XSS in Craftcms Commerce

CVE-2026-25486

Craft Commerce is an ecommerce platform for Craft CMS. From version 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shippi…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (5.6th percentile) — read the EPSS interpretation.

Affected products

Craftcms Commerce — versions >= 5.0.0, < 5.5.2

Weakness classification (CWE)

CWE-79 — Cross-site Scripting

References

https://github.com/craftcms/commerce/security/advisories/GHSA-g92v-wpv7-6w22 (x_refsource_CONFIRM)
https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee (x_refsource_MISC)
https://github.com/craftcms/commerce/releases/tag/5.5.2 (x_refsource_MISC)