Moderate severityOSV Advisory· Published Feb 3, 2026· Updated Feb 3, 2026
Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation
CVE-2026-25489
Description
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
craftcms/commercePackagist | >= 5.0.0-RC1, < 5.5.2 | 5.5.2 |
craftcms/commercePackagist | >= 4.0.0-RC1, < 4.10.1 | 4.10.1 |
Affected products
2Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-v585-mf6r-rqrcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-25489ghsaADVISORY
- github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839eeghsax_refsource_MISCWEB
- github.com/craftcms/commerce/releases/tag/4.10.1ghsax_refsource_MISCWEB
- github.com/craftcms/commerce/releases/tag/5.5.2ghsax_refsource_MISCWEB
- github.com/craftcms/commerce/security/advisories/GHSA-v585-mf6r-rqrcghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.