CVE-2026-25490

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-25490

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25490.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-25490

Aliases

GHSA-wq2m-r96q-crrf

Published

2026-02-03T18:09:33.290Z

Modified

2026-03-01T02:57:24.650399Z

Severity

6.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N CVSS Calculator

Summary

Craft Commerce has Stored XSS in Inventory Location Address Leading to Potential Privilege Escalation

Details

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the 'Address Line 1' field in Inventory Locations is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25490.json"
}

References

Affected packages

Git / github.com/craftcms/commerce

Affected ranges

Type

GIT

Repo

https://github.com/craftcms/commerce

Events

Introduced

23326a08ff4981c13423dcba2e5c1ca9f6afa02a

Fixed

dc3642f0cf0695b319bd1b7aade6d9f0cc9c4e55

Database specific

{
    "versions": [
        {
            "introduced": "4.0.0-RC1"
        },
        {
            "fixed": "4.10.1"
        }
    ]
}

Type

GIT

Repo

https://github.com/craftcms/commerce

Events

Introduced

266ccfd800264c4a0a7c22447112c097b0af7bae

Fixed

fb12a9fde8927af50198ea5f190d20753a8510d5

Database specific

{
    "versions": [
        {
            "introduced": "5.0.0"
        },
        {
            "fixed": "5.5.2"
        }
    ]
}

Affected versions

3.*

3.4.15

3.4.16

3.4.17

3.4.17.1

3.4.17.2

3.4.18

3.4.19

3.4.20

3.4.20.1

3.4.21

3.4.22

3.4.22.1

3.4.23

3.4.23.1

4.*

4.0.0

4.0.0-RC1

4.0.1

4.0.2

4.0.3

4.0.4

4.1.0

4.1.1

4.1.2

4.1.3

4.10.0

4.10.1

4.2.0

4.2.1

4.2.10

4.2.11

4.2.2

4.2.3

4.2.4

4.2.5

4.2.5.1

4.2.6

4.2.7

4.2.8

4.2.9

4.3.0

4.3.1

4.3.2

4.3.3

4.4.0

4.4.1

4.4.1.1

4.5.0

4.5.1

4.5.1.1

4.5.2

4.5.3

4.5.4

4.6.0

4.6.1

4.6.10

4.6.11

4.6.12

4.6.13

4.6.14

4.6.2

4.6.3.1

4.6.4

4.6.5

4.6.6

4.6.7

4.6.8

4.6.9

4.7.0

4.7.1

4.7.2

4.7.3

4.8.0

4.8.0.1

4.8.1

4.8.1.1

4.8.1.2

4.8.2

4.8.3

4.8.4

4.9.0

4.9.1

4.9.2

4.9.3

4.9.4

5.*

5.0.0

5.0.1

5.0.10

5.0.10.1

5.0.11

5.0.11.1

5.0.12

5.0.12.1

5.0.12.2

5.0.13

5.0.14

5.0.15

5.0.16

5.0.16.1

5.0.16.2

5.0.17

5.0.18

5.0.19

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

5.0.9

5.1.0

5.1.0-beta.1

5.1.0-beta.2

5.1.0-beta.3

5.1.0.1

5.1.1

5.1.2

5.1.3

5.1.4

5.2.0

5.2.1

5.2.10

5.2.11

5.2.12

5.2.12.1

5.2.2

5.2.2.1

5.2.3

5.2.4

5.2.5

5.2.6

5.2.7

5.2.8

5.2.9

5.2.9.1

5.3.0

5.3.0.1

5.3.0.2

5.3.1

5.3.10

5.3.11

5.3.12

5.3.13

5.3.2

5.3.2.1

5.3.2.2

5.3.3

5.3.4

5.3.5

5.3.6

5.3.7

5.3.8

5.3.9

5.4.0

5.4.1

5.4.1.1

5.4.10

5.4.2

5.4.3

5.4.4

5.4.5

5.4.5.1

5.4.6

5.4.7

5.4.7.1

5.4.8

5.4.9

5.5.0

5.5.0.1

5.5.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25490.json"