CVE-2026-25522

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-25522
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25522.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-25522
Aliases
Published
2026-02-03T18:10:33.911Z
Modified
2026-03-01T02:57:29.420228Z
Severity
  • 6.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N CVSS Calculator
Summary
Craft Commerce has Stored XSS in Shipping Zone (Name & Description) Fields Leading to Potential Privilege Escalation
Details

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Zone (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25522.json"
}
References

Affected packages

Git / github.com/craftcms/commerce

Affected ranges

Type
GIT
Repo
https://github.com/craftcms/commerce
Events
Introduced
23326a08ff4981c13423dcba2e5c1ca9f6afa02a
Fixed
dc3642f0cf0695b319bd1b7aade6d9f0cc9c4e55
Database specific 
{
    "versions": [
        {
            "introduced": "4.0.0-RC1"
        },
        {
            "fixed": "4.10.1"
        }
    ]
}
Type
GIT
Repo
https://github.com/craftcms/commerce
Events
Introduced
266ccfd800264c4a0a7c22447112c097b0af7bae
Fixed
fb12a9fde8927af50198ea5f190d20753a8510d5
Database specific 
{
    "versions": [
        {
            "introduced": "5.0.0"
        },
        {
            "fixed": "5.5.2"
        }
    ]
}

Affected versions

3.*
3.4.15
3.4.16
3.4.17
3.4.17.1
3.4.17.2
3.4.18
3.4.19
3.4.20
3.4.20.1
3.4.21
3.4.22
3.4.22.1
3.4.23
3.4.23.1
4.*
4.0.0
4.0.0-RC1
4.0.1
4.0.2
4.0.3
4.0.4
4.1.0
4.1.1
4.1.2
4.1.3
4.10.0
4.10.1
4.2.0
4.2.1
4.2.10
4.2.11
4.2.2
4.2.3
4.2.4
4.2.5
4.2.5.1
4.2.6
4.2.7
4.2.8
4.2.9
4.3.0
4.3.1
4.3.2
4.3.3
4.4.0
4.4.1
4.4.1.1
4.5.0
4.5.1
4.5.1.1
4.5.2
4.5.3
4.5.4
4.6.0
4.6.1
4.6.10
4.6.11
4.6.12
4.6.13
4.6.14
4.6.2
4.6.3.1
4.6.4
4.6.5
4.6.6
4.6.7
4.6.8
4.6.9
4.7.0
4.7.1
4.7.2
4.7.3
4.8.0
4.8.0.1
4.8.1
4.8.1.1
4.8.1.2
4.8.2
4.8.3
4.8.4
4.9.0
4.9.1
4.9.2
4.9.3
4.9.4
5.*
5.0.0
5.0.1
5.0.10
5.0.10.1
5.0.11
5.0.11.1
5.0.12
5.0.12.1
5.0.12.2
5.0.13
5.0.14
5.0.15
5.0.16
5.0.16.1
5.0.16.2
5.0.17
5.0.18
5.0.19
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.1.0
5.1.0-beta.1
5.1.0-beta.2
5.1.0-beta.3
5.1.0.1
5.1.1
5.1.2
5.1.3
5.1.4
5.2.0
5.2.1
5.2.10
5.2.11
5.2.12
5.2.12.1
5.2.2
5.2.2.1
5.2.3
5.2.4
5.2.5
5.2.6
5.2.7
5.2.8
5.2.9
5.2.9.1
5.3.0
5.3.0.1
5.3.0.2
5.3.1
5.3.10
5.3.11
5.3.12
5.3.13
5.3.2
5.3.2.1
5.3.2.2
5.3.3
5.3.4
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9
5.4.0
5.4.1
5.4.1.1
5.4.10
5.4.2
5.4.3
5.4.4
5.4.5
5.4.5.1
5.4.6
5.4.7
5.4.7.1
5.4.8
5.4.9
5.5.0
5.5.0.1
5.5.1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25522.json"