← Voltar para CVEs

CVE-2026-25482

MEDIUM

4.8

Descricao

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard. This issue has been patched in versions 4.10.1 and 5.5.2.

Detalhes CVE

Pontuacao CVSS v3.14.8

SeveridadeMEDIUM

Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Vetor de ataqueNETWORK

ComplexidadeLOW

Privilegios necessariosHIGH

Interacao do usuarioREQUIRED

Publicado2/3/2026

Ultima modificacao2/10/2026

Fontenvd

Avistamentos honeypot0

Produtos afetados

craftcms:craft_commerce

Fraquezas (CWE)

CWE-79

Referencias

https://github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935ba65(security-advisories@github.com)

https://github.com/craftcms/commerce/releases/tag/4.10.1(security-advisories@github.com)

https://github.com/craftcms/commerce/releases/tag/5.5.2(security-advisories@github.com)

https://github.com/craftcms/commerce/security/advisories/GHSA-frj9-9rwc-pw9j(security-advisories@github.com)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.