CVE-2026-25484

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-25484
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25484.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-25484
Aliases
Published
2026-02-03T18:06:36.706Z
Modified
2026-03-01T02:57:23.221472Z
Severity
  • 4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Craft Commerce has Stored XSS in Product Type Name
Details

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings. The vulnerable input (source) is in Commerce (Product Type settings), but the sink is in CMS user permissions settings. This issue has been patched in versions 4.10.1 and 5.5.2.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25484.json"
}
References

Affected packages

Git / github.com/craftcms/commerce

Affected ranges

Type
GIT
Repo
https://github.com/craftcms/commerce
Events
Introduced
23326a08ff4981c13423dcba2e5c1ca9f6afa02a
Fixed
dc3642f0cf0695b319bd1b7aade6d9f0cc9c4e55
Database specific 
{
    "versions": [
        {
            "introduced": "4.0.0-RC1"
        },
        {
            "fixed": "4.10.1"
        }
    ]
}
Type
GIT
Repo
https://github.com/craftcms/commerce
Events
Introduced
266ccfd800264c4a0a7c22447112c097b0af7bae
Fixed
fb12a9fde8927af50198ea5f190d20753a8510d5
Database specific 
{
    "versions": [
        {
            "introduced": "5.0.0"
        },
        {
            "fixed": "5.5.2"
        }
    ]
}

Affected versions

3.*
3.4.15
3.4.16
3.4.17
3.4.17.1
3.4.17.2
3.4.18
3.4.19
3.4.20
3.4.20.1
3.4.21
3.4.22
3.4.22.1
3.4.23
3.4.23.1
4.*
4.0.0
4.0.0-RC1
4.0.1
4.0.2
4.0.3
4.0.4
4.1.0
4.1.1
4.1.2
4.1.3
4.10.0
4.10.1
4.2.0
4.2.1
4.2.10
4.2.11
4.2.2
4.2.3
4.2.4
4.2.5
4.2.5.1
4.2.6
4.2.7
4.2.8
4.2.9
4.3.0
4.3.1
4.3.2
4.3.3
4.4.0
4.4.1
4.4.1.1
4.5.0
4.5.1
4.5.1.1
4.5.2
4.5.3
4.5.4
4.6.0
4.6.1
4.6.10
4.6.11
4.6.12
4.6.13
4.6.14
4.6.2
4.6.3.1
4.6.4
4.6.5
4.6.6
4.6.7
4.6.8
4.6.9
4.7.0
4.7.1
4.7.2
4.7.3
4.8.0
4.8.0.1
4.8.1
4.8.1.1
4.8.1.2
4.8.2
4.8.3
4.8.4
4.9.0
4.9.1
4.9.2
4.9.3
4.9.4
5.*
5.0.0
5.0.1
5.0.10
5.0.10.1
5.0.11
5.0.11.1
5.0.12
5.0.12.1
5.0.12.2
5.0.13
5.0.14
5.0.15
5.0.16
5.0.16.1
5.0.16.2
5.0.17
5.0.18
5.0.19
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.1.0
5.1.0-beta.1
5.1.0-beta.2
5.1.0-beta.3
5.1.0.1
5.1.1
5.1.2
5.1.3
5.1.4
5.2.0
5.2.1
5.2.10
5.2.11
5.2.12
5.2.12.1
5.2.2
5.2.2.1
5.2.3
5.2.4
5.2.5
5.2.6
5.2.7
5.2.8
5.2.9
5.2.9.1
5.3.0
5.3.0.1
5.3.0.2
5.3.1
5.3.10
5.3.11
5.3.12
5.3.13
5.3.2
5.3.2.1
5.3.2.2
5.3.3
5.3.4
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9
5.4.0
5.4.1
5.4.1.1
5.4.10
5.4.2
5.4.3
5.4.4
5.4.5
5.4.5.1
5.4.6
5.4.7
5.4.7.1
5.4.8
5.4.9
5.5.0
5.5.0.1
5.5.1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25484.json"