PT-2026-5750 · Pixel & Tonic · Craft Commerce

Mhe4Am · Published 2026-02-02 · Updated 2026-02-03 · CVE-2026-25490

CVSS v4.0: 6.1 Medium
Vector: AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions
Craft Commerce versions 4.0.0-RC1 through 4.10.0
Craft Commerce versions 5.0.0 through 5.5.1

Description
Craft Commerce, an ecommerce platform for Craft CMS, contains a stored cross-site scripting (XSS) vulnerability. The issue stems from insufficient sanitization of the 'Address Line 1' field of Inventory Locations before it is displayed in the admin panel (control panel). This allows an attacker to inject JavaScript that executes in an administrator's browser. An attacker could potentially escalate privileges to administrator level by exploiting this issue, especially if an elevated session exists. The proof of concept demonstrates that an attacker can store a payload in the 'Address Line 1' field, which then executes as JavaScript whenever the page is loaded. Such a payload could be used to steal administrator credentials through a fake login modal or to elevate the attacker's own account to admin status.

Recommendations
Craft Commerce versions 4.0.0-RC1 through 4.10.0 should be upgraded to version 4.10.1 or later. Craft Commerce versions 5.0.0 through 5.5.1 should be upgraded to version 5.5.2 or later.
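The rendering defect and a post-upgrade check, as an added Python illustration that is not Craft Commerce's own code: `render_unsafe` stands in for a template that writes the field into admin-panel HTML verbatim, `render_escaped` applies the output encoding that makes it inert, and `audit_address_lines` flags stored values that already contain markup, since patching the template does not remove a payload stored before the upgrade. The row layout and the `addressLine1` field name are assumptions, and the sample rows are constructed.

```python
import html
import re
from typing import Iterable

# Constructed sample rows standing in for inventory-location addresses.
# The field names are an assumption, not Craft Commerce's real schema.
SAMPLE_LOCATIONS = [
    {"id": 1, "name": "Main Warehouse", "addressLine1": "12 Harbour Road"},
    {"id": 2, "name": "Overflow", "addressLine1": "Unit 4 & 5, Dock Street"},
    {"id": 3, "name": "Annex", "addressLine1": "<script>alert(1)</script>"},
]

# Markup indicators worth a manual review in a free-text address field:
# an opening/closing tag, an inline event handler, or a javascript: URL.
HTML_MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z!]|\bon\w+\s*=|javascript:", re.IGNORECASE)


def render_unsafe(value: str) -> str:
    """Vulnerable pattern: the stored value is concatenated straight into HTML."""
    return f"<td>{value}</td>"


def render_escaped(value: str) -> str:
    """Hardened pattern: HTML-encode on output so <, >, & and quotes cannot
    start a tag or break out of an attribute."""
    return f"<td>{html.escape(value, quote=True)}</td>"


def audit_address_lines(rows: Iterable[dict]) -> list[dict]:
    """Return the rows whose addressLine1 contains markup indicators, for review."""
    return [row for row in rows if HTML_MARKUP.search(row.get("addressLine1", ""))]


if __name__ == "__main__":
    for row in SAMPLE_LOCATIONS:
        print(row["id"], render_unsafe(row["addressLine1"]))
        print(row["id"], render_escaped(row["addressLine1"]))
    print("rows needing review:", [r["id"] for r in audit_address_lines(SAMPLE_LOCATIONS)])
```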


Related Identifiers

CVE-2026-25490
GHSA-WQ2M-R96Q-CRRF

Affected Products

Craft Commerce