11 matches found
CVE-2026-25489
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Ta...
CVE-2026-25489
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Ta...
CVE-2026-25489
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Ta...
CVE-2026-25489 Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Ta...
CVE-2026-25489 Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Ta...
CVE-2026-25489
Craft Commerce (Craft CMS) has a stored XSS vulnerability in the Tax Zones Name and Description fields that can execute injected JavaScript in an administrator’s browser. Affected versions are 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1; the issue arises because sanitization is insufficient ...
CVE-2026-25489 Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Ta...
Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation
Summary A stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel. Proof of Concept Requirments -...
Cross-site Scripting (XSS)
Overview craftcms/commerce is a Craft Commerce Affected versions of this package are vulnerable to Cross-site Scripting XSS via the Name and Description fields in the tax zones configuration. An attacker can execute arbitrary JavaScript code in an administrator's browser by submitting crafted...
GHSA-V585-MF6R-RQRC Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation
Summary A stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel. Proof of Concept Requirments -...
PT-2026-5749
Name of the Vulnerable Software and Affected Versions Craft Commerce versions 4.0.0-RC1 through 4.10.0 Craft Commerce versions 5.0.0 through 5.5.1 Description Craft Commerce, an ecommerce platform for Craft CMS, contains a stored cross-site scripting XSS issue. The issue stems from insufficient...