CVE-2026-25486: Craft Commerce has Stored XSS in Shipping Methods Name Field Leading to Potential Privilege Escalation

February 2, 2026 (updated February 3, 2026)

A stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Methods Name field in the Store Management section is not properly sanitized before being displayed in the admin panel.

References

github.com/advisories/GHSA-g92v-wpv7-6w22
github.com/craftcms/commerce
github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
github.com/craftcms/commerce/releases/tag/5.5.2
github.com/craftcms/commerce/security/advisories/GHSA-g92v-wpv7-6w22
nvd.nist.gov/vuln/detail/CVE-2026-25486

Code Behaviors & Features

Detect and mitigate CVE-2026-25486 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →