CVE-2026-25482
Unknown Unknown - Not Provided
Stored DOM XSS in Craft Commerce Dashboard Widget Allows Admin Script Execution

Publication date: 2026-02-03

Last updated on: 2026-02-10

Assigner: GitHub, Inc.

Description
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard. This issue has been patched in versions 4.10.1 and 5.5.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-03
Last Modified
2026-02-10
Generated
2026-06-16
AI Q&A
2026-02-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25482
EUVD
EUVD-2026-5211
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
craftcms craft_commerce From 4.0.1 (inc) to 4.10.1 (exc)
craftcms craft_commerce From 5.0.0 (inc) to 5.5.2 (exc)
craftcms craft_commerce 4.0.0
craftcms craft_commerce 4.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-25482 is a stored DOM-based Cross-Site Scripting (XSS) vulnerability in the CraftCMS Commerce plugin, specifically in the "Recent Orders" dashboard widget.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the Order Status Name is rendered via JavaScript string concatenation without proper escaping. This means that if an attacker with admin permissions sets the Order Status Name to a malicious script, that script will execute when any admin views the dashboard.'}, {'type': 'paragraph', 'content': "The root cause is that the Order Status Name is directly inserted into the HTML string without sanitization, allowing malicious scripts embedded in the status name to run in the admin's browser."}, {'type': 'paragraph', 'content': 'This issue affects versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, and has been patched in versions 4.10.1 and 5.5.2.'}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability allows an attacker with admin permissions to inject malicious scripts into the Order Status Name.'}, {'type': 'paragraph', 'content': 'When any admin visits the dashboard with the "Recent Orders" widget displaying orders with the malicious status, the script executes in their browser.'}, {'type': 'paragraph', 'content': 'This can lead to unauthorized actions such as session hijacking, data theft, or other malicious activities performed in the context of the admin user.'}, {'type': 'paragraph', 'content': 'Because exploitation requires admin access to create or edit Order Statuses, the risk is limited to scenarios where an attacker already has elevated privileges.'}] [1]

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if your Craft Commerce installation is running a vulnerable version (from 4.0.0-RC1 to 4.10.0 or from 5.0.0 to 5.5.1) and by inspecting the Order Status Names for malicious script payloads.'}, {'type': 'paragraph', 'content': 'Since the vulnerability involves stored DOM XSS in the "Recent Orders" dashboard widget, detection involves verifying if any Order Status Names contain suspicious or malicious JavaScript code.'}, {'type': 'paragraph', 'content': 'Suggested commands or steps include:'}, {'type': 'list_item', 'content': "Query the database for Order Status Names containing suspicious HTML or JavaScript tags, for example using SQL commands like: SELECT * FROM order_statuses WHERE name LIKE '%<script%' OR name LIKE '%onerror=%';"}, {'type': 'list_item', 'content': 'Check the version of Craft Commerce installed by running: composer show craftcms/commerce or checking the version in the admin dashboard.'}, {'type': 'list_item', 'content': 'Manually review the "Recent Orders" dashboard widget for unexpected script execution or unusual behavior when viewing orders with custom statuses.'}] [1]

Mitigation Strategies

The immediate mitigation steps are to update Craft Commerce to a patched version where this vulnerability is fixed.

  • Upgrade to version 4.10.1 or later if you are on the 4.x branch.
  • Upgrade to version 5.5.2 or later if you are on the 5.x branch.

If immediate upgrade is not possible, review and sanitize all Order Status Names to remove any malicious scripts or HTML tags.

The underlying fix involves escaping the Order Status Name and color using the Craft.escapeHtml() function in the JavaScript rendering code to prevent script execution.

Compliance Impact

The vulnerability is a stored DOM-based Cross-Site Scripting (XSS) issue that allows script execution in the admin dashboard when viewing recent orders with a malicious Order Status Name.

Such XSS vulnerabilities can lead to unauthorized script execution, potentially exposing sensitive administrative interfaces or data.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, XSS vulnerabilities generally pose risks to data confidentiality and integrity, which are critical aspects of these regulations.

Therefore, if exploited, this vulnerability could undermine compliance by enabling attackers to execute unauthorized scripts, possibly leading to data breaches or unauthorized access.

Mitigation by updating to patched versions (4.10.1 or 5.5.2) is necessary to maintain compliance and secure handling of sensitive data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25482. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart