CVE-2026-25490: Craft Commerce has Stored XSS in Inventory Location Address Leading to Potential Privilege Escalation

February 2, 2026 (updated February 3, 2026)

A stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the ‘Address Line 1’ field in Inventory Locations is not properly sanitized before being displayed in the admin panel.

References

github.com/advisories/GHSA-wq2m-r96q-crrf
github.com/craftcms/commerce
github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
github.com/craftcms/commerce/releases/tag/4.10.1
github.com/craftcms/commerce/releases/tag/5.5.2
github.com/craftcms/commerce/security/advisories/GHSA-wq2m-r96q-crrf
nvd.nist.gov/vuln/detail/CVE-2026-25490

Code Behaviors & Features

Detect and mitigate CVE-2026-25490 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →