CVE-2026-25489 is a stored cross-site scripting vulnerability in Craft Commerce, an ecommerce platform built on Craft CMS. The vulnerability exists because the application fails to properly neutralize input in the Name and Description fields of Tax Zones before rendering them in the administrative interface. Specifically, malicious JavaScript code injected into these fields is stored on the server and executed in the context of an administrator's browser when they access the relevant admin pages. This stored XSS can be exploited by an attacker who can submit crafted input to these fields, potentially through lower-privileged accounts or via supply chain compromise, although the CVSS vector indicates high privileges are required to exploit. The impact includes the ability to hijack administrator sessions, steal sensitive cookies or tokens, perform unauthorized actions on behalf of the admin, or pivot further into the system. The vulnerability affects Craft Commerce versions from 4.0.0-RC1 up to but not including 4.10.1, and from 5.0.0 up to but not including 5.5.2. The issue was addressed by proper input sanitization and output encoding in the patched versions. No known exploits in the wild have been reported as of the publication date. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N) indicates a network attack vector with low complexity, no attack prerequisites, but requiring high privileges and user interaction, with a medium overall severity score of 6.1.

For European organizations using Craft Commerce, this vulnerability poses a risk primarily to the confidentiality and integrity of administrative accounts and ecommerce platform data. Successful exploitation could allow attackers to execute arbitrary JavaScript in the admin's browser, leading to session hijacking, theft of sensitive credentials, unauthorized modification of ecommerce settings, or insertion of malicious content affecting customers. This could result in financial losses, reputational damage, and regulatory compliance issues under GDPR due to potential data breaches. Since the vulnerability requires administrator privileges and user interaction, the risk is somewhat mitigated but remains significant in environments where multiple users have admin access or where attackers can trick admins into viewing malicious inputs. The ecommerce nature of Craft Commerce means that disruption or compromise could impact order processing, customer data, and payment workflows, which are critical for business continuity and trust.

European organizations should immediately upgrade Craft Commerce installations to versions 4.10.1 or later in the 4.x series, or 5.5.2 or later in the 5.x series, where the vulnerability is patched. Additionally, administrators should audit Tax Zone entries for suspicious or unexpected content and sanitize existing data if possible. Implement strict role-based access controls to limit the number of users with administrative privileges and enforce multi-factor authentication to reduce the risk of compromised admin accounts. Employ Content Security Policy (CSP) headers to mitigate the impact of potential XSS by restricting script execution sources. Regularly monitor admin panel activity logs for unusual behavior indicative of exploitation attempts. Finally, conduct security awareness training to ensure administrators recognize phishing or social engineering attempts that might lead to viewing malicious inputs.