← Back to CVEs

CVE-2026-25483

MEDIUM

5.4

Description

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes. This issue has been patched in versions 4.10.1 and 5.5.2.

CVE Details

CVSS v3.1 Score5.4

SeverityMEDIUM

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredLOW

User InteractionREQUIRED

Published2/3/2026

Last Modified2/10/2026

Sourcenvd

Honeypot Sightings0

Affected Products

craftcms:craft_commerce

Weaknesses (CWE)

CWE-79

References

https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c(security-advisories@github.com)

https://github.com/craftcms/commerce/releases/tag/4.10.1(security-advisories@github.com)

https://github.com/craftcms/commerce/releases/tag/5.5.2(security-advisories@github.com)

https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5(security-advisories@github.com)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.