C
raft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings. The vulnerable input (source) is in Commerce (Product Type settings), but the sink is in CMS user permissions settings. This issue has been patched in versions 4.10.1 and 5.5.2.
References
| Link | Resource |
|---|---|
| https://github.com/craftcms/commerce/commit/7e1dedf06038c8e70dce0187b7048d4ab8ffb75c | Patch |
| https://github.com/craftcms/commerce/releases/tag/4.10.1 | Release Notes |
| https://github.com/craftcms/commerce/releases/tag/5.5.2 | Release Notes |
| https://github.com/craftcms/commerce/security/advisories/GHSA-2h2m-v2mg-656c | Exploit Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
10 Feb 2026, 18:13
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Craftcms
Craftcms craft Commerce |
|
| CPE | cpe:2.3:a:craftcms:craft_commerce:4.0.0:rc1:*:*:*:craft_cms:*:* cpe:2.3:a:craftcms:craft_commerce:4.0.0:-:*:*:*:craft_cms:*:* cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:* |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 4.8 |
| References | () https://github.com/craftcms/commerce/commit/7e1dedf06038c8e70dce0187b7048d4ab8ffb75c - Patch | |
| References | () https://github.com/craftcms/commerce/releases/tag/4.10.1 - Release Notes | |
| References | () https://github.com/craftcms/commerce/releases/tag/5.5.2 - Release Notes | |
| References | () https://github.com/craftcms/commerce/security/advisories/GHSA-2h2m-v2mg-656c - Exploit, Vendor Advisory |
03 Feb 2026, 19:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-02-03 19:16
Updated : 2026-02-10 18:13
NVD link : CVE-2026-25484
Mitre link : CVE-2026-25484
CVE.ORG link : CVE-2026-25484
JSON object : View
Products Affected
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')