What is CVE-2026-25522?

## Summary A stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Zone (Name & Description) fields in the **Store Management** section are not properly sanitized before being displayed in the admin panel. --- ## Proof of Concept ### Requirments - General permissions: - Access the control panel - Access Craft Commerce - Craft Commerce permissions: - Manage store settings - Manage shipping - An active administrator elevated session ### Steps to Reproduce 1. Log in to the Admin Panel with the attacker account with the permissions mentioned above. 2. Navigate to **Commerce** -> **Store Management** -> **Shipping Zones** (`/admin/commerce/store-management/primary/shippingzones`). 3. Create a new shipping zone. 4. In the **Name** field, enter the following payload: ```html ``` 4. Click **Save** & Go back to the previous page. 5. Notice the alert proving JavaScript execution. ### Privilege Escalation to Administrator: 1. Do the same steps above, but replace the payload with a malicious one. 2. The following payload elevates the attacker’s account to Admin if there’s already an elevated session, replace the ` ` with the attacker id: ```html /permissions',{method:'POST',body:`CRAFT_CSRF_TOKEN=${Craft.csrfTokenValue}&userId= &admin=1&action=users/save-permissions`,headers:{'content-type':'application/x-www-form-urlencoded'}})"> ``` 3. In another browser, log in as an admin & go to the vulnerable page (shipping zones page). 4. Go back to the attacker account & notice it is now an admin. The privilege escalation requires an elevated session. In a real-world scenario, an attacker can automate the process by forcing a logout if the victim’s session is stale; upon re-authentication, the stored XSS payload executes within a fresh elevated session to complete the attack. Or even easier (and smarter), an attacker (using the XSS) can create a fake 'Session Expired' login modal overlay. Since it’s on the trusted domain, administrators will likely enter their credentials, sending them directly to the attacker. ### Resources: https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee

What is the severity of CVE-2026-25522?

CVE-2026-25522 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-25522?

No known public exploits are currently available for CVE-2026-25522.

Is there a patch available for CVE-2026-25522?

Yes, patches are available for CVE-2026-25522. Check the vendor advisories for update instructions.

CVE-2026-25522 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

A stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Zone (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel.

Proof of Concept

Requirments

General permissions:
- Access the control panel
- Access Craft Commerce
Craft Commerce permissions:
- Manage store settings
- Manage shipping
An active administrator elevated session

Steps to Reproduce

Log in to the Admin Panel with the attacker account with the permissions mentioned above.
Navigate to Commerce -> Store Management -> Shipping Zones (/admin/commerce/store-management/primary/shippingzones).
Create a new shipping zone.
In the Name field, enter the following payload:

<img src=x onerror="alert(document.domain)">

Click Save & Go back to the previous page.
Notice the alert proving JavaScript execution.

Privilege Escalation to Administrator:

Do the same steps above, but replace the payload with a malicious one.
The following payload elevates the attacker’s account to Admin if there’s already an elevated session, replace the <UserID> with the attacker id:

<img src=x onerror="fetch('/admin/users/<UserID>/permissions',{method:'POST',body:`CRAFT_CSRF_TOKEN=${Craft.csrfTokenValue}&userId=<UserID>&admin=1&action=users/save-permissions`,headers:{'content-type':'application/x-www-form-urlencoded'}})">

In another browser, log in as an admin & go to the vulnerable page (shipping zones page).
Go back to the attacker account & notice it is now an admin.

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Patch References

Github.com Github.com Github.com