← Voltar para CVEs

CVE-2026-25483

MEDIUM

5.4

Descricao

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes. This issue has been patched in versions 4.10.1 and 5.5.2.

Detalhes CVE

Pontuacao CVSS v3.15.4

SeveridadeMEDIUM

Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Vetor de ataqueNETWORK

ComplexidadeLOW

Privilegios necessariosLOW

Interacao do usuarioREQUIRED

Publicado2/3/2026

Ultima modificacao2/10/2026

Fontenvd

Avistamentos honeypot0

Produtos afetados

craftcms:craft_commerce

Fraquezas (CWE)

CWE-79

Referencias

https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c(security-advisories@github.com)

https://github.com/craftcms/commerce/releases/tag/4.10.1(security-advisories@github.com)

https://github.com/craftcms/commerce/releases/tag/5.5.2(security-advisories@github.com)

https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5(security-advisories@github.com)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.