CVE-2026-25486

Sažetak

Craft Commerce is an ecommerce platform for Craft CMS. From version 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Methods Name field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in version 5.5.2.

Reference

https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
https://github.com/craftcms/commerce/releases/tag/5.5.2
https://github.com/craftcms/commerce/security/advisories/GHSA-g92v-wpv7-6w22

CVSS

Base:	0.0
Impact:	None
Exploitability:	None

Pristup

Vektor	Složenost	Autentikacija
None	None	None

Impact

Povjerljivost	Cjelovitost	Dostupnost
None	None	None

CVSS vektor

None

Zadnje važnije ažuriranje

04-02-2026 - 16:33

Objavljeno

03-02-2026 - 19:16