CVE-2026-25489: Craft Commerce Stored XSS Vulnerability

CVE-2026-25489 Overview

CVE-2026-25489 is a stored Cross-Site Scripting (XSS) vulnerability affecting Craft Commerce, the ecommerce platform for Craft CMS. This vulnerability allows attackers to execute malicious JavaScript code in an administrator's browser by exploiting improper sanitization of the Name and Description fields within Tax Zones functionality in the admin panel.

Critical Impact

Attackers with access to Tax Zone configuration can inject persistent malicious scripts that execute whenever administrators view the affected Tax Zone entries, potentially leading to session hijacking, credential theft, or unauthorized administrative actions.

Affected Products

• Craft Commerce versions 4.0.0-RC1 through 4.10.0
• Craft Commerce versions 5.0.0 through 5.5.1

Discovery Timeline

• February 3, 2026 - CVE-2026-25489 published to NVD
• February 4, 2026 - Last updated in NVD database

Technical Details for CVE-2026-25489

Vulnerability Analysis

This stored XSS vulnerability exists due to insufficient input sanitization in the Craft Commerce admin panel. When administrators create or modify Tax Zones, the Name and Description fields accept user input that is stored in the database and later rendered in the admin interface without proper encoding or escaping. This allows an attacker to inject malicious JavaScript that persists in the application and executes in the context of any administrator who subsequently views the affected Tax Zone configuration.

The attack requires authenticated access with privileges to modify Tax Zone settings. Once the malicious payload is stored, it executes automatically when the vulnerable page is loaded by any administrator, making this a particularly dangerous variant of XSS as the payload persists across sessions.

Root Cause

The root cause of CVE-2026-25489 is improper output encoding (CWE-79). The application fails to properly sanitize or encode user-supplied input in the Name and Description fields of Tax Zones before rendering this content in the admin panel HTML. This allows HTML and JavaScript content to be interpreted by the browser rather than being displayed as plain text.

Attack Vector

The attack vector for this vulnerability is network-based, requiring the attacker to have authenticated access to the Craft Commerce admin panel with sufficient privileges to create or modify Tax Zones. The attack flow involves:

1. An attacker with Tax Zone management privileges accesses the admin panel
2. The attacker creates or modifies a Tax Zone entry, injecting malicious JavaScript in the Name or Description field
3. The payload is stored in the application database
4. When any administrator navigates to view Tax Zones, the malicious script executes in their browser context
5. The script can then perform actions on behalf of the administrator, steal session tokens, or redirect to malicious sites

The vulnerability mechanism involves improper handling of user input in the Tax Zone form fields. When an administrator views the Tax Zones configuration page, the stored malicious content is rendered directly into the HTML without proper escaping, allowing the injected JavaScript to execute. See the GitHub Security Advisory for complete technical details.

Detection Methods for CVE-2026-25489

Indicators of Compromise

• Unusual JavaScript code or HTML tags present in Tax Zone Name or Description fields in the database
• Unexpected script execution or browser behavior when administrators access Tax Zone configuration pages
• Audit log entries showing modifications to Tax Zones with suspicious content patterns
• Reports from administrators of unexpected redirects or pop-ups when viewing the admin panel

Detection Strategies

• Implement Content Security Policy (CSP) headers to detect and block inline script execution attempts
• Monitor application logs for requests containing common XSS payload patterns targeting Tax Zone endpoints
• Deploy Web Application Firewall (WAF) rules to detect XSS injection attempts in form submissions
• Conduct regular database audits to identify stored payloads in Tax Zone records

Monitoring Recommendations

• Enable detailed logging for all administrative actions, particularly changes to Tax Zones
• Configure real-time alerting for database modifications to Tax Zone tables containing script tags or event handlers
• Implement browser-based XSS auditing tools for administrator sessions
• Review CSP violation reports regularly to identify potential exploitation attempts

How to Mitigate CVE-2026-25489

Immediate Actions Required

• Update Craft Commerce version 4.x installations to version 4.10.1 or later immediately
• Update Craft Commerce version 5.x installations to version 5.5.2 or later immediately
• Review existing Tax Zone entries for any suspicious or malicious content
• Audit administrator activity logs for unauthorized Tax Zone modifications

Patch Information

Craft CMS has released patched versions that address this vulnerability by implementing proper output encoding for Tax Zone fields. The fix is available in:

• Craft Commerce v4.10.1 for the 4.x branch
• Craft Commerce v5.5.2 for the 5.x branch

The security fix can be reviewed in the commit fa273330807807d05b564d37c88654cd772839ee. For additional details, refer to the GitHub Security Advisory GHSA-v585-mf6r-rqrc.

Workarounds

• Restrict Tax Zone management privileges to only essential personnel until patches are applied
• Implement strict Content Security Policy (CSP) headers to mitigate the impact of stored XSS
• Manually review and sanitize any existing Tax Zone entries for malicious content
• Consider temporarily disabling Tax Zone editing functionality if immediate patching is not possible

# Update Craft Commerce via Composer
# For version 4.x users:
composer require craftcms/commerce:^4.10.1 --update-with-dependencies

# For version 5.x users:
composer require craftcms/commerce:^5.5.2 --update-with-dependencies

# After updating, clear caches
./craft clear-caches/all