{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25488", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-02T16:31:35.823Z", "datePublished": "2026-02-03T18:07:25.106Z", "dateUpdated": "2026-02-04T21:13:48.706Z"}, "containers": {"cna": {"title": "Craft Commerce has Stored XSS in Tax Categories (Name & Description) Fields Leading to Potential Privilege Escalation", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/craftcms/commerce/security/advisories/GHSA-p6w8-q63m-72c8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-p6w8-q63m-72c8"}, {"name": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"}, {"name": "https://github.com/craftcms/commerce/releases/tag/4.10.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"}, {"name": "https://github.com/craftcms/commerce/releases/tag/5.5.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"}], "affected": [{"vendor": "craftcms", "product": "commerce", "versions": [{"version": ">= 4.0.0-RC1, < 4.10.1", "status": "affected"}, {"version": ">= 5.0.0, < 5.5.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T18:07:25.106Z"}, "descriptions": [{"lang": "en", "value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator\u2019s browser. This occurs because the Tax Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2."}], "source": {"advisory": "GHSA-p6w8-q63m-72c8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T21:13:40.929885Z", "id": "CVE-2026-25488", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T21:13:48.706Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25488", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T21:13:40.929885Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T21:13:45.457Z"}}], "cna": {"title": "Craft Commerce has Stored XSS in Tax Categories (Name & Description) Fields Leading to Potential Privilege Escalation", "source": {"advisory": "GHSA-p6w8-q63m-72c8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "craftcms", "product": "commerce", "versions": [{"status": "affected", "version": ">= 4.0.0-RC1, < 4.10.1"}, {"status": "affected", "version": ">= 5.0.0, < 5.5.2"}]}], "references": [{"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-p6w8-q63m-72c8", "name": "https://github.com/craftcms/commerce/security/advisories/GHSA-p6w8-q63m-72c8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee", "name": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/craftcms/commerce/releases/tag/4.10.1", "name": "https://github.com/craftcms/commerce/releases/tag/4.10.1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/craftcms/commerce/releases/tag/5.5.2", "name": "https://github.com/craftcms/commerce/releases/tag/5.5.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator\u2019s browser. This occurs because the Tax Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T18:07:25.106Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25488", "state": "PUBLISHED", "dateUpdated": "2026-02-04T21:13:48.706Z", "dateReserved": "2026-02-02T16:31:35.823Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-03T18:07:25.106Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*", "matchCriteriaId": "6EFA9347-254D-4D9E-84B1-8C0FFCC377F9", "versionEndExcluding": "4.10.1", "versionStartIncluding": "4.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*", "matchCriteriaId": "65ADAE4B-A19C-4FB1-AE39-8CF4AF57499B", "versionEndExcluding": "5.5.2", "versionStartIncluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_commerce:4.0.0:-:*:*:*:craft_cms:*:*", "matchCriteriaId": "2B409639-1C00-4E9C-950E-77058C40A5F1", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_commerce:4.0.0:rc1:*:*:*:craft_cms:*:*", "matchCriteriaId": "E4B4BB43-0D60-4F6F-9F6F-1F7B3AF75EBA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator\u2019s browser. This occurs because the Tax Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2."}], "id": "CVE-2026-25488", "lastModified": "2026-02-10T18:10:27.177", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-03T19:16:26.517", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-p6w8-q63m-72c8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T00:12:19.437766+00:00", "value": {"mitigation_remediation": ["Upgrade Craft Commerce to version 4.10.1, 5.5.2, or later to remove the unsanitized input handling.", "Limit the ability to edit Tax Category Name and Description fields to a minimal set of trusted administrator roles to reduce the attack surface.", "Deploy a Content Security Policy that disallows inline scripts and limits script execution in the administrative interface, thereby mitigating the impact of any remaining stored XSS payloads."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting in administrative Tax Category fields can lead to privilege escalation or session hijacking when an attacker injects malicious JavaScript that runs in an administrator\u2019s browser."}, "threat_synthesis": {"affected_systems": "Affected vendors include CraftCMS Commerce. In particular, Craft Commerce releases 4.0.0\u2011RC1 to 4.10.0 and 5.0.0 to 5.5.1 are vulnerable. The vulnerability is fixed in releases 4.10.1 and 5.5.2 and later. All other versions are unaffected.", "description_and_impact": "Craft Commerce versions 4.0.0\u2011RC1 through 4.10.0 and 5.0.0 through 5.5.1 allow stored XSS via the Name and Description fields of Tax Categories in the Store Management section. The input in these fields is not sanitized before being rendered in the admin panel, enabling an attacker to inject JavaScript that executes with the privileges of the logged\u2011in administrator. An attacker could steal session cookies, gain elevated access, or modify site content, providing a foothold for broader compromise.", "risk_and_exploitability": "The CVSS score of 6.1 indicates a moderate severity vulnerability. The EPSS score of less than 1% suggests that the likelihood of exploitation in the wild is low, and the item is not listed in the CISA KEV catalog. Exploitation requires the attacker to either authenticate as an administrator or otherwise find a path to edit Tax Category entries; thus it is likely to be limited to compromised or vulnerable admin accounts. If the attacker gains such access, arbitrary JavaScript execution could lead to credential theft and privilege escalation within the Craft CMS environment."}}}}, "created": "2026-02-04T12:08:48.205546+00:00", "updated": "2026-04-18T00:15:31.790852+00:00", "vendors": ["craftcms", "craftcms$PRODUCT$commerce"]}