CVE-2026-25486 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79 that affects Craft Commerce, an ecommerce platform integrated with Craft CMS. The vulnerability exists in versions from 5.0.0 up to 5.5.1 due to improper neutralization of input in the Shipping Methods Name field within the Store Management section. Specifically, the platform fails to adequately sanitize or encode user-supplied input before rendering it in the administrative interface. This flaw allows an attacker with high privileges—such as a user who can manage shipping methods—to inject malicious JavaScript code that is stored persistently and executed when an administrator views the affected page. The attack vector requires no authentication bypass but does require the attacker to have elevated privileges to input malicious data and an administrator to interact with the compromised interface to trigger the payload. The vulnerability does not impact confidentiality, integrity, or availability directly but can lead to session hijacking, privilege escalation, or further exploitation within the administrative context. The issue was publicly disclosed on February 3, 2026, and patched in version 5.5.2. The CVSS 4.0 score is 6.1 (medium severity), reflecting network attack vector, low attack complexity, no privileges required to trigger the exploit but high privileges to inject, and user interaction needed. No known exploits have been reported in the wild to date.

For European organizations using Craft Commerce versions between 5.0.0 and 5.5.1, this vulnerability poses a significant risk to administrative security. Successful exploitation could allow attackers to execute arbitrary JavaScript in the context of an administrator’s browser, potentially leading to session hijacking, theft of administrative credentials, or unauthorized actions within the ecommerce platform. This can result in unauthorized changes to store configurations, manipulation of shipping methods, or further compromise of the underlying CMS and associated data. Given the administrative scope, the impact on confidentiality and integrity is moderate to high, while availability impact is low. Organizations handling sensitive customer data or financial transactions via Craft Commerce are at increased risk of reputational damage and regulatory non-compliance, especially under GDPR mandates. The absence of known exploits reduces immediate risk but does not eliminate the threat, emphasizing the need for timely patching.

1. Immediately upgrade Craft Commerce installations to version 5.5.2 or later, where the vulnerability is patched. 2. Implement strict input validation and sanitization on all user-supplied data fields, especially those accessible in administrative interfaces. 3. Enforce Content Security Policies (CSP) to restrict execution of unauthorized scripts within the admin panel. 4. Limit administrative privileges strictly to trusted users and regularly audit user roles and permissions. 5. Monitor logs for unusual activity related to shipping methods or administrative interface access. 6. Educate administrators about the risks of interacting with untrusted inputs and encourage cautious behavior when reviewing user-generated content. 7. Consider deploying Web Application Firewalls (WAF) with rules targeting XSS payloads specific to Craft Commerce. 8. Regularly review and update security configurations and perform penetration testing focused on input sanitization weaknesses.