CVE-2026-25522 is a stored cross-site scripting (XSS) vulnerability identified in Craft Commerce, an ecommerce platform integrated with Craft CMS. The vulnerability exists in versions from 4.0.0-RC1 up to 4.10.0 and from 5.0.0 up to 5.5.1. It stems from improper neutralization of input in the Shipping Zone Name and Description fields within the Store Management section of the administrative interface. Specifically, these fields do not adequately sanitize user-supplied input before rendering it in the administrator’s browser, allowing an attacker to inject malicious JavaScript code that executes when an admin views the affected page. The attack vector is network-based, with low complexity and no privileges required to submit the malicious input, but it requires user interaction in the form of an administrator viewing the compromised data. The vulnerability does not affect confidentiality, integrity, or availability directly but can lead to session hijacking, credential theft, or privilege escalation through exploitation of the administrator’s session. The issue has been addressed in Craft Commerce versions 4.10.1 and 5.5.2 by implementing proper input sanitization. No known exploits have been reported in the wild as of now. The CVSS 4.0 vector string (AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N) reflects a medium severity rating of 6.1, indicating a moderate risk that should be remediated promptly to prevent potential administrative compromise.

For European organizations using Craft Commerce within the affected version ranges, this vulnerability poses a significant risk to administrative security. Exploitation could allow attackers to execute arbitrary JavaScript in the context of an administrator’s browser, potentially leading to session hijacking, theft of administrative credentials, or unauthorized actions performed with administrative privileges. This could result in unauthorized changes to ecommerce configurations, manipulation of orders, or exposure of sensitive customer data. Given that ecommerce platforms are critical for business operations and customer trust, successful exploitation could lead to financial losses, reputational damage, and regulatory compliance issues under GDPR if personal data is compromised. The medium severity rating suggests that while the vulnerability is not trivially exploitable without user interaction, the impact on confidentiality and integrity of administrative functions is substantial. Organizations with high ecommerce transaction volumes or those handling sensitive customer data are at greater risk. Additionally, the vulnerability could be leveraged as a foothold for further attacks within the network if administrative credentials are compromised.

European organizations should immediately upgrade Craft Commerce installations to versions 4.10.1 or 5.5.2 or later, where the vulnerability is patched. Until upgrades can be performed, implement strict input validation and sanitization on all user-supplied data fields, especially those exposed in administrative interfaces. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the admin panel. Limit administrative access to trusted networks and use multi-factor authentication to reduce the risk of credential compromise. Regularly audit and monitor admin panel activity for unusual behavior that could indicate exploitation attempts. Educate administrators about the risks of interacting with untrusted input and encourage cautious handling of new or modified Shipping Zone entries. Additionally, consider deploying web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting the affected fields. Finally, maintain a robust patch management process to ensure timely application of security updates.