6.2

CVE-2026-25482

Exploit

Craft Commerce has Stored DOM XSS in Order Status Name (Reflects in "Recent Orders" Dashboard Widget)

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard. This issue has been patched in versions 4.10.1 and 5.5.2.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
CraftcmsCraft Commerce SwPlatformcraft_cms Version >= 4.0.1 < 4.10.1
CraftcmsCraft Commerce SwPlatformcraft_cms Version >= 5.0.0 < 5.5.2
CraftcmsCraft Commerce Version4.0.0 Update- SwPlatformcraft_cms
CraftcmsCraft Commerce Version4.0.0 Updaterc1 SwPlatformcraft_cms
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.3% 0.218
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.8 1.7 2.7
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com 6.2 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/craftcms/commerce/security/advisories/GHSA-frj9-9rwc-pw9j
Vendor Advisory
Exploit
https://github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935ba65
Patch
https://github.com/craftcms/commerce/releases/tag/4.10.1
Release Notes
https://github.com/craftcms/commerce/releases/tag/5.5.2
Release Notes