CVE-2026-25482

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-25482

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25482.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-25482

Aliases

GHSA-frj9-9rwc-pw9j

Published

2026-02-03T18:05:09.783Z

Modified

2026-03-01T02:57:23.327185Z

Severity

6.2 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N CVSS Calculator

Summary

Craft Commerce has Stored DOM XSS in Order Status Name (Reflects in "Recent Orders" Dashboard Widget)

Details

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard. This issue has been patched in versions 4.10.1 and 5.5.2.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25482.json"
}

References

Affected packages

Git / github.com/craftcms/commerce

Affected ranges

Type

GIT

Repo

https://github.com/craftcms/commerce

Events

Introduced

266ccfd800264c4a0a7c22447112c097b0af7bae

Fixed

fb12a9fde8927af50198ea5f190d20753a8510d5

Database specific

{
    "versions": [
        {
            "introduced": "5.0.0"
        },
        {
            "fixed": "5.5.2"
        }
    ]
}

Type

GIT

Repo

https://github.com/craftcms/commerce

Events

Introduced

23326a08ff4981c13423dcba2e5c1ca9f6afa02a

Fixed

dc3642f0cf0695b319bd1b7aade6d9f0cc9c4e55

Database specific

{
    "versions": [
        {
            "introduced": "4.0.0-RC1"
        },
        {
            "fixed": "4.10.1"
        }
    ]
}

Affected versions

3.*

3.4.15

3.4.16

3.4.17

3.4.17.1

3.4.17.2

3.4.18

3.4.19

3.4.20

3.4.20.1

3.4.21

3.4.22

3.4.22.1

3.4.23

3.4.23.1

4.*

4.0.0

4.0.0-RC1

4.0.1

4.0.2

4.0.3

4.0.4

4.1.0

4.1.1

4.1.2

4.1.3

4.10.0

4.10.1

4.2.0

4.2.1

4.2.10

4.2.11

4.2.2

4.2.3

4.2.4

4.2.5

4.2.5.1

4.2.6

4.2.7

4.2.8

4.2.9

4.3.0

4.3.1

4.3.2

4.3.3

4.4.0

4.4.1

4.4.1.1

4.5.0

4.5.1

4.5.1.1

4.5.2

4.5.3

4.5.4

4.6.0

4.6.1

4.6.10

4.6.11

4.6.12

4.6.13

4.6.14

4.6.2

4.6.3.1

4.6.4

4.6.5

4.6.6

4.6.7

4.6.8

4.6.9

4.7.0

4.7.1

4.7.2

4.7.3

4.8.0

4.8.0.1

4.8.1

4.8.1.1

4.8.1.2

4.8.2

4.8.3

4.8.4

4.9.0

4.9.1

4.9.2

4.9.3

4.9.4

5.*

5.0.0

5.0.1

5.0.10

5.0.10.1

5.0.11

5.0.11.1

5.0.12

5.0.12.1

5.0.12.2

5.0.13

5.0.14

5.0.15

5.0.16

5.0.16.1

5.0.16.2

5.0.17

5.0.18

5.0.19

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

5.0.9

5.1.0

5.1.0-beta.1

5.1.0-beta.2

5.1.0-beta.3

5.1.0.1

5.1.1

5.1.2

5.1.3

5.1.4

5.2.0

5.2.1

5.2.10

5.2.11

5.2.12

5.2.12.1

5.2.2

5.2.2.1

5.2.3

5.2.4

5.2.5

5.2.6

5.2.7

5.2.8

5.2.9

5.2.9.1

5.3.0

5.3.0.1

5.3.0.2

5.3.1

5.3.10

5.3.11

5.3.12

5.3.13

5.3.2

5.3.2.1

5.3.2.2

5.3.3

5.3.4

5.3.5

5.3.6

5.3.7

5.3.8

5.3.9

5.4.0

5.4.1

5.4.1.1

5.4.10

5.4.2

5.4.3

5.4.4

5.4.5

5.4.5.1

5.4.6

5.4.7

5.4.7.1

5.4.8

5.4.9

5.5.0

5.5.0.1

5.5.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25482.json"