CVE-2026-25522 in Craft
Summary
by MITRE • 02/03/2026
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Zone (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Analysis
by VulDB Data Team • 02/18/2026
This vulnerability affects Craft Commerce, a popular ecommerce platform built for Craft CMS, where attackers can exploit a stored cross-site scripting flaw in the administrator interface. The vulnerability exists in versions ranging from 4.0.0-RC1 through 4.10.0 and from 5.0.0 through 5.5.1, creating a significant security risk for users of these specific releases. The flaw manifests in the Shipping Zone management functionality where both Name and Description fields are susceptible to malicious input injection.
Technically, this vulnerability stems from inadequate input sanitization within the administrative dashboard. When administrators view shipping zone information in the store management section, the system fails to properly escape or filter user-supplied content from the Name and Description fields. This allows attackers to inject malicious JavaScript code that persists in the database and executes whenever the affected admin panel page is loaded. The vulnerability represents a classic stored XSS flaw where malicious payloads are stored server-side and executed client-side when legitimate users access the affected interface.
The operational impact of this vulnerability is substantial as it provides attackers with the ability to compromise administrator sessions and potentially gain full control over the ecommerce platform. An attacker who successfully exploits this vulnerability could execute arbitrary JavaScript code in the context of the administrator's browser, potentially leading to session hijacking, data exfiltration, or privilege escalation. The attack vector is particularly concerning because it targets the administrative interface, which typically has elevated privileges and access to sensitive platform configurations and customer data.
Security professionals should note that this vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws in web applications. The issue also maps to ATT&CK technique T1566.001 for initial access through malicious content and T1071.001 for application layer protocol usage. Organizations using affected versions of Craft Commerce should immediately upgrade to patched versions 4.10.1 and 5.5.2 to remediate this vulnerability. Additional mitigations include implementing strict input validation for all user-supplied content in administrative interfaces, employing content security policies, and conducting regular security audits of web application inputs and outputs. The vulnerability demonstrates the critical importance of sanitizing all user-facing fields in administrative panels where privileged users will view potentially malicious content.
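As an added illustration of the rendering defect and the remediation the analysis describes (example code written for this page, not Craft Commerce's own implementation), the following Python models a simplified shipping zone record, shows the unescaped versus escaped admin rendering of the Name and Description fields, and audits stored zones for markup so that an administrator can review existing data after upgrading. The ShippingZone class, the render functions and the sample rows are all hypothetical, constructed for this example.

```python
import html
import re
from dataclasses import dataclass

# Hypothetical, simplified stand-in for a Craft Commerce shipping zone record:
# only the two fields the advisory names, not Craft's actual model.
@dataclass
class ShippingZone:
    id: int
    name: str
    description: str

# Markup that should never appear in a plain-text admin field such as a zone
# name: any tag opener, an inline event-handler attribute, or a javascript: URL.
_MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z!]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)

def render_zone_row_vulnerable(zone: ShippingZone) -> str:
    """The pattern the advisory describes: stored field values interpolated
    into the admin HTML without escaping, so markup in them becomes live."""
    return f"<tr><td>{zone.name}</td><td>{zone.description}</td></tr>"

def render_zone_row_fixed(zone: ShippingZone) -> str:
    """Context-aware output encoding: each field is HTML-escaped at render
    time, so stored markup is displayed as text rather than interpreted."""
    return (f"<tr><td>{html.escape(zone.name, quote=True)}</td>"
            f"<td>{html.escape(zone.description, quote=True)}</td></tr>")

def audit_zones(zones) -> list:
    """Return (zone id, field name) pairs whose stored value contains markup.
    Useful as a post-upgrade review of data written while a site ran an
    affected version; the result is for human review, not automatic cleanup."""
    findings = []
    for zone in zones:
        for field in ("name", "description"):
            if _MARKUP.search(getattr(zone, field)):
                findings.append((zone.id, field))
    return findings

# Constructed sample data: one clean zone and one whose fields carry inert
# markup, standing in for content an attacker could have stored.
SAMPLE_ZONES = [
    ShippingZone(1, "EU Mainland", "Standard ground shipping within the EU"),
    ShippingZone(2, "Test <b>zone</b>", "Overnight <script>void(0)</script>"),
]

if __name__ == "__main__":
    for zone in SAMPLE_ZONES:
        print(render_zone_row_fixed(zone))
    print("fields needing review:", audit_zones(SAMPLE_ZONES))
```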