PT-2026-6294 · Pixel & Tonic · Craft Commerce

Mhe4Am · Published 2026-02-02 · Updated 2026-02-03 · CVE-2026-25485

CVSS v4.0: 6.2 (Medium)
Vector: AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions

Craft Commerce versions 4.0.0-RC1 through 4.10.0
Craft Commerce versions 5.0.0 through 5.5.1

Description

Craft Commerce, an ecommerce platform for Craft CMS, contains a stored cross-site scripting (XSS) issue. The issue resides in the Shipping Categories Name and Description fields within the Store Management section of the admin panel. Input in these fields is not properly sanitized, so an attacker who can edit them can store JavaScript that is later rendered unescaped. Successful exploitation leads to the execution of arbitrary JavaScript in an administrator's browser. An attacker could potentially escalate privileges to administrator level by exploiting this issue, especially if an elevated session exists: the stored XSS can be used to display a fake "Session Expired" login modal that tricks administrators into submitting their credentials. The vulnerable fields are located at the /admin/commerce/store-management/primary/shippingcategories endpoint; the Name and Description parameters are the ones affected.

Recommendations

Craft Commerce versions 4.0.0-RC1 through 4.10.0 should be updated to version 4.10.1 or later. Craft Commerce versions 5.0.0 through 5.5.1 should be updated to version 5.5.2 or later.
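The following is an added illustration of the defect class described above and of the fix that removes it; it is not Craft Commerce code (Craft renders its control panel with Twig templates, not Python) and the sample category values are constructed for the demonstration. It renders a shipping-category row two ways, once interpolating the stored Name and Description verbatim (the stored-XSS pattern) and once with output encoding applied, and then runs a small parser-based audit over each result so a reviewer can see which rendering still contains live script or event-handler markup.

```python
import html
from html.parser import HTMLParser

# Constructed sample of what could be saved through the Shipping Categories
# form. The markup is only here to show the difference between raw and
# escaped rendering; the values are not taken from the advisory.
SAMPLE_CATEGORY = {
    "name": "Oversized <script>stealSession()</script>",
    "description": 'Items over 30kg" onmouseover="stealSession()',
}


def render_unescaped(category):
    """Vulnerable pattern: stored field values are interpolated into the
    admin page verbatim, so markup saved by one user runs in the browser
    of the next administrator who views the list (stored XSS)."""
    name = category["name"]
    desc = category["description"]
    return f'<tr><td>{name}</td><td title="{desc}">{desc}</td></tr>'


def render_escaped(category):
    """Hardened pattern: every stored value is HTML-entity encoded at output
    time. quote=True also encodes the quote characters, which is what keeps
    a value from breaking out of the title="..." attribute."""
    name = html.escape(category["name"], quote=True)
    desc = html.escape(category["description"], quote=True)
    return f'<tr><td>{name}</td><td title="{desc}">{desc}</td></tr>'


class MarkupAudit(HTMLParser):
    """Collects findings that indicate stored text became live markup:
    a <script> element, or any attribute whose name starts with "on"
    (inline event handlers). Entity-encoded text never produces either."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for attr_name, _ in attrs:
            if attr_name.startswith("on"):
                self.findings.append(f"event handler attribute {attr_name}")


def audit(rendered_html):
    """Return the list of findings for one rendered fragment (empty list
    means no live script or handler markup was found)."""
    parser = MarkupAudit()
    parser.feed(rendered_html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for label, renderer in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        out = renderer(SAMPLE_CATEGORY)
        print(f"{label}: {out}")
        print(f"  findings: {audit(out) or 'none'}")
```

The audit is deliberately narrow (script elements and on* attributes) so it produces no false positives on the encoded output; it is a review-time check on rendered fragments, not a replacement for escaping at the template layer, which is the actual fix the vendor shipped in 4.10.1 and 5.5.2.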

Tags: XSS

Weakness Enumeration

Related Identifiers: CVE-2026-25485, GHSA-W8GW-QM8P-J9J3

Affected Products: Craft Commerce