Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)
Description
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JavaScript through the "email_templates_key" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Os Commerce is vulnerable to stored XSS via the email_templates_key parameter, allowing attackers to execute arbitrary JavaScript in admin browsers.
Vulnerability
Os Commerce, an open-source e-commerce platform used for creating online stores, is susceptible to a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability resides in the /admin/email/templates-save endpoint, where the email_templates_key parameter is insufficiently sanitized. This allows an attacker to inject arbitrary JavaScript code that gets stored and subsequently executed when an administrator views the affected email template. The vulnerability affects all versions of Os Commerce prior to the release of a security patch.
Exploitation
An attacker requires network access to the Os Commerce admin panel and authenticated session credentials with sufficient privileges to access the email template management functionality. The attacker crafts a malicious script payload and submits it via the email_templates_key parameter in a POST request to /admin/email/templates-save. The injected script is stored in the application. When an administrator navigates to the email templates page or previews the affected template, the payload executes in their browser context.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the authenticated administrator's browser. This can lead to session hijacking, defacement of the admin interface, theft of sensitive data (such as admin credentials or customer information), and potentially further compromise of the e-commerce platform by leveraging the admin's privileges [2].
Mitigation
As of the publication date of this advisory, no official patch has been released by osCommerce [1]. The vendor has not publicly acknowledged the vulnerability or provided a fixed version. Until a patch is available, administrators should restrict access to the admin panel to trusted networks, enforce strong authentication, and consider using a web application firewall (WAF) to filter malicious input [2]. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
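The following is an added example, not code from osCommerce or from this advisory. It illustrates the flaw described under Vulnerability (a stored email_templates_key value written into admin HTML without encoding) beside the two defender-side controls that close it: an allowlist check on the save path and HTML output encoding on the render path, plus a WAF-style request check of the kind the Mitigation section suggests. The endpoint, the allowlist pattern, the HTML layout and the sample values are assumptions constructed for the demonstration.

```python
import html
import re
from urllib.parse import parse_qsl

# Constructed sample values (not taken from any real report).
HOSTILE_KEY = '<script>alert(1)</script>'
SAFE_KEY = 'order_confirmation'

# Assumption: a template key is a machine identifier, so a strict
# allowlist of lowercase letters, digits and underscores is appropriate.
KEY_PATTERN = re.compile(r'^[a-z0-9_]{1,64}$')


def validate_template_key(key: str) -> bool:
    """Input-side check for the save endpoint: accept only allowlisted keys."""
    return KEY_PATTERN.fullmatch(key) is not None


def render_row_vulnerable(key: str) -> str:
    """Mirrors the flaw: the stored key is interpolated into admin HTML as-is,
    so any markup it contains is parsed and executed by the admin's browser."""
    return f'<tr><td>{key}</td></tr>'


def render_row_hardened(key: str) -> str:
    """Output-side fix: HTML-encode the stored value for the element-content
    context, so '<' and '>' are rendered as text rather than as tags."""
    return f'<tr><td>{html.escape(key, quote=True)}</td></tr>'


def save_template_key(store: dict, key: str, body: str) -> bool:
    """Hardened save path: refuse to persist a key that fails the allowlist.
    Returns True when the template was stored, False when it was rejected."""
    if not validate_template_key(key):
        return False
    store[key] = body
    return True


def flag_suspicious_key_param(form_body: str) -> bool:
    """WAF-style check over a URL-encoded POST body: flag any request whose
    email_templates_key value would fail the allowlist. Requests that do not
    carry the parameter at all are not flagged."""
    params = dict(parse_qsl(form_body, keep_blank_values=True))
    key = params.get('email_templates_key')
    return key is not None and not validate_template_key(key)
```

Output encoding on render is the control that removes the XSS even for values already stored before the allowlist was introduced; the save-time check prevents new hostile values from being persisted at all.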
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Os Commerce / Os Commerce v5, Range: 4.12.56860
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.