XSS in Craftcms Commerce

CVE-2026-25484

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings. The v…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (3.9th percentile)
