CVE-2026-25490 is a stored cross-site scripting vulnerability classified under CWE-79, impacting Craft Commerce, an ecommerce platform integrated with Craft CMS. The vulnerability arises from improper neutralization of input in the 'Address Line 1' field within Inventory Locations. Specifically, user-supplied input is not adequately sanitized before being embedded into the admin panel's web pages, enabling attackers to inject malicious JavaScript payloads. When an administrator accesses the Inventory Locations section, the injected script executes in their browser context, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the admin interface. The vulnerability affects versions from 4.0.0-RC1 up to but not including 4.10.1, and from 5.0.0 up to but not including 5.5.2. Exploitation requires the attacker to have high privileges to input malicious data, but no additional user interaction is needed beyond the admin viewing the compromised field. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required to execute the attack (though high privileges are needed to inject), and partial scope impact. The issue has been addressed in subsequent patches, which sanitize input properly to prevent script injection. No known exploits have been observed in the wild as of the publication date.

For European organizations using Craft Commerce within the affected version ranges, this vulnerability poses a risk primarily to administrative users. Successful exploitation could allow attackers to execute arbitrary JavaScript in the context of the admin panel, potentially leading to theft of admin session tokens, unauthorized changes to ecommerce configurations, or manipulation of inventory data. This could disrupt ecommerce operations, compromise sensitive customer and business data, and damage organizational reputation. Given the ecommerce context, any compromise of administrative control could also facilitate fraudulent transactions or data leakage. The impact is heightened for organizations with complex inventory management workflows or those relying heavily on Craft Commerce for critical sales channels. Additionally, GDPR considerations mean that any data breach resulting from exploitation could lead to regulatory penalties. However, the requirement for high privileges to inject malicious input limits the attack surface to insiders or attackers who have already gained elevated access, reducing the likelihood of widespread exploitation.

European organizations should immediately verify their Craft Commerce versions and upgrade to 4.10.1 or 5.5.2 or later to apply the official patches. Beyond patching, organizations should implement strict input validation and sanitization controls on all user-supplied data fields, especially those accessible by administrative users. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts within the admin panel. Regularly audit user permissions to ensure that only trusted personnel have high-level access capable of injecting data into inventory fields. Monitor administrative interfaces for unusual activity or unexpected changes in inventory data. Consider implementing web application firewalls (WAFs) with rules to detect and block common XSS payloads targeting the admin panel. Finally, conduct security awareness training for administrators to recognize suspicious behavior and potential social engineering attempts that could lead to privilege escalation.