CVE-2026-25486 is a stored cross-site scripting (XSS) vulnerability identified in Craft Commerce, an ecommerce platform built on Craft CMS. The vulnerability affects versions from 5.0.0 up to 5.5.1 and stems from improper neutralization of input in the Shipping Methods Name field within the Store Management section. Specifically, the application fails to adequately sanitize user-supplied input before rendering it in the administrator panel, allowing an attacker to inject malicious JavaScript code. When an administrator views the affected page, the injected script executes in their browser context, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the admin interface. Exploitation requires the attacker to have authenticated access with administrator privileges to input the malicious payload and some level of user interaction (the admin viewing the page). The vulnerability does not require elevated privileges beyond admin access, nor does it affect confidentiality, integrity, or availability of the system directly but compromises the administrator's session and control. The issue was addressed and patched in Craft Commerce version 5.5.2. The CVSS v4.0 score is 6.1 (medium severity), reflecting network attack vector, low attack complexity, no privileges required beyond admin, and user interaction needed. No known exploits have been reported in the wild as of the publication date.

For European organizations using Craft Commerce, this vulnerability poses a risk primarily to the confidentiality and integrity of administrative sessions. Successful exploitation could allow attackers to execute arbitrary JavaScript in the context of an administrator’s browser, potentially leading to theft of session tokens, unauthorized changes to ecommerce configurations, or manipulation of sensitive data such as pricing, shipping methods, or customer information. This could disrupt ecommerce operations, damage brand reputation, and lead to regulatory compliance issues under GDPR if customer data is compromised. Since the vulnerability requires admin-level access to inject the payload, the threat is heightened in environments with weak internal access controls or compromised administrator credentials. The impact is particularly significant for organizations with high-value ecommerce platforms or those handling sensitive customer transactions within Europe.

European organizations should immediately upgrade Craft Commerce installations to version 5.5.2 or later to apply the official patch. In addition, implement strict input validation and sanitization on all user-supplied fields, especially those displayed in administrative interfaces. Enforce the principle of least privilege by restricting administrator access to trusted personnel only and regularly auditing admin accounts for suspicious activity. Employ multi-factor authentication (MFA) for all administrative users to reduce the risk of credential compromise. Monitor logs for unusual input patterns or repeated attempts to inject scripts. Consider deploying Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in admin browsers. Regularly train administrators on phishing and social engineering risks to prevent credential theft that could facilitate exploitation.