CVE-2026-25488 is a stored cross-site scripting (XSS) vulnerability identified in Craft Commerce, an ecommerce platform built on Craft CMS. The vulnerability affects versions from 4.0.0-RC1 up to 4.10.0 and from 5.0.0 up to 5.5.1. The root cause is the improper neutralization of input in the Tax Categories fields (Name and Description) within the Store Management section. Specifically, these fields are not properly sanitized before being rendered in the administrative interface, allowing an attacker to inject malicious JavaScript code. When an administrator views these fields in the backend, the malicious script executes in their browser context. This can lead to session hijacking, theft of credentials, or unauthorized actions performed with the administrator's privileges. The vulnerability requires the attacker to have the ability to submit crafted input into the Tax Categories fields, which may require some level of access or social engineering to achieve. The CVSS v4.0 score of 6.1 reflects a medium severity, considering the network attack vector, low attack complexity, no privileges required for the attacker to submit input (though the CVSS vector indicates PR:H, meaning high privileges are required, which suggests the attacker must have some elevated access), and user interaction needed (administrator must view the malicious input). The vulnerability has been addressed in Craft Commerce versions 4.10.1 and 5.5.2 by properly sanitizing the input before display. No known exploits have been reported in the wild to date. This vulnerability falls under CWE-79, which covers improper neutralization of input leading to cross-site scripting issues.

For European organizations using Craft Commerce within the affected version ranges, this vulnerability presents a significant risk to the confidentiality and integrity of administrative sessions. Successful exploitation could allow attackers to execute arbitrary JavaScript in the context of an administrator's browser, potentially leading to session hijacking, theft of administrative credentials, or unauthorized modification of ecommerce settings and data. This could disrupt ecommerce operations, lead to data breaches involving customer or transactional data, and damage organizational reputation. Given the administrative context, the availability impact is limited but could be indirect if attackers manipulate configurations or inject further malicious payloads. The risk is heightened in organizations with multiple administrators or where administrative access is shared or less tightly controlled. Since the vulnerability requires an administrator to view the malicious input, organizations with frequent administrative interactions or automated monitoring of tax categories may be more exposed. The medium severity rating reflects that while the vulnerability is serious, exploitation requires some privileges and user interaction, limiting the attack surface somewhat. However, the ecommerce sector in Europe is substantial, and Craft Commerce is used by many businesses, making this a relevant threat. Failure to patch could lead to targeted attacks against high-value ecommerce platforms, especially those handling sensitive customer data or financial transactions.

1. Immediate upgrade to Craft Commerce versions 4.10.1 or 5.5.2, which contain the official patches addressing this vulnerability. 2. Implement strict input validation and sanitization on all user-supplied data, especially in administrative interfaces, to prevent injection of malicious scripts. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the admin panel. 4. Limit administrative access to trusted personnel and enforce multi-factor authentication to reduce the risk of compromised credentials. 5. Regularly audit and monitor tax category inputs and other dynamic fields for suspicious or unexpected content. 6. Educate administrators about the risks of clicking on untrusted links or viewing unverified inputs within the admin interface. 7. Use web application firewalls (WAF) with rules tuned to detect and block XSS payloads targeting the Craft Commerce admin panel. 8. Conduct periodic security assessments and penetration testing focused on the ecommerce platform to identify and remediate similar issues proactively.