Moderate severity · OSV Advisory · Published Feb 3, 2026 · Updated Feb 4, 2026
Craft Commerce has Stored XSS in Product Type Name
CVE-2026-25484
Description
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a stored XSS via Product Type names: the name is not sanitized when it is displayed in the user permissions settings. The vulnerable input (the source) is in Commerce's Product Type settings, while the sink is in the CMS user permissions settings. This issue has been patched in versions 4.10.1 and 5.5.2.
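An illustrative model of the source/sink split described above, added here as example code (it is not Craft Commerce's code and does not reproduce the project's actual patch): a permission label built from a stored Product Type name, first without and then with HTML escaping at the sink, plus a post-upgrade audit that flags names that were stored with markup before the fix. The function names and sample names are constructed for this example.

```php
<?php
// Source: a Product Type name entered in Commerce's Product Type settings and stored in the database.
// Sink: the label for that type's permission on the CMS user permissions page.

// Vulnerable form: the stored name is concatenated straight into HTML.
function permissionLabelVulnerable(string $productTypeName): string
{
    return 'Manage products of type ' . $productTypeName;
}

// Hardened form: escape at the sink, because the name is untrusted data in an HTML context.
function permissionLabelFixed(string $productTypeName): string
{
    return 'Manage products of type '
        . htmlspecialchars($productTypeName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Post-upgrade audit: names saved before the patch may already contain markup.
// Returns the names that contain HTML special characters or entity syntax.
// The filter deliberately over-reports (an apostrophe in "Men's" is flagged too);
// hits are for an administrator to review and rename, not to render.
function findNamesWithMarkup(array $names): array
{
    return array_values(array_filter(
        $names,
        fn(string $name): bool => preg_match('/[<>"\']|&#?[a-z0-9]+;/i', $name) === 1
    ));
}

// Constructed sample names; the second one carries markup a browser would execute.
$sampleNames = ['Clothing', 'Bags <script>alert(1)</script>', 'Home & Garden'];

foreach ($sampleNames as $name) {
    echo permissionLabelVulnerable($name), PHP_EOL; // markup passes through untouched
    echo permissionLabelFixed($name), PHP_EOL;      // markup is rendered as literal text
}

print_r(findNamesWithMarkup($sampleNames)); // only the second sample is reported
```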
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| craftcms/commerce (Packagist) | >= 5.0.0, < 5.5.2 | 5.5.2 |
| craftcms/commerce (Packagist) | >= 4.0.0-RC1, < 4.10.1 | 4.10.1 |
References
- GitHub Advisory GHSA-2h2m-v2mg-656c: github.com/advisories/GHSA-2h2m-v2mg-656c
- NVD entry: nvd.nist.gov/vuln/detail/CVE-2026-25484
- Fix commit: github.com/craftcms/commerce/commit/7e1dedf06038c8e70dce0187b7048d4ab8ffb75c
- Release 4.10.1: github.com/craftcms/commerce/releases/tag/4.10.1
- Release 5.5.2: github.com/craftcms/commerce/releases/tag/5.5.2
- Project security advisory: github.com/craftcms/commerce/security/advisories/GHSA-2h2m-v2mg-656c