CVE-2026-25483

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-25483

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25483.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-25483

Aliases

GHSA-8478-rmjg-mjj5

Published

2026-02-03T18:05:49.411Z

Modified

2026-03-01T02:57:23.596917Z

Severity

6.2 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N CVSS Calculator

Summary

Craft Commerce has Stored XSS via Order Status Message with potential database exfiltration

Details

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes. This issue has been patched in versions 4.10.1 and 5.5.2.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25483.json"
}

References

Affected packages

Git / github.com/craftcms/commerce

Affected ranges

Type

GIT

Repo

https://github.com/craftcms/commerce

Events

Introduced

23326a08ff4981c13423dcba2e5c1ca9f6afa02a

Fixed

dc3642f0cf0695b319bd1b7aade6d9f0cc9c4e55

Database specific

{
    "versions": [
        {
            "introduced": "4.0.0-RC1"
        },
        {
            "fixed": "4.10.1"
        }
    ]
}

Type

GIT

Repo

https://github.com/craftcms/commerce

Events

Introduced

266ccfd800264c4a0a7c22447112c097b0af7bae

Fixed

fb12a9fde8927af50198ea5f190d20753a8510d5

Database specific

{
    "versions": [
        {
            "introduced": "5.0.0"
        },
        {
            "fixed": "5.5.2"
        }
    ]
}

Affected versions

3.*

3.4.15

3.4.16

3.4.17

3.4.17.1

3.4.17.2

3.4.18

3.4.19

3.4.20

3.4.20.1

3.4.21

3.4.22

3.4.22.1

3.4.23

3.4.23.1

4.*

4.0.0

4.0.0-RC1

4.0.1

4.0.2

4.0.3

4.0.4

4.1.0

4.1.1

4.1.2

4.1.3

4.10.0

4.10.1

4.2.0

4.2.1

4.2.10

4.2.11

4.2.2

4.2.3

4.2.4

4.2.5

4.2.5.1

4.2.6

4.2.7

4.2.8

4.2.9

4.3.0

4.3.1

4.3.2

4.3.3

4.4.0

4.4.1

4.4.1.1

4.5.0

4.5.1

4.5.1.1

4.5.2

4.5.3

4.5.4

4.6.0

4.6.1

4.6.10

4.6.11

4.6.12

4.6.13

4.6.14

4.6.2

4.6.3.1

4.6.4

4.6.5

4.6.6

4.6.7

4.6.8

4.6.9

4.7.0

4.7.1

4.7.2

4.7.3

4.8.0

4.8.0.1

4.8.1

4.8.1.1

4.8.1.2

4.8.2

4.8.3

4.8.4

4.9.0

4.9.1

4.9.2

4.9.3

4.9.4

5.*

5.0.0

5.0.1

5.0.10

5.0.10.1

5.0.11

5.0.11.1

5.0.12

5.0.12.1

5.0.12.2

5.0.13

5.0.14

5.0.15

5.0.16

5.0.16.1

5.0.16.2

5.0.17

5.0.18

5.0.19

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

5.0.9

5.1.0

5.1.0-beta.1

5.1.0-beta.2

5.1.0-beta.3

5.1.0.1

5.1.1

5.1.2

5.1.3

5.1.4

5.2.0

5.2.1

5.2.10

5.2.11

5.2.12

5.2.12.1

5.2.2

5.2.2.1

5.2.3

5.2.4

5.2.5

5.2.6

5.2.7

5.2.8

5.2.9

5.2.9.1

5.3.0

5.3.0.1

5.3.0.2

5.3.1

5.3.10

5.3.11

5.3.12

5.3.13

5.3.2

5.3.2.1

5.3.2.2

5.3.3

5.3.4

5.3.5

5.3.6

5.3.7

5.3.8

5.3.9

5.4.0

5.4.1

5.4.1.1

5.4.10

5.4.2

5.4.3

5.4.4

5.4.5

5.4.5.1

5.4.6

5.4.7

5.4.7.1

5.4.8

5.4.9

5.5.0

5.5.0.1

5.5.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25483.json"