GHSA-frj9-9rwc-pw9j

Source
https://github.com/advisories/GHSA-frj9-9rwc-pw9j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-frj9-9rwc-pw9j/GHSA-frj9-9rwc-pw9j.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-frj9-9rwc-pw9j
Aliases
Published
2026-02-02T22:41:44Z
Modified
2026-02-03T21:50:01.970152Z
Severity
  • 6.2 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
Summary
Craft Commerce has Stored DOM XSS in Order Status Name (Reflects in "Recent Orders" Dashboard Widget)
Details

Summary

A stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard.

Users are recommended to update to the patched 5.5.2 release to mitigate the issue.


Proof of Concept

Required Permissions

  • Admin access (to edit/create Order Statuses)

Steps to Reproduce

  1. Log in with an admin account
  2. Navigate to Commerce → Settings → Order Statuses
  3. Create new order status (e.g., "Pending")
  4. Set the Name field to:
    <img src=x onerror="alert('Order Statuses XSS')" hidden>
    
  5. Save the order status
  6. Go to Commerce → Orders and create some orders with different statuses (e.g. "New" and the newly created malicious status)
  7. Go to the Dashboard (/admin/dashboard), add the "Recent Orders" widget and select the same two statuses used for the orders
  8. Notice the XSS execution (screenshot: xss-execution-in-dashboard)

Technical Details

File: vendor/craftcms/commerce/src/templates/_components/widgets/orders/recent/body.twig

Root Cause: value.name (the Order Status Name) is concatenated directly into the HTML string without sanitization. When JavaScript inserts this HTML into the DOM, any malicious tags/scripts in the name are executed. (screenshot: vulnerable-code)


Mitigation

Use Craft.escapeHtml() in the callback:

callback: function(value) {
    return '<span class="commerceStatusLabel"><span class="status ' + Craft.escapeHtml(value.color) + '"></span>' + Craft.escapeHtml(value.name) + '</span>';
}
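The following is an added example, not code from Craft Commerce or from the advisory author. It models the widget callback before and after the fix so the difference can be checked outside the control panel. It assumes that Craft.escapeHtml() escapes the five HTML-significant characters the way the stand-in escapeHtml() below does; the real implementation is not shown on this page, and the Craft object here is a hypothetical stand-in.

```javascript
// Stand-in for Craft.escapeHtml(): escape the characters that can start a tag,
// close an attribute value, or introduce an entity. '&' must be replaced first
// so that the entities produced by the later replacements are not re-escaped.
// Assumption: the real Craft.escapeHtml() behaves equivalently.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical stand-in for the control panel's global Craft object.
const Craft = { escapeHtml };

// Pre-fix shape of the callback: value.name and value.color land in the HTML
// string verbatim, so any markup stored in the status name becomes live DOM.
function vulnerableCallback(value) {
  return '<span class="commerceStatusLabel"><span class="status ' + value.color + '"></span>' + value.name + '</span>';
}

// Patched shape of the callback, as shown in the Mitigation section above:
// every value taken from the order status is escaped for its HTML context.
// value.color sits inside a double-quoted attribute, so escaping '"' matters there.
function fixedCallback(value) {
  return '<span class="commerceStatusLabel"><span class="status ' + Craft.escapeHtml(value.color) + '"></span>' + Craft.escapeHtml(value.name) + '</span>';
}

// Constructed sample records (not real data): status names that carry markup
// or attribute-breaking characters, as an admin could save them under
// Commerce -> Settings -> Order Statuses.
const sampleStatuses = [
  { color: 'green', name: '<b>Pending</b>' },
  { color: 'red', name: 'Tom & "Jerry" <Co>' },
];

// Count how many '<' characters a rendered fragment contains. The widget's own
// wrapper contributes exactly four; any extra come from unescaped stored data.
// This is a simple regression check a defender can run against widget output.
function rawTagCount(html) {
  return (html.match(/</g) || []).length;
}

function renderAll(callback) {
  return sampleStatuses.map(callback);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', renderAll(vulnerableCallback));
  console.log('fixed:     ', renderAll(fixedCallback));
}
```

Escaping at the point of concatenation is the minimal fix the upstream commit takes. An alternative that removes the string-building hazard altogether is to construct the two spans with document.createElement, assign the color through classList.add, and set the name through textContent, which can never be parsed as markup.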

Resources:

https://github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935ba65

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-02T22:41:44Z",
    "severity": "MODERATE",
    "nvd_published_at": "2026-02-03T19:16:25Z",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Packagist / craftcms/commerce

Package

Name
craftcms/commerce
Purl
pkg:composer/craftcms/commerce

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.5.2

Affected versions

5.*
5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.0.10.1
5.0.11
5.0.11.1
5.0.12
5.0.12.1
5.0.12.2
5.0.13
5.0.14
5.0.15
5.0.16
5.0.16.1
5.0.16.2
5.0.17
5.0.18
5.0.19
5.1.0-beta.1
5.1.0-beta.2
5.1.0-beta.3
5.1.0
5.1.0.1
5.1.1
5.1.2
5.1.3
5.1.4
5.2.0
5.2.1
5.2.2
5.2.2.1
5.2.3
5.2.4
5.2.5
5.2.6
5.2.7
5.2.8
5.2.9
5.2.9.1
5.2.10
5.2.11
5.2.12
5.2.12.1
5.3.0
5.3.0.1
5.3.0.2
5.3.1
5.3.2
5.3.2.1
5.3.2.2
5.3.3
5.3.4
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9
5.3.10
5.3.11
5.3.12
5.3.13
5.4.0
5.4.1
5.4.1.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.5.1
5.4.6
5.4.7
5.4.7.1
5.4.8
5.4.9
5.4.10
5.5.0
5.5.0.1
5.5.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-frj9-9rwc-pw9j/GHSA-frj9-9rwc-pw9j.json"
last_known_affected_version_range
"<= 5.5.1"

Packagist / craftcms/commerce

Package

Name
craftcms/commerce
Purl
pkg:composer/craftcms/commerce

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0-RC1
Fixed
4.10.1

Affected versions

4.*
4.0.0-RC1
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.1.0
4.1.1
4.1.2
4.1.3
4.2.0
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.5.1
4.2.6
4.2.7
4.2.8
4.2.9
4.2.10
4.2.11
4.3.0
4.3.1
4.3.2
4.3.3
4.4.0
4.4.1
4.4.1.1
4.5.0
4.5.1
4.5.1.1
4.5.2
4.5.3
4.5.4
4.6.0
4.6.1
4.6.2
4.6.3.1
4.6.4
4.6.5
4.6.6
4.6.7
4.6.8
4.6.9
4.6.10
4.6.11
4.6.12
4.6.13
4.6.14
4.7.0
4.7.1
4.7.2
4.7.3
4.8.0
4.8.0.1
4.8.1
4.8.1.1
4.8.1.2
4.8.2
4.8.3
4.8.4
4.9.0
4.9.1
4.9.2
4.9.3
4.9.4
4.10.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-frj9-9rwc-pw9j/GHSA-frj9-9rwc-pw9j.json"
last_known_affected_version_range
"<= 4.10.0"