CVE-2026-25488: Craft Commerce has Stored XSS in Tax Categories (Name & Description) Fields Leading to Potential Privilege Escalation
A stored cross-site scripting (XSS) vulnerability in Craft Commerce allows an attacker to execute JavaScript in an administrator's browser. The Name and Description fields of Tax Categories in the Store Management section are not properly sanitized before being displayed in the admin panel, so a script saved in either field runs whenever an administrator views it, which can lead to privilege escalation.
References
- github.com/advisories/GHSA-p6w8-q63m-72c8
- github.com/craftcms/commerce
- github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
- github.com/craftcms/commerce/releases/tag/4.10.1
- github.com/craftcms/commerce/releases/tag/5.5.2
- github.com/craftcms/commerce/security/advisories/GHSA-p6w8-q63m-72c8
- nvd.nist.gov/vuln/detail/CVE-2026-25488