PT-2026-6293 · Craft Cms · Craft Commerce

Mhe4Am · Published 2026-02-02 · Updated 2026-02-03 · CVE-2026-25482

CVSS v4.0: 6.2 (Medium)
Vector: AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions

Craft Commerce versions 4.0.0-RC1 through 4.10.0
Craft Commerce versions 5.0.0 through 5.5.1
Description

A stored DOM Cross-Site Scripting (XSS) issue exists within the "Recent Orders" dashboard widget. The Order Status Name is rendered using JavaScript string concatenation without appropriate escaping, which allows for script execution when an administrator accesses the dashboard. The issue occurs because the value.name variable, representing the Order Status Name, is directly concatenated into an HTML string without sanitization. This allows malicious tags or scripts within the name to be executed when the HTML is inserted into the DOM. The vulnerable file is vendor/craftcms/commerce/src/templates/components/widgets/orders/recent/body.twig.
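The following is an added illustration of the bug class described above, not the Craft Commerce template code itself: a constructed order record whose status name carries markup is rendered once by unescaped concatenation (the vulnerable pattern) and once with each dynamic value HTML-escaped before concatenation (the hardened pattern). The order shape, function names and the allowed-tag check are assumptions made for this example.

```javascript
// Minimal HTML escaper for text placed inside an element body. Assumed helper,
// not a Craft Commerce API; attribute and URL contexts need their own encoding.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the status name is trusted as markup, so any tag stored
// in it becomes part of the DOM when the fragment is inserted.
function renderRowUnsafe(order) {
  return '<tr><td>' + order.number + '</td>' +
         '<td><span class="status">' + order.status.name + '</span></td></tr>';
}

// Hardened pattern: every dynamic value is escaped before concatenation, so the
// stored markup is rendered as literal text.
function renderRowSafe(order) {
  return '<tr><td>' + escapeHtml(order.number) + '</td>' +
         '<td><span class="status">' + escapeHtml(order.status.name) + '</span></td></tr>';
}

// Review-time check used to confirm the fix: does the rendered fragment contain
// any tag name that is not part of the template's own markup?
function containsUnexpectedTag(html, allowedTags) {
  const found = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map(m => m[1].toLowerCase());
  return found.some(tag => !allowedTags.includes(tag));
}

// Constructed sample order (not real data): the status name carries a script tag.
const sampleOrder = {
  number: 'ORD-1001',
  status: { name: 'Shipped<script>alert(1)</script>' },
};

// Tags the widget template itself emits in this example.
const ALLOWED_TAGS = ['tr', 'td', 'span'];

console.log('unsafe leaks tag:', containsUnexpectedTag(renderRowUnsafe(sampleOrder), ALLOWED_TAGS));
console.log('safe leaks tag:  ', containsUnexpectedTag(renderRowSafe(sampleOrder), ALLOWED_TAGS));
```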
Recommendations

Craft Commerce versions 4.0.0-RC1 through 4.10.0: Update to version 4.10.1 or later.
Craft Commerce versions 5.0.0 through 5.5.1: Update to version 5.5.2 or later.

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-25482
GHSA-FRJ9-9RWC-PW9J

Affected Products

Craft Commerce