CVE-2026-25484
Unknown Unknown - Not Provided
Stored XSS in Craft Commerce Product Type Names Affecting Permissions

Publication date: 2026-02-03

Last updated on: 2026-02-10

Assigner: GitHub, Inc.

Description
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings. The vulnerable input (source) is in Commerce (Product Type settings), but the sink is in CMS user permissions settings. This issue has been patched in versions 4.10.1 and 5.5.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-03
Last Modified
2026-02-10
Generated
2026-06-16
AI Q&A
2026-02-03
EPSS Evaluated
2026-06-14
NVD
CVE-2026-25484
EUVD
EUVD-2026-5208
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
craftcms craft_commerce From 4.0.1 (inc) to 4.10.1 (exc)
craftcms craft_commerce From 5.0.0 (inc) to 5.5.2 (exc)
craftcms craft_commerce 4.0.0
craftcms craft_commerce 4.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-25484 is a stored Cross-Site Scripting (XSS) vulnerability in the Craft Commerce platform for Craft CMS. It occurs because Product Type names are not properly sanitized when displayed in the CMS user permissions settings. An attacker with administrative access can create or edit a Product Type and insert malicious code into its name. This malicious code then executes when the user permissions page is viewed, leading to potential script execution in the browser.

The vulnerability arises from the fact that the Product Type name input is not escaped or sanitized before being rendered as checkboxes in the user permissions interface, allowing embedded scripts to run.

Impact Analysis

This vulnerability can allow an attacker with admin permissions to execute arbitrary scripts in the context of the CMS user permissions page. This could lead to unauthorized actions such as stealing session tokens, performing actions on behalf of other users, or defacing the admin interface.

However, exploitation requires administrative access to the Commerce settings to inject the malicious Product Type name, which limits the attack surface to trusted users or compromised admin accounts.

The severity is considered low, but it still poses a risk of cross-site scripting attacks within the administrative interface.

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if your Craft Commerce installation is running a vulnerable version (from 4.0.0-RC1 to 4.10.0 or from 5.0.0 to 5.5.1) and by inspecting Product Type names for malicious scripts.'}, {'type': 'paragraph', 'content': 'Since the exploit involves stored XSS in Product Type names rendered in the CMS user permissions settings, you can detect it by reviewing Product Type names for suspicious HTML or JavaScript payloads such as <img src=x onerror="alert(\'XSS-ProductType\')" hidden>.'}, {'type': 'paragraph', 'content': 'There are no specific network commands provided in the resources, but you can use the following approach to detect the vulnerability:'}, {'type': 'list_item', 'content': 'Check the installed Craft Commerce version via your system or application interface to confirm if it falls within the vulnerable ranges.'}, {'type': 'list_item', 'content': 'Manually inspect Product Type names in the Commerce settings for suspicious or unexpected HTML/JavaScript content.'}, {'type': 'list_item', 'content': 'Access the CMS user permissions page and observe if any alert or unexpected script execution occurs when Product Type checkboxes are rendered.'}] [2]

Mitigation Strategies

The immediate and recommended mitigation step is to upgrade Craft Commerce to a patched version.

  • Upgrade to version 4.10.1 or later if you are on the 4.x branch.
  • Upgrade to version 5.5.2 or later if you are on the 5.x branch.

These versions include a fix that properly escapes Product Type names when rendered in the user permissions settings, preventing the stored XSS vulnerability.

Additionally, restrict administrative access to Commerce settings to trusted users only, as exploitation requires admin privileges to inject malicious Product Type names.

Compliance Impact

The vulnerability is a stored Cross-Site Scripting (XSS) issue that allows an attacker with administrative access to inject malicious scripts via Product Type names in the Craft Commerce platform. This could potentially lead to unauthorized script execution in the user permissions interface.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, stored XSS vulnerabilities can pose risks to data confidentiality and integrity, which are critical aspects of these regulations.

If exploited, this vulnerability could lead to unauthorized access or manipulation of user interface elements, potentially exposing sensitive information or enabling further attacks, which may impact compliance with data protection regulations.

Mitigation by upgrading to patched versions (4.10.1 and 5.5.2) is necessary to reduce the risk and maintain compliance with security best practices required by such standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25484. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart