CVE-2026-25489

Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation

Description

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.

INFO

Published Date :

2026-02-03T18:07:40.168Z

Last Modified :

2026-02-03T20:34:09.676Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-25489 vulnerability.

Vendors	Products
Craftcms	Commerce Craft Commerce

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-25489.

URL	Resource
https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
https://github.com/craftcms/commerce/releases/tag/4.10.1
https://github.com/craftcms/commerce/releases/tag/5.5.2
https://github.com/craftcms/commerce/security/advisories/GHSA-v585-mf6r-rqrc

CVSS Vulnerability Scoring System

V4
V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact