VYPR
Moderate severityOSV Advisory· Published Feb 3, 2026· Updated Feb 3, 2026

Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation

CVE-2026-25489

Description

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
craftcms/commercePackagist
>= 5.0.0-RC1, < 5.5.25.5.2
craftcms/commercePackagist
>= 4.0.0-RC1, < 4.10.14.10.1

Affected products

2

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.