CVE-2026-25482: Craft Commerce has Stored DOM XSS in Order Status Name (Reflects in "Recent Orders" Dashboard Widget)
A stored DOM XSS vulnerability exists in the “Recent Orders” dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard.
Users are recommended to update to the patched 5.5.2 release to mitigate the issue.
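The rendering pattern the advisory describes, shown as an added illustration that is not Craft Commerce's own code: a widget row built by concatenating a stored status name straight into an HTML string, next to a version that escapes each value first, plus a small check a reviewer can use to spot injected markup. The order object, field names and status text are constructed sample data.

```javascript
// Added example (not Craft Commerce code): why string-concatenated HTML is a
// stored DOM XSS sink, and what the escaping fix looks like.

// Escape the five characters that change meaning in HTML text or attribute
// context. Sufficient for values that end up in an innerHTML-style sink.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored status name is interpolated raw, so any
// markup saved in it is parsed as HTML when the dashboard renders.
function renderRowUnsafe(order) {
  return '<tr><td>' + order.number + '</td>' +
         '<td><span class="status">' + order.statusName + '</span></td></tr>';
}

// Fixed pattern: every dynamic value is escaped before concatenation.
function renderRowSafe(order) {
  return '<tr><td>' + escapeHtml(order.number) + '</td>' +
         '<td><span class="status">' + escapeHtml(order.statusName) + '</span></td></tr>';
}

// Review/unit-test helper: does the rendered HTML contain any tag the
// template itself does not emit? True means user data became markup.
function containsUnexpectedTag(html) {
  const allowed = new Set(['tr', 'td', 'span', '/tr', '/td', '/span']);
  const tags = html.match(/<\/?[a-zA-Z][^\s>]*/g) || [];
  return tags.some((t) => !allowed.has(t.slice(1).toLowerCase()));
}

// Constructed sample: a status name carrying markup, as a stored value would.
const sampleOrder = {
  number: '1001',
  statusName: 'Shipped <b>now</b>',
};

console.log('unsafe injects markup:', containsUnexpectedTag(renderRowUnsafe(sampleOrder)));
console.log('safe   injects markup:', containsUnexpectedTag(renderRowSafe(sampleOrder)));
```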
References
- github.com/advisories/GHSA-frj9-9rwc-pw9j
- github.com/craftcms/commerce
- github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935ba65
- github.com/craftcms/commerce/releases/tag/4.10.1
- github.com/craftcms/commerce/releases/tag/5.5.2
- github.com/craftcms/commerce/security/advisories/GHSA-frj9-9rwc-pw9j
- nvd.nist.gov/vuln/detail/CVE-2026-25482