CVE-2026-25485: Craft Commerce has Stored XSS in Shipping Categories (Name & Description) Fields Leading to Potential Privilege Escalation
A stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel.
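As an added illustration (not Craft Commerce's own code), the JavaScript below models the two halves of this advisory: the admin-panel rendering pattern for the Name and Description fields, raw beside escaped, and a post-upgrade audit of values already stored in those fields, since a rendering fix does not clean what is already in the database. The record shape, field names and sample rows are assumptions constructed for the example.

```javascript
// Added example, not Craft Commerce code. Models the bug class in CVE-2026-25485:
// shipping category fields written into control-panel HTML without output encoding.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding for HTML element content and double/single-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Vulnerable pattern: stored field values are interpolated into the markup as-is,
// so anything saved in name or description becomes live HTML in the admin's browser.
function renderShippingCategoryRowUnsafe(category) {
  return `<tr><td>${category.name}</td><td>${category.description}</td></tr>`;
}

// Hardened pattern: each field is encoded at the point it is written into HTML.
function renderShippingCategoryRow(category) {
  return `<tr><td>${escapeHtml(category.name)}</td><td>${escapeHtml(category.description)}</td></tr>`;
}

// Post-upgrade audit: return ids of stored categories whose text fields contain
// tags, inline event handlers or javascript: URLs, so they can be reviewed and cleaned.
const MARKUP_RE = /<\s*\/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript:/i;

function auditStoredShippingCategories(categories) {
  return categories
    .filter((c) => MARKUP_RE.test(c.name) || MARKUP_RE.test(c.description))
    .map((c) => c.id);
}

// Constructed sample records (assumed shape; not data from any real store).
const SAMPLE_CATEGORIES = [
  { id: 1, name: 'Standard', description: 'Ground shipping, 3-5 days' },
  { id: 2, name: 'Oversized <script>alert(1)</script>', description: 'Freight' },
  { id: 3, name: 'Fragile', description: '<img src=x onerror=alert(1)>' },
];
```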
References
- github.com/advisories/GHSA-w8gw-qm8p-j9j3
- github.com/craftcms/commerce
- github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
- github.com/craftcms/commerce/releases/tag/4.10.1
- github.com/craftcms/commerce/releases/tag/5.5.2
- github.com/craftcms/commerce/security/advisories/GHSA-w8gw-qm8p-j9j3
- nvd.nist.gov/vuln/detail/CVE-2026-25485