CVE-2026-25487

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-25487

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25487.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-25487

Aliases

GHSA-wqc5-485v-3hqh

Published

2026-02-03T18:07:12.401Z

Modified

2026-03-01T02:57:23.259386Z

Severity

6.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N CVSS Calculator

Summary

Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation

Details

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25487.json"
}

References

Affected packages

Git / github.com/craftcms/commerce

Affected ranges

Type

GIT

Repo

https://github.com/craftcms/commerce

Events

Introduced

23326a08ff4981c13423dcba2e5c1ca9f6afa02a

Fixed

dc3642f0cf0695b319bd1b7aade6d9f0cc9c4e55

Database specific

{
    "versions": [
        {
            "introduced": "4.0.0-RC1"
        },
        {
            "fixed": "4.10.1"
        }
    ]
}

Type

GIT

Repo

https://github.com/craftcms/commerce

Events

Introduced

266ccfd800264c4a0a7c22447112c097b0af7bae

Fixed

fb12a9fde8927af50198ea5f190d20753a8510d5

Database specific

{
    "versions": [
        {
            "introduced": "5.0.0"
        },
        {
            "fixed": "5.5.2"
        }
    ]
}

Affected versions

3.*

3.4.15

3.4.16

3.4.17

3.4.17.1

3.4.17.2

3.4.18

3.4.19

3.4.20

3.4.20.1

3.4.21

3.4.22

3.4.22.1

3.4.23

3.4.23.1

4.*

4.0.0

4.0.0-RC1

4.0.1

4.0.2

4.0.3

4.0.4

4.1.0

4.1.1

4.1.2

4.1.3

4.10.0

4.10.1

4.2.0

4.2.1

4.2.10

4.2.11

4.2.2

4.2.3

4.2.4

4.2.5

4.2.5.1

4.2.6

4.2.7

4.2.8

4.2.9

4.3.0

4.3.1

4.3.2

4.3.3

4.4.0

4.4.1

4.4.1.1

4.5.0

4.5.1

4.5.1.1

4.5.2

4.5.3

4.5.4

4.6.0

4.6.1

4.6.10

4.6.11

4.6.12

4.6.13

4.6.14

4.6.2

4.6.3.1

4.6.4

4.6.5

4.6.6

4.6.7

4.6.8

4.6.9

4.7.0

4.7.1

4.7.2

4.7.3

4.8.0

4.8.0.1

4.8.1

4.8.1.1

4.8.1.2

4.8.2

4.8.3

4.8.4

4.9.0

4.9.1

4.9.2

4.9.3

4.9.4

5.*

5.0.0

5.0.1

5.0.10

5.0.10.1

5.0.11

5.0.11.1

5.0.12

5.0.12.1

5.0.12.2

5.0.13

5.0.14

5.0.15

5.0.16

5.0.16.1

5.0.16.2

5.0.17

5.0.18

5.0.19

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

5.0.9

5.1.0

5.1.0-beta.1

5.1.0-beta.2

5.1.0-beta.3

5.1.0.1

5.1.1

5.1.2

5.1.3

5.1.4

5.2.0

5.2.1

5.2.10

5.2.11

5.2.12

5.2.12.1

5.2.2

5.2.2.1

5.2.3

5.2.4

5.2.5

5.2.6

5.2.7

5.2.8

5.2.9

5.2.9.1

5.3.0

5.3.0.1

5.3.0.2

5.3.1

5.3.10

5.3.11

5.3.12

5.3.13

5.3.2

5.3.2.1

5.3.2.2

5.3.3

5.3.4

5.3.5

5.3.6

5.3.7

5.3.8

5.3.9

5.4.0

5.4.1

5.4.1.1

5.4.10

5.4.2

5.4.3

5.4.4

5.4.5

5.4.5.1

5.4.6

5.4.7

5.4.7.1

5.4.8

5.4.9

5.5.0

5.5.0.1

5.5.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25487.json"