CVE-2026-25487: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in craftcms commerce
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
AI Analysis
Technical Summary
CVE-2026-25487 is a stored Cross-site Scripting (XSS) vulnerability classified under CWE-79, found in Craft Commerce, an ecommerce platform integrated with Craft CMS. The vulnerability exists in versions from 4.0.0-RC1 up to 4.10.0 and 5.0.0 up to 5.5.1, where the Tax Rates 'Name' field in the Store Management section is not properly sanitized before rendering in the administrative interface. This improper neutralization of input allows an attacker to inject malicious JavaScript code that is stored persistently and executed when an administrator views the affected page. The attack vector is remote and network-based, requiring no authentication but necessitating that an administrator interacts with the malicious input, typically by viewing or managing tax rate entries. The CVSS 4.0 vector indicates low attack complexity and no privileges required, but user interaction is necessary. The vulnerability does not impact confidentiality, integrity, or availability directly but can lead to session hijacking, credential theft, or unauthorized actions performed with administrative privileges, thereby escalating the attacker's control within the system. The issue was addressed in patched versions 4.10.1 and 5.5.2 by properly sanitizing the input fields to prevent script injection. No known exploits have been reported in the wild as of the publication date.
Potential Impact
For European organizations using Craft Commerce within the affected version ranges, this vulnerability poses a significant risk to administrative account security and overall platform integrity. Successful exploitation could allow attackers to execute arbitrary JavaScript in the context of an administrator's browser, potentially leading to session hijacking, theft of sensitive credentials, or unauthorized administrative actions. This can compromise the ecommerce platform's security, leading to data breaches, manipulation of store configurations, or fraudulent transactions. Given the administrative nature of the affected interface, the impact could extend to the entire ecommerce operation, affecting customer data and business continuity. Organizations in sectors with strict data protection regulations, such as GDPR, may face compliance risks and reputational damage if exploited. The requirement for user interaction limits automated exploitation but does not eliminate risk, especially in environments with multiple administrators or where phishing/social engineering could be used to lure admins to malicious inputs.
Mitigation Recommendations
European organizations should immediately upgrade Craft Commerce installations to versions 4.10.1 or 5.5.2 or later to apply the official patches. Beyond patching, implement strict input validation and sanitization on all user-supplied data fields, especially those rendered in administrative interfaces. Deploy Content Security Policies (CSP) to restrict execution of unauthorized scripts within the admin panel. Limit administrative access to trusted personnel and enforce multi-factor authentication to reduce the risk of compromised credentials. Regularly audit tax rate entries and other input fields for suspicious content. Educate administrators about the risks of interacting with untrusted inputs and implement monitoring to detect anomalous admin panel activities. Consider isolating the admin interface behind VPNs or IP whitelisting to reduce exposure. Finally, maintain up-to-date backups and incident response plans to quickly recover from potential compromises.
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-02T16:31:35.822Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69823eb4f9fa50a62fd8cea3
Added to database: 2/3/2026, 6:30:12 PM
Last enriched: 2/3/2026, 6:45:42 PM
Last updated: 2/7/2026, 12:44:23 AM