XSS in Craft CMS Commerce

CVE-2026-25483

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |md…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (3.0th percentile)
