CVE-2026-25485

Sažetak

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.

Reference

https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
https://github.com/craftcms/commerce/releases/tag/4.10.1
https://github.com/craftcms/commerce/releases/tag/5.5.2
https://github.com/craftcms/commerce/security/advisories/GHSA-w8gw-qm8p-j9j3

CVSS

Base:	0.0
Impact:	None
Exploitability:	None

Pristup

Vektor	Složenost	Autentikacija
None	None	None

Impact

Povjerljivost	Cjelovitost	Dostupnost
None	None	None

CVSS vektor

None

Zadnje važnije ažuriranje

04-02-2026 - 16:33

Objavljeno

03-02-2026 - 19:16