{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25489", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-02T16:31:35.823Z", "datePublished": "2026-02-03T18:07:40.168Z", "dateUpdated": "2026-02-03T20:34:09.676Z"}, "containers": {"cna": {"title": "Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/craftcms/commerce/security/advisories/GHSA-v585-mf6r-rqrc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-v585-mf6r-rqrc"}, {"name": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"}, {"name": "https://github.com/craftcms/commerce/releases/tag/4.10.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"}, {"name": "https://github.com/craftcms/commerce/releases/tag/5.5.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"}], "affected": [{"vendor": "craftcms", "product": "commerce", "versions": [{"version": ">= 4.0.0-RC1, < 4.10.1", "status": "affected"}, {"version": ">= 5.0.0, < 5.5.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T18:07:40.168Z"}, "descriptions": [{"lang": "en", "value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator\u2019s browser. This occurs because the Name & Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2."}], "source": {"advisory": "GHSA-v585-mf6r-rqrc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-03T20:32:00.751102Z", "id": "CVE-2026-25489", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T20:34:09.676Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25489", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-03T20:32:00.751102Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T20:32:06.758Z"}}], "cna": {"title": "Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation", "source": {"advisory": "GHSA-v585-mf6r-rqrc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "craftcms", "product": "commerce", "versions": [{"status": "affected", "version": ">= 4.0.0-RC1, < 4.10.1"}, {"status": "affected", "version": ">= 5.0.0, < 5.5.2"}]}], "references": [{"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-v585-mf6r-rqrc", "name": "https://github.com/craftcms/commerce/security/advisories/GHSA-v585-mf6r-rqrc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee", "name": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/craftcms/commerce/releases/tag/4.10.1", "name": "https://github.com/craftcms/commerce/releases/tag/4.10.1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/craftcms/commerce/releases/tag/5.5.2", "name": "https://github.com/craftcms/commerce/releases/tag/5.5.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator\u2019s browser. This occurs because the Name & Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T18:07:40.168Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25489", "state": "PUBLISHED", "dateUpdated": "2026-02-03T20:34:09.676Z", "dateReserved": "2026-02-02T16:31:35.823Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-03T18:07:40.168Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*", "matchCriteriaId": "6EFA9347-254D-4D9E-84B1-8C0FFCC377F9", "versionEndExcluding": "4.10.1", "versionStartIncluding": "4.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*", "matchCriteriaId": "65ADAE4B-A19C-4FB1-AE39-8CF4AF57499B", "versionEndExcluding": "5.5.2", "versionStartIncluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_commerce:4.0.0:-:*:*:*:craft_cms:*:*", "matchCriteriaId": "2B409639-1C00-4E9C-950E-77058C40A5F1", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_commerce:4.0.0:rc1:*:*:*:craft_cms:*:*", "matchCriteriaId": "E4B4BB43-0D60-4F6F-9F6F-1F7B3AF75EBA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator\u2019s browser. This occurs because the Name & Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2."}], "id": "CVE-2026-25489", "lastModified": "2026-02-10T18:08:57.537", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-03T19:16:26.667", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-v585-mf6r-rqrc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T14:11:59.042108+00:00", "value": {"mitigation_remediation": ["Upgrade Craft Commerce to version 4.10.1 or newer, or to 5.5.2 or newer, to apply the vendor patch.", "If an upgrade cannot be performed immediately, restrict admin console access to trusted administrators only and monitor for suspicious content in Tax Zone Name and Description fields.", "After applying the patch, review and sanitize existing Tax Zone entries to remove any embedded scripts that may still be stored in the database."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation via Stored XSS in Craft Commerce Tax Zone fields"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of Craft CMS Commerce in the affected version ranges. Vendors include Craft CMS under the product name Craft Commerce. The impacted versions are 4.0.0\u2011RC1 to 4.10.0 and 5.0.0 to 5.5.1. Any deployment using those releases should verify the current version and assess whether the vulnerable tax zone data has been stored.", "description_and_impact": "Craft Commerce versions 4.0.0\u2011RC1 through 4.10.0 and 5.0.0 through 5.5.1 contain a stored cross\u2011site scripting flaw that arises when the Name or Description fields of Tax Zones are not properly sanitized. When an attacker injects malicious JavaScript into these fields, the code is executed in the browser of anyone who views the tax zone entries in the administrator control panel. This can allow session theft, phishing, or other malicious actions within the admin interface, effectively leading to privilege escalation or abuse of administrative privileges.", "risk_and_exploitability": "The CVSS score of 6.1 indicates medium severity, while the EPSS score of less than 1% shows a very low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require access to the administrator console, either through pre\u2011existing administrative credentials or successful compromise of an admin account, to submit malicious payloads into the vulnerable fields."}}}}, "created": "2026-02-04T12:08:41.822204+00:00", "updated": "2026-04-18T14:15:04.135399+00:00", "vendors": ["craftcms", "craftcms$PRODUCT$commerce"]}