← Zuruck zu CVEs
CVE-2026-25483
MEDIUM5.4
Beschreibung
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes. This issue has been patched in versions 4.10.1 and 5.5.2.
CVE Details
CVSS v3.1 Bewertung5.4
SchweregradMEDIUM
CVSS VektorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
AngriffsvektorNETWORK
KomplexitatLOW
Erforderliche PrivilegienLOW
BenutzerinteraktionREQUIRED
Veroffentlicht2/3/2026
Zuletzt geandert2/10/2026
Quellenvd
Honeypot-Sichtungen0
Betroffene Produkte
craftcms:craft_commerce
Schwachen (CWE)
CWE-79
Referenzen
https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c(security-advisories@github.com)
https://github.com/craftcms/commerce/releases/tag/4.10.1(security-advisories@github.com)
https://github.com/craftcms/commerce/releases/tag/5.5.2(security-advisories@github.com)
https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5(security-advisories@github.com)
IOC Korrelationen
Keine Korrelationen erfasst
This product uses data from the NVD API but is not endorsed or certified by the NVD.