CVE-2026-25522

4.8 MEDIUM

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability in Craft Commerce allows attackers to inject malicious JavaScript into Shipping Zone fields. When administrators view these fields in the admin panel, the malicious code executes in their browsers. This affects Craft Commerce versions 4.0.0-RC1 through 4.10.0 and versions 5.0.0 through 5.5.1.

💻 Affected Systems

Products:
  • Craft Commerce
Versions: 4.0.0-RC1 to 4.10.0 and 5.0.0 to 5.5.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Craft Commerce is a Craft CMS plugin, so only Craft CMS installations with the plugin are affected. Exploitation requires an account that can create or edit shipping zones (an admin, or a user granted Commerce's shipping-management permission); the payload then fires in the browser of any admin who opens the affected zone fields.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A lower-privileged user who can edit shipping zones could run script as a full administrator: create or elevate accounts, change settings, install plugins, or use the admin's browser as a foothold for deeper compromise of the store.

🟠 Likely Case

An attacker who can create or modify shipping zones plants a payload that executes whenever an administrator views the zone in the control panel. Because admin session cookies are typically HttpOnly, the realistic outcome is the script issuing requests with the victim's session (for example, granting the attacker's account extra permissions) rather than exfiltrating the cookie itself.

🟢 If Mitigated

With output encoding applied when the field is rendered (and, as defence in depth, validation that rejects markup on save), the stored payload is shown as literal text in the admin panel rather than executed as script.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to modify shipping zones. The vulnerability is straightforward to exploit once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.10.1 or 5.5.2

Vendor Advisory: https://github.com/craftcms/commerce/security/advisories/GHSA-h9r9-2pxg-cx9m

Restart Required: No

Instructions:

1. Identify your Craft Commerce version.
2. If using version 4.x, upgrade to 4.10.1 or later.
3. If using version 5.x, upgrade to 5.5.2 or later.
4. Update via Composer: composer update craftcms/commerce (add -W if Composer reports dependency conflicts).
5. Run php craft up to apply any pending migrations, then clear caches with php craft clear-caches/all if the control panel still shows the old version.

🔧 Temporary Workarounds

Input Validation Filter

Add server-side validation that rejects, or at minimum HTML-escapes, the Shipping Zone Name and Description fields before they are stored. This limits what an attacker can persist but does not replace the fix: the vulnerable code path is the rendering of these fields in the admin panel, so escaping on output is what the patch restores. Treat the filter as a stopgap until the upgrade is applied.

🧯 If You Can't Patch

  • Restrict access to shipping zone management to only essential administrators
  • Implement Content Security Policy (CSP) headers to restrict script execution

🔍 How to Verify

Check if Vulnerable:

Check the Craft Commerce version under Settings → Plugins in the control panel, or from the project root with composer show craftcms/commerce. The installed version in composer.lock is authoritative; the constraint in composer.json is not.

Check Version:

composer show craftcms/commerce | grep versions

Verify Fix Applied:

Confirm the installed version is 4.10.1+ (4.x) or 5.5.2+ (5.x). Then, in a test environment, save a shipping zone whose name contains a harmless marker such as <b>test</b> and open the shipping zone listing and edit form as an admin: the marker must appear literally (no bold text, no script execution). Remove the test zone afterwards.
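The version comparison is the error-prone part of the check above: "4.0.0-RC1" sorts before "4.0.0", and "4.10.0" sorts after "4.9.x". The script below, an added example rather than tooling from Craft or the advisory, reads craftcms/commerce out of a composer.lock document and tests it against the affected ranges stated on this page. The sample lock content is constructed for the demonstration; version strings Composer cannot map to a number (such as dev-main branch aliases) raise an error rather than being guessed at.

```python
"""Decide whether an installed craftcms/commerce version lies in the ranges
named in this advisory: 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1.
Added example; not Craft's or the advisory's own tooling."""
import json
import re
from typing import Optional, Tuple

# Affected ranges from the advisory, inclusive at both ends, and the fixed
# release for each major line.
AFFECTED_RANGES = (("4.0.0-RC1", "4.10.0"), ("5.0.0", "5.5.1"))
FIXED_VERSIONS = {4: "4.10.1", 5: "5.5.2"}

_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:[-.]?(dev|alpha|beta|rc)\.?(\d*))?$", re.IGNORECASE
)
# Composer orders dev < alpha < beta < RC < final release.
_PRE_ORDER = {"dev": 0, "alpha": 1, "beta": 2, "rc": 3}
_FINAL = 9  # sentinel that sorts after every pre-release tag


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn '4.0.0-RC1' into a tuple that sorts the way Composer does."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, pre, pre_num = m.groups()
    if pre is None:
        return (int(major), int(minor), int(patch), _FINAL, 0)
    return (int(major), int(minor), int(patch), _PRE_ORDER[pre.lower()],
            int(pre_num) if pre_num else 0)


def is_affected(version: str) -> bool:
    """True if version falls inside any advisory range (inclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def installed_commerce_version(composer_lock_json: str) -> Optional[str]:
    """Read the installed craftcms/commerce version from composer.lock."""
    lock = json.loads(composer_lock_json)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "craftcms/commerce":
            return pkg.get("version")
    return None


def assess(composer_lock_json: str) -> str:
    version = installed_commerce_version(composer_lock_json)
    if version is None:
        return "craftcms/commerce not present in composer.lock"
    if is_affected(version):
        major = parse_version(version)[0]
        return (f"VULNERABLE: craftcms/commerce {version}; "
                f"upgrade to {FIXED_VERSIONS[major]} or later")
    return f"not affected: craftcms/commerce {version}"


# Constructed sample lock file, trimmed to the packages that matter here.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "4.9.3"},
    {"name": "craftcms/commerce", "version": "4.9.2"},
]})

if __name__ == "__main__":
    # Real use: print(assess(open("composer.lock").read()))
    print(assess(SAMPLE_LOCK))
```

Note that a 5.0.0 pre-release (for example 5.0.0-beta.1) sorts before 5.0.0 and therefore falls outside the literal range the advisory gives; if you run such a build, treat it as affected and upgrade anyway.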

📡 Detection & Monitoring

Log Indicators:

  • Unusual shipping zone modifications
  • Administrator account performing unexpected actions

Network Indicators:

  • Suspicious outbound connections from admin panel sessions

SIEM Query:

Search for shipping zone creation/modification events, particularly ones whose submitted name or description contains markup, followed within the same hour by sensitive admin activity (new admin users, permission changes, plugin installs) performed by a different account than the one that edited the zone.
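Craft does not ship an audit log of shipping zone edits, so the correlation described above has to be built on whatever event feed you have (a control-panel hook, a reverse proxy, or request logs). The script below is an added example, not part of Craft or this advisory: it implements the two rules from the SIEM query over a constructed, hypothetical tab-separated audit feed (timestamp, actor, event name, detail), flagging zone saves that carry markup and sensitive admin actions that follow another user's zone edit within an hour. The event names and the feed format are assumptions; map them to your own source.

```python
"""Detection logic for the SIEM query above. Added example; the audit feed
format and event names are hypothetical, not a Craft log format."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

# Constructed audit feed: timestamp, actor, event, detail (tab-separated).
CONSTRUCTED_AUDIT_LOG = """\
2026-02-10T09:14:02Z\tshipping_editor\tcommerce.shippingzone.save\tname=EU West
2026-02-10T09:16:40Z\tshipping_editor\tcommerce.shippingzone.save\tname=<img src=x onerror=alert(1)>
2026-02-10T09:20:11Z\tadmin\tcp.shippingzones.view\t-
2026-02-10T09:21:05Z\tadmin\tusers.save\tuser=new_admin admin=1
2026-02-10T09:21:30Z\tadmin\tusers.permissions\tuser=shipping_editor admin=1
2026-02-11T14:00:00Z\tadmin\tusers.save\tuser=contractor admin=0
"""

ZONE_SAVE_EVENT = "commerce.shippingzone.save"   # assumed event name
SENSITIVE_EVENTS = {"users.save", "users.permissions"}  # assumed event names
WINDOW = timedelta(hours=1)
# Heuristic for markup in a field that should only ever hold a plain name.
HTML_PAYLOAD_RE = re.compile(r"<\s*/?[a-z!]|javascript:|\bon[a-z]+\s*=", re.I)


@dataclass
class Event:
    ts: datetime
    actor: str
    event: str
    detail: str


@dataclass
class Finding:
    rule: str
    ts: datetime
    actor: str
    detail: str


def parse_audit_log(text: str) -> List[Event]:
    """Parse the tab-separated feed into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, event, detail = line.split("\t", 3)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(when, actor, event, detail))
    return sorted(events, key=lambda e: e.ts)


def detect(events: List[Event]) -> List[Finding]:
    findings: List[Finding] = []
    zone_saves = [e for e in events if e.event == ZONE_SAVE_EVENT]

    # Rule 1: markup submitted in a shipping zone field.
    for e in zone_saves:
        name = e.detail.partition("name=")[2]
        if HTML_PAYLOAD_RE.search(name):
            findings.append(Finding("html_in_shipping_zone_field", e.ts, e.actor, name))

    # Rule 2: sensitive admin action shortly after someone else edited a zone.
    for e in events:
        if e.event not in SENSITIVE_EVENTS:
            continue
        prior = [z for z in zone_saves
                 if z.actor != e.actor and timedelta(0) <= e.ts - z.ts <= WINDOW]
        if prior:
            last = prior[-1]
            findings.append(Finding(
                "admin_action_after_zone_edit", e.ts, e.actor,
                f"{e.event} {e.detail}; zone edited by {last.actor} at {last.ts.isoformat()}"))
    return findings


if __name__ == "__main__":
    for f in detect(parse_audit_log(CONSTRUCTED_AUDIT_LOG)):
        print(f"{f.ts.isoformat()} {f.rule:32} {f.actor:16} {f.detail}")
```

Rule 2 fires on any sensitive action after another user's zone edit, so expect noise in busy stores; raise its priority when Rule 1 also matched the same zone, or when the acting admin's permission change benefits the account that edited the zone, as in the constructed sample.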
