CVE-2026-25484
Stored XSS in Craft Commerce Product Type Names Affecting Permissions
Publication date: 2026-02-03
Last updated on: 2026-02-10
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| craftcms | craft_commerce | From 4.0.1 (inc) to 4.10.1 (exc) |
| craftcms | craft_commerce | From 5.0.0 (inc) to 5.5.2 (exc) |
| craftcms | craft_commerce | 4.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability is a stored Cross-Site Scripting (XSS) issue that allows an attacker with administrative access to inject malicious scripts via Product Type names in the Craft Commerce platform. This could potentially lead to unauthorized script execution in the user permissions interface.
While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, stored XSS vulnerabilities can pose risks to data confidentiality and integrity, which are critical aspects of these regulations.
If exploited, this vulnerability could lead to unauthorized access or manipulation of user interface elements, potentially exposing sensitive information or enabling further attacks, which may impact compliance with data protection regulations.
Mitigation by upgrading to patched versions (4.10.1 and 5.5.2) is necessary to reduce the risk and maintain compliance with security best practices required by such standards.
Can you explain this vulnerability to me?
CVE-2026-25484 is a stored Cross-Site Scripting (XSS) vulnerability in Craft Commerce, the e-commerce plugin for Craft CMS. Product Type names are not escaped when they are rendered as permission checkboxes in the CMS user permissions settings. An attacker with administrative access to the Commerce settings can create or edit a Product Type and place HTML or JavaScript in its name; that payload is stored with the Product Type and executes in the browser of anyone who later views the user permissions page.
How can this vulnerability impact me? :
This vulnerability can allow an attacker with admin permissions to execute arbitrary scripts in the browser of any user who views the CMS user permissions page, typically another administrator. This could lead to unauthorized actions such as stealing session tokens, performing actions on behalf of that user, or defacing the admin interface.
However, exploitation requires administrative access to the Commerce settings to inject the malicious Product Type name, which limits the attack surface to trusted users or compromised admin accounts.
The severity is considered low, but it still poses a risk of cross-site scripting attacks within the administrative interface.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether your Craft Commerce installation is running a vulnerable version (from 4.0.0-RC1 to 4.10.0, or from 5.0.0 to 5.5.1) and by inspecting Product Type names for malicious scripts.
Since the exploit involves stored XSS in Product Type names rendered in the CMS user permissions settings, you can detect it by reviewing Product Type names for suspicious HTML or JavaScript payloads such as <img src=x onerror="alert('XSS-ProductType')" hidden>.
There are no specific network commands provided in the resources, but you can use the following approach to detect the vulnerability:
- Check the installed Craft Commerce version via your system or application interface to confirm whether it falls within the vulnerable ranges.
- Manually inspect Product Type names in the Commerce settings for suspicious or unexpected HTML/JavaScript content.
- Access the CMS user permissions page and observe whether any alert or unexpected script execution occurs when Product Type checkboxes are rendered; note that viewing the page on a vulnerable version runs any stored payload, so do this in a test environment or with the browser's script execution blocked. [2]
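The two checks above (version range and suspicious names) can be scripted. The following is an added example, not code from the Craft Commerce project or from this advisory. It assumes you have already exported the Product Type ids and names (the SQL table name `commerce_producttypes` in the comment is an assumption; adjust it to your installation) and it uses a heuristic set of patterns for markup, so review hits by hand rather than treating a clean run as proof of absence.

```python
"""Detection helper for CVE-2026-25484 (stored XSS via Craft Commerce Product Type names).

Two checks:
  1. Is the installed Craft Commerce version inside an affected range?
  2. Do any stored Product Type names contain HTML/JavaScript payloads?
The version ranges come from the advisory. The name scanner is a heuristic
(assumption: tags, inline event handlers, javascript: URLs and entity-encoded
angle brackets are what an attacker would need), so review every hit by hand.
"""
import re
from typing import Iterable, List, Tuple

# Affected ranges as stated by the advisory: lower bound inclusive, upper bound exclusive.
AFFECTED_RANGES = [("4.0.0-RC1", "4.10.1"), ("5.0.0", "5.5.2")]


def parse_version(version: str) -> tuple:
    """Turn '4.0.0-RC1' / '5.5.1' into a tuple that sorts correctly.

    A release sorts after any pre-release of the same x.y.z (RC1 < final);
    pre-release tags are compared as lowercased strings, which is a simplification
    that is good enough for beta/RC tags.
    """
    core, sep, pre = version.strip().lstrip("v").partition("-")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    # (major, minor, patch, 1 for a release / 0 for a pre-release, pre-release tag)
    return (parts[0], parts[1], parts[2], 0 if sep else 1, pre.lower())


def is_affected_version(version: str) -> bool:
    """True if `version` falls inside any affected range from the advisory."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


# Heuristic patterns for markup that has no business in a Product Type name.
SUSPICIOUS_PATTERNS = [
    ("html-tag", re.compile(r"<\s*/?\s*[a-zA-Z!]")),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
    ("javascript-url", re.compile(r"javascript\s*:", re.IGNORECASE)),
    ("encoded-angle", re.compile(r"&(lt|gt|#0*60|#0*62|#x0*3[ce]);", re.IGNORECASE)),
]


def scan_product_type_names(rows: Iterable[Tuple[int, str]]) -> List[Tuple[int, str, List[str]]]:
    """Return (id, name, [matched pattern labels]) for every name that looks like a payload."""
    hits = []
    for type_id, name in rows:
        reasons = [label for label, rx in SUSPICIOUS_PATTERNS if rx.search(name)]
        if reasons:
            hits.append((type_id, name, reasons))
    return hits


# Constructed sample rows standing in for the output of, for example,
#   SELECT id, name FROM commerce_producttypes;   (table name is an assumption)
SAMPLE_ROWS = [
    (1, "Clothing"),
    (2, "Gift Cards & Vouchers"),                                   # plain ampersand, benign
    (3, "<img src=x onerror=\"alert('XSS-ProductType')\" hidden>"),  # payload quoted by the advisory
    (4, "Bundles &lt;script&gt;"),                                   # entity-encoded, worth a look
]


def report(installed_version: str, rows: Iterable[Tuple[int, str]]) -> dict:
    """Combine both checks into one result a script or ticket can consume."""
    return {
        "version": installed_version,
        "version_affected": is_affected_version(installed_version),
        "suspicious_product_types": scan_product_type_names(rows),
    }


if __name__ == "__main__":
    import json
    import sys

    version = sys.argv[1] if len(sys.argv) > 1 else "4.10.0"
    print(json.dumps(report(version, SAMPLE_ROWS), indent=2))
```

Run it with the installed Craft Commerce version as the first argument and replace `SAMPLE_ROWS` with the real export. A `version_affected` of true means upgrade regardless of what the scanner finds; a hit in `suspicious_product_types` on an already-patched install is still worth cleaning up, since the name remains in the database and other templates may render it.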
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to upgrade Craft Commerce to a patched version.
- Upgrade to version 4.10.1 or later if you are on the 4.x branch.
- Upgrade to version 5.5.2 or later if you are on the 5.x branch.
These versions include a fix that properly escapes Product Type names when rendered in the user permissions settings, preventing the stored XSS vulnerability.
Additionally, restrict administrative access to Commerce settings to trusted users only, as exploitation requires admin privileges to inject malicious Product Type names.