CVE-2026-25484: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in craftcms commerce
CVE-2026-25484 is a stored cross-site scripting (XSS) vulnerability in Craft Commerce versions 4.0.0-RC1 to 4.10.0 and 5.0.0 to 5.5.1. The vulnerability arises because product type names are not HTML-escaped when displayed in the CMS user permissions settings, so a name containing markup is stored as entered and executed as script in the browser of whoever views that page.
AI Analysis
Technical Summary
CVE-2026-25484 is a stored cross-site scripting vulnerability (CWE-79) in Craft Commerce, the ecommerce plugin for Craft CMS. Affected versions are 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1. The root cause is improper neutralization of input during web page generation: product type names entered in Commerce settings are rendered into the Craft control panel's user permissions interface without being HTML-escaped, so a name containing markup is interpreted as HTML rather than displayed as text. An attacker who already holds a control-panel account permitted to create or edit product types can store a JavaScript payload in a product type name; it runs in the browser of any user who later opens the affected user or user-group permissions page, with that user's session and privileges. Exploitation therefore has two preconditions: privileged access to plant the payload, and a victim viewing the permissions page. The analysis records a CVSS 4.0 vector with network attack vector, low attack complexity and user interaction required, and no direct impact on the vulnerable system's confidentiality, integrity or availability; the effect lands in the victim's browser session, which CVSS 4.0 scores as subsequent-system impact. Note that the "no privileges required" component of that vector describes triggering the stored payload, not planting it, which requires a Commerce settings permission. No exploitation in the wild had been reported at publication. The issue is fixed in Craft Commerce 4.10.1 and 5.5.2, which escape product type names when rendering them in user permissions settings.
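The rendering defect and its fix, as an added example that is not Craft's code (the real control panel is rendered with Twig and PHP): the same permission checkboxes built once by splicing the stored name into the markup and once with render-time escaping, plus a parser-based check that reports what a browser would actually treat as tags. The product type records, the two payload names and the permission key prefix are constructed for this example and do not come from the advisory.

```python
import html
from html.parser import HTMLParser

# Constructed product type records standing in for what Commerce stores.
# The last two names are attacker-supplied payloads written for this
# example; they are not taken from the advisory.
PRODUCT_TYPES = [
    {"handle": "clothing", "name": "Clothing"},
    {"handle": "food", "name": "Food & Drink"},
    {"handle": "gifts", "name": '<img src=x onerror="alert(document.cookie)">'},
    {"handle": "cards", "name": 'Cards" onmouseover="alert(1)'},
]

# Illustrative permission key; the real Commerce permission handle is not
# reproduced here.
PERMISSION_PREFIX = "manageProductType:"


def render_permissions_vulnerable(product_types):
    """Splices the stored name straight into the markup, both into an
    attribute and into a text node. This is the behaviour the advisory
    describes: a name containing markup is interpreted as HTML."""
    rows = []
    for pt in product_types:
        rows.append(
            f'<label title="Manage {pt["name"]} products">'
            f'<input type="checkbox" name="permissions[]" '
            f'value="{PERMISSION_PREFIX}{pt["handle"]}"> '
            f'{pt["name"]}</label>'
        )
    return "\n".join(rows)


def render_permissions_fixed(product_types):
    """Same markup, but every stored value is HTML-escaped at render time.
    quote=True is what makes the attribute context safe; escaping only
    < and > would still let the "Cards" payload close the title attribute."""
    rows = []
    for pt in product_types:
        name = html.escape(pt["name"], quote=True)
        handle = html.escape(pt["handle"], quote=True)
        rows.append(
            f'<label title="Manage {name} products">'
            f'<input type="checkbox" name="permissions[]" '
            f'value="{PERMISSION_PREFIX}{handle}"> '
            f'{name}</label>'
        )
    return "\n".join(rows)


class _TagCollector(HTMLParser):
    """Records every start tag and event-handler attribute the parser
    sees, i.e. what a browser would treat as markup rather than text."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.event_attrs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.event_attrs.extend(a for a, _ in attrs if a.lower().startswith("on"))


def parsed_markup(markup):
    """Returns (tag names, event-handler attribute names) found in markup."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags, p.event_attrs


def is_safe_rendering(markup, allowed_tags=("label", "input")):
    """True when the only tags present are the template's own and no inline
    event handler survived. Checking the parsed result rather than the raw
    string avoids false positives: the escaped output still contains the
    characters 'onmouseover=' as plain text, which is harmless."""
    tags, events = parsed_markup(markup)
    return all(t in allowed_tags for t in tags) and not events


if __name__ == "__main__":
    print(render_permissions_vulnerable(PRODUCT_TYPES))
    print(is_safe_rendering(render_permissions_vulnerable(PRODUCT_TYPES)))  # False
    print(is_safe_rendering(render_permissions_fixed(PRODUCT_TYPES)))       # True
```

Two things worth noticing in the output: the text-node payload becomes a real <img> with an onerror handler in the vulnerable rendering, and the attribute payload does not need angle brackets at all, which is why escaping must cover quotes and be applied for the context the value lands in, not just strip tags on the way into the database.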
Potential Impact
For European organizations running an affected Craft Commerce version, the exposed population is small but valuable: control-panel users who manage product types and those who edit user or user-group permissions. A payload running in an administrator's control-panel session can act as that administrator: it can read everything on the page and issue authenticated requests to the control panel (CSRF protection does not help, because the script runs inside the legitimate origin and can read the token), and so create or elevate accounts, change settings or alter the storefront. Outright session hijacking by cookie theft depends on cookie flags and may be blocked where the session cookie is HttpOnly, but the script does not need the cookie to do damage. The practical escalation path is from a lower-privileged account with Commerce settings access to a full administrator who later opens the permissions page. The vulnerability does not by itself expose backend data or affect availability; its severity comes from where the script runs. Ecommerce platforms are critical to business operations and reputation, so even a medium-severity XSS can have an outsized effect: disrupted ecommerce management, loss of customer trust and exposure of administrative credentials or tokens entered or displayed in the control panel. No exploitation in the wild had been reported, but a public CVE with an available patch tends to attract exploitation attempts, and the preconditions (an insider or a compromised account with Commerce settings access) are not exotic.
Mitigation Recommendations
European organizations should upgrade Craft Commerce to 4.10.1 or later on the 4.x line, or 5.5.2 or later on 5.x; the fix escapes product type names when rendering the permissions settings. Check the installed version with `composer show craftcms/commerce` or from composer.lock. Until the upgrade is done, reduce the set of users who can create or edit product types to the trusted administrators who need it, and treat that permission as equivalent to admin. Audit existing product type names for markup (`<`, `>`, quotes, `javascript:`, `on...=` attributes): because the fix is applied at render time, a payload stored before the upgrade remains in the database, and finding one after upgrading is evidence of an attempt that should be investigated rather than just deleted. Consider a Content Security Policy for the control panel, but roll it out in report-only mode first; control-panel pages typically rely on inline scripts, and a blocking policy deployed untested will break the admin UI. A WAF rule set for common XSS payloads adds a layer, with the caveat that this payload arrives through an authenticated settings form, so the WAF must inspect control-panel POSTs and will miss payloads that avoid the obvious signatures. Remind administrators that the trigger is simply opening the permissions page while a payload is stored, not clicking an external link, so awareness is no substitute for patching. Review logs for product type creation or edits by unexpected accounts and for permissions-page access that follows them. Finally, include CMS plugins in routine vulnerability scanning and penetration testing to catch similar issues before an advisory does.
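The two checks above (is the installed version in an affected range, and do any stored product type names contain markup) as an added example in Python that is not part of the advisory or of the Craft project. It assumes the installed version can be read from the `craftcms/commerce` entry of composer.lock, which holds for Composer-managed Craft installs, and takes product type names as a plain list so they can come from whatever database export is convenient. The composer.lock fragment and the product type names are constructed for the example.

```python
import json
import re

# Prerelease tags sort before the final release, so 4.0.0-RC1 < 4.0.0.
_PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_RELEASE_RANK = 3


def parse_version(version):
    """Turns '4.0.0-RC1', 'v5.5.2' or '4.10.0' into a comparable tuple:
    (major, minor, patch, prerelease rank, prerelease number)."""
    v = version.strip().lstrip("vV")
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d*))?", v)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4) is None:
        return (major, minor, patch, _RELEASE_RANK, 0)
    tag = m.group(4).lower()
    if tag not in _PRERELEASE_RANK:
        raise ValueError(f"unknown prerelease tag in {version!r}")
    return (major, minor, patch, _PRERELEASE_RANK[tag], int(m.group(5) or 0))


# Inclusive affected ranges taken from the advisory text above.
AFFECTED_RANGES = [
    (parse_version("4.0.0-RC1"), parse_version("4.10.0")),
    (parse_version("5.0.0"), parse_version("5.5.1")),
]


def is_affected(version):
    """True when the given Craft Commerce version falls in an affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def commerce_version_from_lock(lock_text):
    """Reads the installed craftcms/commerce version out of composer.lock
    (the 'packages' array; dev-only packages live in 'packages-dev')."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "craftcms/commerce":
            return pkg["version"]
    return None


# Characters and fragments that have no business in a product type name.
# '&' is deliberately not flagged: names like "Food & Drink" are normal.
_MARKUP_SIGNS = re.compile(r"[<>]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def suspicious_product_type_names(names):
    """Returns the names that look like stored markup or event handlers.
    Any hit on an upgraded install is evidence of an earlier attempt and
    should be investigated, not silently renamed."""
    return [n for n in names if _MARKUP_SIGNS.search(n)]


# Constructed composer.lock fragment; the version numbers are illustrative.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "4.14.0"},
        {"name": "craftcms/commerce", "version": "4.9.2"},
    ]
})

# Constructed product type names; the last two are example payloads.
SAMPLE_NAMES = [
    "Clothing",
    "Food & Drink",
    "Add-on Services",
    "<img src=x onerror=alert(1)>",
    'Cards" onmouseover="alert(1)',
]


if __name__ == "__main__":
    installed = commerce_version_from_lock(SAMPLE_LOCK)
    print(f"craftcms/commerce {installed}: affected={is_affected(installed)}")
    for name in suspicious_product_type_names(SAMPLE_NAMES):
        print("suspicious product type name:", repr(name))
```

The prerelease handling matters for the lower bound: the advisory starts the affected 4.x range at 4.0.0-RC1, so an earlier beta build would not be counted, and a naive string comparison would get "4.0.0-RC1" versus "4.0.0" the wrong way round.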
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-02T16:31:35.821Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69823eb3f9fa50a62fd8ce7a
Added to database: 2/3/2026, 6:30:11 PM
Last enriched: 2/11/2026, 12:00:23 PM
Last updated: 3/25/2026, 3:41:16 AM