CVE-2026-25485 is a stored Cross-Site Scripting (XSS) vulnerability identified in Craft Commerce, an ecommerce platform built on Craft CMS. The vulnerability affects versions from 4.0.0-RC1 up to 4.10.0 and 5.0.0 up to 5.5.1. It stems from improper neutralization of input in the Shipping Categories fields — specifically the 'Name' and 'Description' fields within the Store Management section of the admin panel. These fields do not properly sanitize user-supplied input before rendering it in the administrator interface, allowing an attacker to inject malicious JavaScript code. When an administrator views the affected page, the malicious script executes in their browser context. This can lead to session hijacking, privilege escalation, or other malicious activities performed with administrator privileges. The vulnerability requires the attacker to have the ability to submit crafted input to the Shipping Categories fields, which may require some level of access or exploitation of other weaknesses to achieve. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:H indicates high privileges required, but the vector states PR:H, so some privileges are needed), user interaction required (UI:P), and scope and impact are high (SI:H). The vulnerability has been addressed in Craft Commerce versions 4.10.1 and 5.5.2 by properly sanitizing the input fields to prevent script injection. No public exploits have been reported to date, but the presence of stored XSS in an administrative interface makes this a significant risk if left unpatched.

For European organizations using Craft Commerce versions prior to 4.10.1 or 5.5.2, this vulnerability poses a risk of administrative account compromise through stored XSS attacks. Successful exploitation could allow attackers to execute arbitrary JavaScript in the context of an administrator's browser, potentially leading to theft of session cookies, unauthorized actions within the ecommerce platform, or pivoting to other internal systems. This can result in data breaches, manipulation of ecommerce transactions, or disruption of business operations. Given the ecommerce context, impacts may include financial fraud, reputational damage, and regulatory non-compliance under GDPR if customer data is exposed or integrity is compromised. The requirement for user interaction (administrator viewing the malicious content) limits the attack surface but does not eliminate risk, especially in environments where multiple administrators access the system regularly. The medium severity rating reflects a moderate but tangible threat to confidentiality and integrity, with no direct impact on availability.

European organizations should immediately verify their Craft Commerce version and upgrade to 4.10.1 or 5.5.2 or later to apply the official patch that sanitizes the Shipping Categories input fields. Until patched, restrict administrative access to trusted personnel and networks to reduce exposure. Implement Content Security Policy (CSP) headers to limit the impact of injected scripts. Conduct regular input validation and sanitization reviews for all user-supplied data in the ecommerce platform. Monitor administrative activity logs for unusual behavior that might indicate exploitation attempts. Educate administrators about the risks of clicking on untrusted links or viewing unverified input in the admin panel. Consider deploying web application firewalls (WAFs) with rules to detect and block common XSS payloads targeting Craft Commerce. Finally, maintain an incident response plan to quickly address any suspected compromise stemming from this vulnerability.