CVE-2026-25489: Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation
A stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel.
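To make the defect concrete, the following is an added example (not Craft Commerce's own code, which is PHP/Twig) that models the vulnerable pattern and its fix in Python: the tax zone record, the unsafe render that concatenates the stored Name and Description straight into admin-panel HTML, the hardened render that escapes both values at output time (the equivalent of Twig's autoescaping or `|e` filter), and a defender's audit that flags stored zones already containing markup. The `TaxZone` class, the sample zones and the function names are assumptions constructed for this illustration; the real mitigation is upgrading to the patched releases listed below.

```python
import html
import re
from dataclasses import dataclass


# Constructed stand-in for a tax zone record; not Craft Commerce's own model.
@dataclass
class TaxZone:
    id: int
    name: str
    description: str


# Constructed sample input: one zone whose free-text fields carry markup,
# one ordinary zone for comparison.
SAMPLE_ZONE = TaxZone(
    id=1,
    name="EU <script>alert(1)</script>",
    description='Standard rate <img src=x onerror="alert(2)">',
)
CLEAN_ZONE = TaxZone(id=2, name="United Kingdom", description="VAT 20%")


def render_row_unsafe(zone: TaxZone) -> str:
    """Vulnerable pattern: stored values are interpolated into the admin
    table row unescaped, so any tag inside them is parsed by the admin's
    browser as HTML rather than shown as text."""
    return f"<tr><td>{zone.name}</td><td>{zone.description}</td></tr>"


def render_row_safe(zone: TaxZone) -> str:
    """Hardened pattern: every untrusted value is HTML-escaped at the point
    of output; quote=True also escapes quotes so the value is safe inside
    attributes as well as element bodies."""
    return (
        f"<tr><td>{html.escape(zone.name, quote=True)}</td>"
        f"<td>{html.escape(zone.description, quote=True)}</td></tr>"
    )


# Any tag in a plain-text Name/Description field is unexpected.
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")

# In the rendered row only <tr>/<td> (and their closing tags) are legitimate.
_UNEXPECTED_TAG_RE = re.compile(r"<(?!/?(?:tr|td)\b)[a-zA-Z]", re.IGNORECASE)


def find_suspicious_zones(zones) -> list:
    """Defender's audit: return (zone id, field) pairs for stored zones whose
    Name or Description already contains markup, e.g. to review a database
    after a suspected abuse or before rolling out the patched release."""
    flagged = []
    for zone in zones:
        for field_name in ("name", "description"):
            if _TAG_RE.search(getattr(zone, field_name)):
                flagged.append((zone.id, field_name))
    return flagged


def contains_unexpected_tag(rendered: str) -> bool:
    """True if the rendered row still carries a raw tag from the field values,
    i.e. the output was not escaped."""
    return bool(_UNEXPECTED_TAG_RE.search(rendered))


if __name__ == "__main__":
    print("unsafe :", render_row_unsafe(SAMPLE_ZONE))
    print("safe   :", render_row_safe(SAMPLE_ZONE))
    print("flagged:", find_suspicious_zones([SAMPLE_ZONE, CLEAN_ZONE]))
```

Escaping at output time, rather than stripping tags on input, is the durable fix: the stored value is preserved as the user typed it, while every place that displays it decides for itself how to encode it for the context (element body, attribute, URL). The audit function is useful on its own after patching, since records written before the fix remain in the database and any previously injected content is still worth reviewing.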
References
- github.com/advisories/GHSA-v585-mf6r-rqrc
- github.com/craftcms/commerce
- github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
- github.com/craftcms/commerce/releases/tag/4.10.1
- github.com/craftcms/commerce/releases/tag/5.5.2
- github.com/craftcms/commerce/security/advisories/GHSA-v585-mf6r-rqrc
- nvd.nist.gov/vuln/detail/CVE-2026-25489