GHSA-p6w8-q63m-72c8

Source

https://github.com/advisories/GHSA-p6w8-q63m-72c8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-p6w8-q63m-72c8/GHSA-p6w8-q63m-72c8.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-p6w8-q63m-72c8

Aliases

CVE-2026-25488

Published

2026-02-02T22:51:51Z

Modified

2026-02-03T21:51:15.391273Z

Severity

6.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N CVSS Calculator

Summary

Craft Commerce has Stored XSS in Tax Categories (Name & Description) Fields Leading to Potential Privilege Escalation

Details

Summary

A stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Tax Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel.

Proof of Concept

Requirments

General permissions:
- Access the control panel
- Access Craft Commerce
Craft Commerce permissions:
- Manage store settings
- Manage taxes
An active administrator elevated session

Steps to Reproduce

Log in to the Admin Panel with the attacker account with the permissions mentioned above.
Navigate to Commerce -> Store Management -> Tax Categories (/admin/commerce/store-management/primary/taxcategories).
Create a new tax category.
In the Name or Description field, enter the following payload:
```
<img src=x onerror="alert(document.domain)">
```
Click Save and you'll be redirected back to the previous page.
Notice the alert proving JavaScript execution.

Privilege Escalation to Administrator:

Do the same steps above, but replace the payload with a malicious one.

The following payload elevates the attacker’s account to Admin if there’s already an elevated session, replace the <UserID> with your attacker id:

<img src=x onerror="fetch('/admin/users/<UserID>/permissions',{method:'POST',body:`CRAFT_CSRF_TOKEN=${Craft.csrfTokenValue}&userId=<UserID>&admin=1&action=users/save-permissions`,headers:{'content-type':'application/x-www-form-urlencoded'}})">

In another browser, log in as an admin & go to the vulnerable page (tax categories page).
Go back to your attacker account & notice you are now an admin.

The privilege escalation requires an elevated session. In a real-world scenario, an attacker can automate the process by forcing a logout if the victim’s session is stale; upon re-authentication, the stored XSS payload executes within a fresh elevated session to complete the attack.

Or even easier (and smarter), an attacker (using the XSS) can create a fake 'Session Expired' login modal overlay. Since it’s on the trusted domain, administrators will likely enter their credentials, sending them directly to the attacker.

References:

https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee

Database specific

{
    "github_reviewed_at": "2026-02-02T22:51:51Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ],
    "nvd_published_at": "2026-02-03T19:16:26Z",
    "severity": "MODERATE"
}

References

Affected packages

Packagist / craftcms/commerce

Package

Name: craftcms/commerce
Purl: pkg:composer/craftcms/commerce

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0-RC1

Fixed

5.5.2

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

5.0.9

5.0.10

5.0.10.1

5.0.11

5.0.11.1

5.0.12

5.0.12.1

5.0.12.2

5.0.13

5.0.14

5.0.15

5.0.16

5.0.16.1

5.0.16.2

5.0.17

5.0.18

5.0.19

5.1.0-beta.1

5.1.0-beta.2

5.1.0-beta.3

5.1.0

5.1.0.1

5.1.1

5.1.2

5.1.3

5.1.4

5.2.0

5.2.1

5.2.2

5.2.2.1

5.2.3

5.2.4

5.2.5

5.2.6

5.2.7

5.2.8

5.2.9

5.2.9.1

5.2.10

5.2.11

5.2.12

5.2.12.1

5.3.0

5.3.0.1

5.3.0.2

5.3.1

5.3.2

5.3.2.1

5.3.2.2

5.3.3

5.3.4

5.3.5

5.3.6

5.3.7

5.3.8

5.3.9

5.3.10

5.3.11

5.3.12

5.3.13

5.4.0

5.4.1

5.4.1.1

5.4.2

5.4.3

5.4.4

5.4.5

5.4.5.1

5.4.6

5.4.7

5.4.7.1

5.4.8

5.4.9

5.4.10

5.5.0

5.5.0.1

5.5.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-p6w8-q63m-72c8/GHSA-p6w8-q63m-72c8.json"

last_known_affected_version_range

"<= 5.5.1"

Packagist / craftcms/commerce

Package

Name: craftcms/commerce
Purl: pkg:composer/craftcms/commerce

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0-RC1

Fixed

4.10.1

Affected versions

4.*

4.0.0-RC1

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.1.0

4.1.1

4.1.2

4.1.3

4.2.0

4.2.1

4.2.2

4.2.3

4.2.4

4.2.5

4.2.5.1

4.2.6

4.2.7

4.2.8

4.2.9

4.2.10

4.2.11

4.3.0

4.3.1

4.3.2

4.3.3

4.4.0

4.4.1

4.4.1.1

4.5.0

4.5.1

4.5.1.1

4.5.2

4.5.3

4.5.4

4.6.0

4.6.1

4.6.2

4.6.3.1

4.6.4

4.6.5

4.6.6

4.6.7

4.6.8

4.6.9

4.6.10

4.6.11

4.6.12

4.6.13

4.6.14

4.7.0

4.7.1

4.7.2

4.7.3

4.8.0

4.8.0.1

4.8.1

4.8.1.1

4.8.1.2

4.8.2

4.8.3

4.8.4

4.9.0

4.9.1

4.9.2

4.9.3

4.9.4

4.10.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-p6w8-q63m-72c8/GHSA-p6w8-q63m-72c8.json"

last_known_affected_version_range

"<= 4.10.0"