Moderate severity · OSV Advisory · Published Feb 3, 2026 · Updated Feb 4, 2026
Craft Commerce has Stored XSS in Product Type Name
CVE-2026-25484
Description
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings. The vulnerable input (source) is in Commerce (Product Type settings), but the sink is in CMS user permissions settings. This issue has been patched in versions 4.10.1 and 5.5.2.
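The fix for this issue is a single explicit `|e` on the product type name where it is merged into control-panel table data. As an added example (not code from the advisory or from Craft Commerce), the check below scans a Twig `tableData|merge([...])` block for user-controlled string fields that lack a trailing escape filter, so the same class of omission can be caught in review. The template excerpts are constructed from the patched hunk; the field list and the assumption that these values need an explicit `|e` (because the fix treats them that way) are the author's.

```python
import re

# Constructed excerpt modelled on the patched Craft Commerce template hunk
# (assumption: the real template surrounds this set block with more context).
BEFORE = """{% set tableData = tableData|merge([{
    id: type.id,
    title: type.name|t('site'),
    url: type.cpEditUrl,
    handle: type.handle|e,
    maxVariants: type.maxVariants ?? '',
}]) %}"""

# The same block with the advisory's fix applied to the title field.
AFTER = BEFORE.replace("type.name|t('site'),", "type.name|t('site')|e,")

# Matches one `key: expression,` entry inside the merged object literal.
ENTRY_RE = re.compile(r"^\s*(\w+):\s*(.+?),?\s*$", re.MULTILINE)


def is_escaped(expr: str) -> bool:
    """True if the last filter in the chain is Twig's escape filter (e / escape)."""
    tail = expr.rsplit("|", 1)[-1].strip()
    return tail in ("e", "escape") or tail.startswith(("e(", "escape("))


def unescaped_fields(twig: str, fields=("title", "handle")) -> list:
    """Return names of user-controlled string fields that are not explicitly escaped.

    `fields` is an assumed list of keys that carry user-supplied text; the fix in
    this advisory shows that such values need `|e` even after `|t('site')`.
    """
    findings = []
    for m in ENTRY_RE.finditer(twig):
        key, expr = m.group(1), m.group(2).rstrip(",").strip()
        if key in fields and not is_escaped(expr):
            findings.append(key)
    return findings


if __name__ == "__main__":
    print("before fix:", unescaped_fields(BEFORE))  # ['title']
    print("after fix: ", unescaped_fields(AFTER))   # []
```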
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| craftcms/commerce (Packagist) | >= 5.0.0, < 5.5.2 | 5.5.2 |
| craftcms/commerce (Packagist) | >= 4.0.0-RC1, < 4.10.1 | 4.10.1 |
Patches
1 file changed · +1 −1
src/templates/settings/producttypes/index.twig+1 −1 modified@@ -41,7 +41,7 @@ {% set tableData = tableData|merge([{ id: type.id, - title: type.name|t('site'), + title: type.name|t('site')|e, url: type.cpEditUrl, handle: type.handle|e, maxVariants: type.maxVariants ?? '',
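Review bot: the hunk escapes only the `title` entry, while the description says the sink is the CMS user-permissions settings rather than this product-types index template; the commit should state how escaping the name in this one table covers that sink, or whether the permissions template needs the same change. The pattern `type.name|t('site')|e` now matches the existing `handle: type.handle|e`, which is good; for consistency every other user-controlled string merged into `tableData` should get the same explicit `|e`, since the escape is applied field by field here and nothing downstream will add it.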
References
- https://github.com/advisories/GHSA-2h2m-v2mg-656c (advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-25484 (advisory)
- https://github.com/craftcms/commerce/commit/7e1dedf06038c8e70dce0187b7048d4ab8ffb75c (fix commit)
- https://github.com/craftcms/commerce/releases/tag/4.10.1 (release)
- https://github.com/craftcms/commerce/releases/tag/5.5.2 (release)
- https://github.com/craftcms/commerce/security/advisories/GHSA-2h2m-v2mg-656c (vendor advisory)