
cpe:2.3:a:craftcms:craft_commerce:4.0.0:rc1:*:*:*:craft_cms:*:*

part: a version: 4.0.0 update: rc1

Vendor: Craftcms (251e238f-ce53-56ed-bc94-804b74356686)
Product: Craft Commerce (60223840-e262-5a89-98ad-e3b7039bf742)
Edition: *
Language: *
Software edition: *
Target software: craft_cms
Target hardware: *
Other: *
Notes: Imported from NVD CPE 2.0 feed

PURL mappings

PURL | Source | Last updated
pkg:composer/craftcms/commerce | purl2cpe | 2026-06-01 10:17:10.608567
pkg:github/craftcms/commerce | purl2cpe | 2026-06-01 10:17:10.608568

Vulnerability references

Columns: Identifier | CPE applicability | Submitted | db.gcve.eu details | Rationale

CVE-2026-25490 | vulnerable | 2026-06-08 07:53:19.872087 | Rationale: Imported from gcve-enriched-dumps CVE data
  Title: Craft Commerce has Stored XSS in Inventory Location Address Leading to Potential Privilege Escalation
  Description: Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the 'Address Line 1' field in Inventory Locations is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
  Published: 2026-02-03T18:09:33.290Z
  Updated: 2026-02-03T20:27:49.508Z

CVE-2026-25489 | vulnerable | 2026-06-08 07:53:19.871332 | Rationale: Imported from gcve-enriched-dumps CVE data
  Title: Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation
  Description: Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Name & Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
  Published: 2026-02-03T18:07:40.168Z
  Updated: 2026-02-03T20:34:09.676Z

CVE-2026-25488 | vulnerable | 2026-06-08 07:53:19.866217 | Rationale: Imported from gcve-enriched-dumps CVE data
  Title: Craft Commerce has Stored XSS in Tax Categories (Name & Description) Fields Leading to Potential Privilege Escalation
  Description: Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
  Published: 2026-02-03T18:07:25.106Z
  Updated: 2026-02-04T21:13:48.706Z

CVE-2026-25487 | vulnerable | 2026-06-08 07:53:19.865646 | Rationale: Imported from gcve-enriched-dumps CVE data
  Title: Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation
  Description: Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
  Published: 2026-02-03T18:07:12.401Z
  Updated: 2026-02-04T21:13:17.130Z

CVE-2026-25485 | vulnerable | 2026-06-08 07:53:19.864770 | Rationale: Imported from gcve-enriched-dumps CVE data
  Title: Craft Commerce has Stored XSS in Shipping Categories (Name & Description) Fields Leading to Potential Privilege Escalation
  Description: Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Shipping Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
  Published: 2026-02-03T18:06:45.900Z
  Updated: 2026-02-04T16:51:07.751Z

CVE-2026-25484 | vulnerable | 2026-06-08 07:53:19.864287 | (details omitted) | Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2026-25483 | vulnerable | 2026-06-08 07:53:19.863676 | (details omitted) | Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2026-25482 | vulnerable | 2026-06-08 07:53:19.862876 | (details omitted) | Rationale: Imported from gcve-enriched-dumps CVE data
