CVE-2026-25490

EUVD-2026-5179

03.02.2026, 19:16

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the 'Address Line 1' field in Inventory Locations is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.8 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 1%

Affected Products (NVD)

Vendor	Product	Version
craftcms	craft_commerce	4.0.1 ≤ 𝑥 < 4.10.1
craftcms	craft_commerce	5.0.0 ≤ 𝑥 < 5.5.2
craftcms	craft_commerce	4.0.0
craftcms	craft_commerce	4.0.0:rc1

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/craftcms/commerce/security/advisories/GHSA-wq2m-r96q-crrf

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee

https://github.com/craftcms/commerce/releases/tag/4.10.1

https://github.com/craftcms/commerce/releases/tag/5.5.2

https://github.com/craftcms/commerce/security/advisories/GHSA-wq2m-r96q-crrf