{"url":"http://public2.vulnerablecode.io/api/packages/40456?format=json","purl":"pkg:composer/craftcms/commerce@4.0.0","type":"composer","namespace":"craftcms","name":"commerce","version":"4.0.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"4.11.0","latest_non_vulnerable_version":"5.6.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66052?format=json","vulnerability_id":"VCID-1fpe-utun-2bhp","summary":"Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Tax Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25488","reference_id":"","reference_type":"","scores":[{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07525","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07492","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25488"},{"reference_url":"https://github.com/craftcms/commerce","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/commerce"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/4.10.1","reference_id":"4.10.1","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value"
:"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:40Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/4.10.1"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/5.5.2","reference_id":"5.5.2","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:40Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/5.5.2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25488","reference_id":"CVE-2026-25488","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25488"},{"reference_url":"https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee","reference_id":"fa273330807807d05b564d37c88654cd772839ee","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:40Z/"}],"url":"https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"},{"reference_url":"https://github.com/advisories/GHSA-p6w8-q63m-72c8","reference_id":"GHSA-p6w8-q63m-72c8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"ht
tps://github.com/advisories/GHSA-p6w8-q63m-72c8"},{"reference_url":"https://github.com/craftcms/commerce/security/advisories/GHSA-p6w8-q63m-72c8","reference_id":"GHSA-p6w8-q63m-72c8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:40Z/"}],"url":"https://github.com/craftcms/commerce/security/advisories/GHSA-p6w8-q63m-72c8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38533?format=json","purl":"pkg:composer/craftcms/commerce@4.10.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7mwe-pr8b-27b9"},{"vulnerability":"VCID-8wtv-3a2u-efhn"},{"vulnerability":"VCID-97wt-uzgd-j7cy"},{"vulnerability":"VCID-dnc5-bagp-wfgm"},{"vulnerability":"VCID-gym5-pp2y-y3ed"},{"vulnerability":"VCID-ke4n-z9fq-87ea"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@4.10.1"},{"url":"http://public2.vulnerablecode.io/api/packages/38526?format=json","purl":"pkg:composer/craftcms/commerce@5.5.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6ut7-kdwm-zubh"},{"vulnerability":"VCID-7mwe-pr8b-27b9"},{"vulnerability":"VCID-8wtv-3a2u-efhn"},{"vulnerability":"VCID-97wt-uzgd-j7cy"},{"vulnerability":"VCID-dnc5-bagp-wfgm"},{"vulnerability":"VCID-gym5-pp2y-y3ed"},{"vulnerability":"VCID-ke4n-z9fq-87ea"},{"vulnerability":"VCID-nd31-ykw5-rqbt"},{"vulnerability":"VCID-wk8c-81g9-juh9"},{"vulnerability":"VCID-y7ud-n1vc-ckc5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2"}],"aliases":["CVE-2026-25488","GHSA-p6w8-q63m-72c8"],"risk_score":3.1,"exploitability":"0.5","weighted_
severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1fpe-utun-2bhp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65948?format=json","vulnerability_id":"VCID-3aau-58kb-23c2","summary":"Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Zone (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25522","reference_id":"","reference_type":"","scores":[{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10383","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10332","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25522"},{"reference_url":"https://github.com/craftcms/commerce","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/commerce"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/4.10.1","reference_id":"4.10.1","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T19:22:16Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/4.10.1
"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/5.5.2","reference_id":"5.5.2","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T19:22:16Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/5.5.2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25522","reference_id":"CVE-2026-25522","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25522"},{"reference_url":"https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee","reference_id":"fa273330807807d05b564d37c88654cd772839ee","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T19:22:16Z/"}],"url":"https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"},{"reference_url":"https://github.com/advisories/GHSA-h9r9-2pxg-cx9m","reference_id":"GHSA-h9r9-2pxg-cx9m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h9r9-2pxg-cx9m"},{"reference_url":"https://github.com/craftcms/commerce/security/advisories/GHSA-h9r9-2pxg-cx9m","reference_id":"GHSA-h9r9-2pxg-cx9m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvs
sv3.1_qr","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T19:22:16Z/"}],"url":"https://github.com/craftcms/commerce/security/advisories/GHSA-h9r9-2pxg-cx9m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38533?format=json","purl":"pkg:composer/craftcms/commerce@4.10.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7mwe-pr8b-27b9"},{"vulnerability":"VCID-8wtv-3a2u-efhn"},{"vulnerability":"VCID-97wt-uzgd-j7cy"},{"vulnerability":"VCID-dnc5-bagp-wfgm"},{"vulnerability":"VCID-gym5-pp2y-y3ed"},{"vulnerability":"VCID-ke4n-z9fq-87ea"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@4.10.1"},{"url":"http://public2.vulnerablecode.io/api/packages/38526?format=json","purl":"pkg:composer/craftcms/commerce@5.5.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6ut7-kdwm-zubh"},{"vulnerability":"VCID-7mwe-pr8b-27b9"},{"vulnerability":"VCID-8wtv-3a2u-efhn"},{"vulnerability":"VCID-97wt-uzgd-j7cy"},{"vulnerability":"VCID-dnc5-bagp-wfgm"},{"vulnerability":"VCID-gym5-pp2y-y3ed"},{"vulnerability":"VCID-ke4n-z9fq-87ea"},{"vulnerability":"VCID-nd31-ykw5-rqbt"},{"vulnerability":"VCID-wk8c-81g9-juh9"},{"vulnerability":"VCID-y7ud-n1vc-ckc5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2"}],"aliases":["CVE-2026-25522","GHSA-h9r9-2pxg-cx9m"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3aau-58kb-23c2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65916?format=json","vulnerability_id":"VCID-3tvs-zkkk-q3dn","summary":"Craft Commerce is 
an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the 'Address Line 1' field in Inventory Locations is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25490","reference_id":"","reference_type":"","scores":[{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07525","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07492","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25490"},{"reference_url":"https://github.com/craftcms/commerce","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/commerce"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/4.10.1","reference_id":"4.10.1","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:25:17Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/4.10.1"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/5.5.2","reference_id":"5.5.2","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","sco
ring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:25:17Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/5.5.2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25490","reference_id":"CVE-2026-25490","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25490"},{"reference_url":"https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee","reference_id":"fa273330807807d05b564d37c88654cd772839ee","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:25:17Z/"}],"url":"https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"},{"reference_url":"https://github.com/advisories/GHSA-wq2m-r96q-crrf","reference_id":"GHSA-wq2m-r96q-crrf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wq2m-r96q-crrf"},{"reference_url":"https://github.com/craftcms/commerce/security/advisories/GHSA-wq2m-r96q-crrf","reference_id":"GHSA-wq2m-r96q-crrf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","sc
oring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:25:17Z/"}],"url":"https://github.com/craftcms/commerce/security/advisories/GHSA-wq2m-r96q-crrf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38533?format=json","purl":"pkg:composer/craftcms/commerce@4.10.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7mwe-pr8b-27b9"},{"vulnerability":"VCID-8wtv-3a2u-efhn"},{"vulnerability":"VCID-97wt-uzgd-j7cy"},{"vulnerability":"VCID-dnc5-bagp-wfgm"},{"vulnerability":"VCID-gym5-pp2y-y3ed"},{"vulnerability":"VCID-ke4n-z9fq-87ea"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@4.10.1"},{"url":"http://public2.vulnerablecode.io/api/packages/38526?format=json","purl":"pkg:composer/craftcms/commerce@5.5.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6ut7-kdwm-zubh"},{"vulnerability":"VCID-7mwe-pr8b-27b9"},{"vulnerability":"VCID-8wtv-3a2u-efhn"},{"vulnerability":"VCID-97wt-uzgd-j7cy"},{"vulnerability":"VCID-dnc5-bagp-wfgm"},{"vulnerability":"VCID-gym5-pp2y-y3ed"},{"vulnerability":"VCID-ke4n-z9fq-87ea"},{"vulnerability":"VCID-nd31-ykw5-rqbt"},{"vulnerability":"VCID-wk8c-81g9-juh9"},{"vulnerability":"VCID-y7ud-n1vc-ckc5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2"}],"aliases":["CVE-2026-25490","GHSA-wq2m-r96q-crrf"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3tvs-zkkk-q3dn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66198?format=json","vulnerability_id":"VCID-6g9k-ndry-qyc4","summary":"Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the \"Recent Orders\" dashboard widget. 
The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard. This issue has been patched in versions 4.10.1 and 5.5.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25482","reference_id":"","reference_type":"","scores":[{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08874","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08831","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25482"},{"reference_url":"https://github.com/craftcms/commerce","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/commerce"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/4.10.1","reference_id":"4.10.1","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:23Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/4.10.1"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/5.5.2","reference_id":"5.5.2","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:23Z/"}],"url":"https://github.com/craf
tcms/commerce/releases/tag/5.5.2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25482","reference_id":"CVE-2026-25482","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25482"},{"reference_url":"https://github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935ba65","reference_id":"d94d1c9832a47a1c383e375ae87c46c13935ba65","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:23Z/"}],"url":"https://github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935ba65"},{"reference_url":"https://github.com/advisories/GHSA-frj9-9rwc-pw9j","reference_id":"GHSA-frj9-9rwc-pw9j","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-frj9-9rwc-pw9j"},{"reference_url":"https://github.com/craftcms/commerce/security/advisories/GHSA-frj9-9rwc-pw9j","reference_id":"GHSA-frj9-9rwc-pw9j","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:23Z/"}],"url":"https://github.com/craftcms/commerce/security/advisories/GHSA-frj9-9rwc-pw9j"}],"fixed_packages":[{"url":"http://public2.
vulnerablecode.io/api/packages/38533?format=json","purl":"pkg:composer/craftcms/commerce@4.10.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7mwe-pr8b-27b9"},{"vulnerability":"VCID-8wtv-3a2u-efhn"},{"vulnerability":"VCID-97wt-uzgd-j7cy"},{"vulnerability":"VCID-dnc5-bagp-wfgm"},{"vulnerability":"VCID-gym5-pp2y-y3ed"},{"vulnerability":"VCID-ke4n-z9fq-87ea"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@4.10.1"},{"url":"http://public2.vulnerablecode.io/api/packages/38526?format=json","purl":"pkg:composer/craftcms/commerce@5.5.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6ut7-kdwm-zubh"},{"vulnerability":"VCID-7mwe-pr8b-27b9"},{"vulnerability":"VCID-8wtv-3a2u-efhn"},{"vulnerability":"VCID-97wt-uzgd-j7cy"},{"vulnerability":"VCID-dnc5-bagp-wfgm"},{"vulnerability":"VCID-gym5-pp2y-y3ed"},{"vulnerability":"VCID-ke4n-z9fq-87ea"},{"vulnerability":"VCID-nd31-ykw5-rqbt"},{"vulnerability":"VCID-wk8c-81g9-juh9"},{"vulnerability":"VCID-y7ud-n1vc-ckc5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2"}],"aliases":["CVE-2026-25482","GHSA-frj9-9rwc-pw9j"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6g9k-ndry-qyc4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/74121?format=json","vulnerability_id":"VCID-7mwe-pr8b-27b9","summary":"Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part (column name) is passed directly as an array key to orderBy() without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an authenticated attacker to inject arbitrary SQL into the ORDER BY clause. 
This vulnerability is fixed in 4.10.2 and 5.5.3.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29172","reference_id":"","reference_type":"","scores":[{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03134","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.0312","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29172"},{"reference_url":"https://github.com/craftcms/commerce","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/commerce"},{"reference_url":"https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276","reference_id":"b231b920b73db023e81e5b261b894d73e865c276","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-11T14:12:47Z/"}],"url":"https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29172","reference_id":"CVE-2026-29172","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29172"},{"reference_url":"https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1","reference_id":"e4e0f4107cd895d29290523637f077fe280407b1","reference_type":""
,"scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-11T14:12:47Z/"}],"url":"https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1"},{"reference_url":"https://github.com/advisories/GHSA-j3x5-mghf-xvfw","reference_id":"GHSA-j3x5-mghf-xvfw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j3x5-mghf-xvfw"},{"reference_url":"https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw","reference_id":"GHSA-j3x5-mghf-xvfw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-11T14:12:47Z/"}],"url":"https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40457?format=json","purl":"pkg:composer/craftcms/commerce@4.10.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-97wt-uzgd-j7cy"},{"vulnerability":"VCID-gym5-pp2y-y3ed"},{"vulnerability":"VCID-ke4n-z9fq-87ea"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@4.10.2"},{"url":"http://public2.vulnerablecode.io/api/packages/40459?format=json","purl":"pkg:composer/craftcms/commerce@5.5.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-97wt-uzgd-j7cy"},{"vulnerability":"VCID-gym5-pp2y-y3ed"},{"v
ulnerability":"VCID-ke4n-z9fq-87ea"},{"vulnerability":"VCID-nd31-ykw5-rqbt"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.3"}],"aliases":["CVE-2026-29172","GHSA-j3x5-mghf-xvfw"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7mwe-pr8b-27b9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65720?format=json","vulnerability_id":"VCID-8612-urej-cqbg","summary":"Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25489","reference_id":"","reference_type":"","scores":[{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07525","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07492","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25489"},{"reference_url":"https://github.com/craftcms/commerce","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/commerce"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/4.10.1","reference_id":"4.10.1","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE",
"scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:32:00Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/4.10.1"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/5.5.2","reference_id":"5.5.2","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:32:00Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/5.5.2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25489","reference_id":"CVE-2026-25489","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25489"},{"reference_url":"https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee","reference_id":"fa273330807807d05b564d37c88654cd772839ee","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:32:00Z/"}],"url":"https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"},{"reference_url":"https://github.com/advisories/GHSA-v585-mf6r-rqrc","reference_id":"GHSA-v585-mf6r-rqrc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github
.com/advisories/GHSA-v585-mf6r-rqrc"},{"reference_url":"https://github.com/craftcms/commerce/security/advisories/GHSA-v585-mf6r-rqrc","reference_id":"GHSA-v585-mf6r-rqrc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:32:00Z/"}],"url":"https://github.com/craftcms/commerce/security/advisories/GHSA-v585-mf6r-rqrc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38533?format=json","purl":"pkg:composer/craftcms/commerce@4.10.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7mwe-pr8b-27b9"},{"vulnerability":"VCID-8wtv-3a2u-efhn"},{"vulnerability":"VCID-97wt-uzgd-j7cy"},{"vulnerability":"VCID-dnc5-bagp-wfgm"},{"vulnerability":"VCID-gym5-pp2y-y3ed"},{"vulnerability":"VCID-ke4n-z9fq-87ea"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@4.10.1"},{"url":"http://public2.vulnerablecode.io/api/packages/38526?format=json","purl":"pkg:composer/craftcms/commerce@5.5.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6ut7-kdwm-zubh"},{"vulnerability":"VCID-7mwe-pr8b-27b9"},{"vulnerability":"VCID-8wtv-3a2u-efhn"},{"vulnerability":"VCID-97wt-uzgd-j7cy"},{"vulnerability":"VCID-dnc5-bagp-wfgm"},{"vulnerability":"VCID-gym5-pp2y-y3ed"},{"vulnerability":"VCID-ke4n-z9fq-87ea"},{"vulnerability":"VCID-nd31-ykw5-rqbt"},{"vulnerability":"VCID-wk8c-81g9-juh9"},{"vulnerability":"VCID-y7ud-n1vc-ckc5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2"}],"aliases":["CVE-2026-25489","GHSA-v585-mf6r-rqrc"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6
.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8612-urej-cqbg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/74033?format=json","vulnerability_id":"VCID-8wtv-3a2u-efhn","summary":"Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name. When a user opens the order details slideout via a double-click on the order index page, the injected payload executes. This vulnerability is fixed in 4.10.2 and 5.5.3.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29177","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02429","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02427","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29177"},{"reference_url":"https://github.com/craftcms/commerce","reference_id":"","reference_type":"","scores":[{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/commerce"},{"reference_url":"https://github.com/craftcms/commerce/commit/b0683e04773f16bba6af9df18aab495fc5dde68a","reference_id":"b0683e04773f16bba6af9df18aab495fc5dde68a","reference_type":"","scores":[{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:07:59Z/"}],"url":"https://github.com/craftcms/comme
rce/commit/b0683e04773f16bba6af9df18aab495fc5dde68a"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29177","reference_id":"CVE-2026-29177","reference_type":"","scores":[{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29177"},{"reference_url":"https://github.com/advisories/GHSA-mj32-r678-7mvp","reference_id":"GHSA-mj32-r678-7mvp","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mj32-r678-7mvp"},{"reference_url":"https://github.com/craftcms/commerce/security/advisories/GHSA-mj32-r678-7mvp","reference_id":"GHSA-mj32-r678-7mvp","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:07:59Z/"}],"url":"https://github.com/craftcms/commerce/security/advisories/GHSA-mj32-r678-7mvp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40457?format=json","purl":"pkg:composer/craftcms/commerce@4.10.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-97wt-uzgd-j7cy"},{"vulnerability":"VCID-gym5-pp2y-y3ed"},{"vulnerability":"VCID-ke4n-z9fq-87ea"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@4.10.2"},{"url":"http://public2.vulnerablecode.io/api/packages/40459?format=json","purl":"pkg:composer/craftcms/commerce@5.5.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-97wt-uzgd-j7cy"},{"vulnerability":"VCID-gym
5-pp2y-y3ed"},{"vulnerability":"VCID-ke4n-z9fq-87ea"},{"vulnerability":"VCID-nd31-ykw5-rqbt"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.3"}],"aliases":["CVE-2026-29177","GHSA-mj32-r678-7mvp"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8wtv-3a2u-efhn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66248?format=json","vulnerability_id":"VCID-95zg-q87n-kba2","summary":"Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes. 
This issue has been patched in versions 4.10.1 and 5.5.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25483","reference_id":"","reference_type":"","scores":[{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04756","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25483"},{"reference_url":"https://github.com/craftcms/commerce","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/commerce"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/4.10.1","reference_id":"4.10.1","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:22Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/4.10.1"},{"reference_url":"https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c","reference_id":"4665a47c0961aee311a42af2ff94a7c470f0ad8c","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:22Z/"}],"url":"https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/5.5.2","reference_id":"5.5.2","reference_type":"","scores":[{"value":"6.2
","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:22Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/5.5.2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25483","reference_id":"CVE-2026-25483","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25483"},{"reference_url":"https://github.com/advisories/GHSA-8478-rmjg-mjj5","reference_id":"GHSA-8478-rmjg-mjj5","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8478-rmjg-mjj5"},{"reference_url":"https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5","reference_id":"GHSA-8478-rmjg-mjj5","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:22Z/"}],"url":"https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38533?format=json","purl":"pkg:composer/craftcms/commerce@4.10.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7mwe-pr8b-27b9"},{"vulnerability":"VCID-8wtv-3a2u-efhn"},{"vulnerability":"VCID-97wt-uzgd-j7cy"},
{"vulnerability":"VCID-dnc5-bagp-wfgm"},{"vulnerability":"VCID-gym5-pp2y-y3ed"},{"vulnerability":"VCID-ke4n-z9fq-87ea"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@4.10.1"},{"url":"http://public2.vulnerablecode.io/api/packages/38526?format=json","purl":"pkg:composer/craftcms/commerce@5.5.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6ut7-kdwm-zubh"},{"vulnerability":"VCID-7mwe-pr8b-27b9"},{"vulnerability":"VCID-8wtv-3a2u-efhn"},{"vulnerability":"VCID-97wt-uzgd-j7cy"},{"vulnerability":"VCID-dnc5-bagp-wfgm"},{"vulnerability":"VCID-gym5-pp2y-y3ed"},{"vulnerability":"VCID-ke4n-z9fq-87ea"},{"vulnerability":"VCID-nd31-ykw5-rqbt"},{"vulnerability":"VCID-wk8c-81g9-juh9"},{"vulnerability":"VCID-y7ud-n1vc-ckc5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2"}],"aliases":["CVE-2026-25483","GHSA-8478-rmjg-mjj5"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-95zg-q87n-kba2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/76986?format=json","vulnerability_id":"VCID-97wt-uzgd-j7cy","summary":"Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, the PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. The JSON error response includes the serialized order object (order), which contains some sensitive fields such as customer email, shipping address, and billing address. The frontend payment flow's actionPay() retrieves orders by number before authorization is fully enforced: the order is loaded by number first. 
This issue has been fixed in versions 4.11.0 and 5.6.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32270","reference_id":"","reference_type":"","scores":[{"value":"0.0009","scoring_system":"epss","scoring_elements":"0.25681","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0009","scoring_system":"epss","scoring_elements":"0.25482","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32270"},{"reference_url":"https://github.com/craftcms/commerce","reference_id":"","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/commerce"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32270","reference_id":"","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32270"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/4.11.0","reference_id":"4.11.0","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"1.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T15:24:48Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/4.11.0"},{"reference_url":"https://github.com/craftcms/commerce/commit/48a5d946419964e2af1ac64a8e1acc2a32ca0a08","reference_id":"48a5d946419964e2af1a
c64a8e1acc2a32ca0a08","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"1.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T15:24:48Z/"}],"url":"https://github.com/craftcms/commerce/commit/48a5d946419964e2af1ac64a8e1acc2a32ca0a08"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/5.6.0","reference_id":"5.6.0","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"1.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T15:24:48Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/5.6.0"},{"reference_url":"https://github.com/advisories/GHSA-3vxg-x5f8-f5qf","reference_id":"GHSA-3vxg-x5f8-f5qf","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3vxg-x5f8-f5qf"},{"reference_url":"https://github.com/craftcms/commerce/security/advisories/GHSA-3vxg-x5f8-f5qf","reference_id":"GHSA-3vxg-x5f8-f5qf","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"1.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"1.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/S
A:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T15:24:48Z/"}],"url":"https://github.com/craftcms/commerce/security/advisories/GHSA-3vxg-x5f8-f5qf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40468?format=json","purl":"pkg:composer/craftcms/commerce@4.11.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@4.11.0"},{"url":"http://public2.vulnerablecode.io/api/packages/40469?format=json","purl":"pkg:composer/craftcms/commerce@5.6.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.6.0"}],"aliases":["CVE-2026-32270","GHSA-3vxg-x5f8-f5qf"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-97wt-uzgd-j7cy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/74122?format=json","vulnerability_id":"VCID-dnc5-bagp-wfgm","summary":"Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. 
This vulnerability is fixed in 4.10.2 and 5.5.3.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29173","reference_id":"","reference_type":"","scores":[{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.05204","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.05217","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29173"},{"reference_url":"https://github.com/craftcms/commerce","reference_id":"","reference_type":"","scores":[{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/commerce"},{"reference_url":"https://github.com/craftcms/commerce/commit/60cdc505c03b6fa2f59715e8c060114b66334afa","reference_id":"60cdc505c03b6fa2f59715e8c060114b66334afa","reference_type":"","scores":[{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:09:40Z/"}],"url":"https://github.com/craftcms/commerce/commit/60cdc505c03b6fa2f59715e8c060114b66334afa"},{"reference_url":"https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b","reference_id":"a2ea853935ef03297ea1298bdb0d8c55ec5daf7b","reference_type":"","scores":[{"value":"1.9","scoring_sy
stem":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:09:40Z/"}],"url":"https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29173","reference_id":"CVE-2026-29173","reference_type":"","scores":[{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29173"},{"reference_url":"https://github.com/advisories/GHSA-mqxf-2998-c6cp","reference_id":"GHSA-mqxf-2998-c6cp","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mqxf-2998-c6cp"},{"reference_url":"https://github.com/craftcms/commerce/security/advisories/GHSA-mqxf-2998-c6cp","reference_id":"GHSA-mqxf-2998-c6cp","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"val
ue":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:09:40Z/"}],"url":"https://github.com/craftcms/commerce/security/advisories/GHSA-mqxf-2998-c6cp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40457?format=json","purl":"pkg:composer/craftcms/commerce@4.10.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-97wt-uzgd-j7cy"},{"vulnerability":"VCID-gym5-pp2y-y3ed"},{"vulnerability":"VCID-ke4n-z9fq-87ea"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@4.10.2"},{"url":"http://public2.vulnerablecode.io/api/packages/40459?format=json","purl":"pkg:composer/craftcms/commerce@5.5.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-97wt-uzgd-j7cy"},{"vulnerability":"VCID-gym5-pp2y-y3ed"},{"vulnerability":"VCID-ke4n-z9fq-87ea"},{"vulnerability":"VCID-nd31-ykw5-rqbt"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.3"}],"aliases":["CVE-2026-29173","GHSA-mqxf-2998-c6cp"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dnc5-bagp-wfgm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77310?format=json","vulnerability_id":"VCID-gym5-pp2y-y3ed","summary":"Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allows any authenticated control panel user to achieve remote code execution through a four-step exploitation chain. The attack exploits unsanitized widget settings interpolated into SQL expressions, combined with PDO's default multi-statement query support, to inject a maliciously serialized PHP object into the queue table. 
When the queue consumer processes the injected job, the unrestricted unserialize() call in yii2-queue instantiates a GuzzleHttp FileCookieJar gadget chain whose __destruct() method writes a PHP webshell to the server's webroot. The complete chain requires only three HTTP requests, no administrative privileges, and results in arbitrary command execution as the PHP process user, with queue processing triggered via an unauthenticated endpoint. This issue has been fixed in versions 4.10.3 and 5.5.5.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32271","reference_id":"","reference_type":"","scores":[{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.23845","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.23649","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32271"},{"reference_url":"https://github.com/craftcms/commerce","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/commerce"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32271","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32271"},{"reference_url":"https://github.com/craftcms/commerce/commit/6d2d24b3a2b0c06593856d05446f82bd8af92d72","reference_id":"6d2d24b3a2b0c06593856d05446f82bd8af92d72","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"c
vssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-16T13:21:36Z/"}],"url":"https://github.com/craftcms/commerce/commit/6d2d24b3a2b0c06593856d05446f82bd8af92d72"},{"reference_url":"https://github.com/advisories/GHSA-875v-7m49-8x88","reference_id":"GHSA-875v-7m49-8x88","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-875v-7m49-8x88"},{"reference_url":"https://github.com/craftcms/commerce/security/advisories/GHSA-875v-7m49-8x88","reference_id":"GHSA-875v-7m49-8x88","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-16T13:21:36Z/"}],"url":"https://github.com/craftcms/commerce/security/advisories/GHSA-875v-7m49-8x88"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373938?format=json","purl":"pkg:composer/craftcms/commerce@4.10.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@4.10.3"},{"url":"http://public2.vulnerablecode.io/api/packages/40468?format=json","purl":"pkg:composer/craftcms/commerce@4.11.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@4.11.0"},{"url":"http://pub
lic2.vulnerablecode.io/api/packages/373939?format=json","purl":"pkg:composer/craftcms/commerce@5.5.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.5"},{"url":"http://public2.vulnerablecode.io/api/packages/40469?format=json","purl":"pkg:composer/craftcms/commerce@5.6.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.6.0"}],"aliases":["CVE-2026-32271","GHSA-875v-7m49-8x88"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gym5-pp2y-y3ed"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65779?format=json","vulnerability_id":"VCID-kcyd-frx2-myg9","summary":"Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings. The vulnerable input (source) is in Commerce (Product Type settings), but the sink is in CMS user permissions settings. 
This issue has been patched in versions 4.10.1 and 5.5.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25484","reference_id":"","reference_type":"","scores":[{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05631","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05604","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25484"},{"reference_url":"https://github.com/craftcms/commerce","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/commerce"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/4.10.1","reference_id":"4.10.1","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:19Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/4.10.1"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/5.5.2","reference_id":"5.5.2","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:19Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/5.5.2"},{"reference_url":"https://github.com/craftcms/commerce/commit/7e1dedf06038c8e70dce0187b7048d4ab8ffb75c","reference_id":"7e1
dedf06038c8e70dce0187b7048d4ab8ffb75c","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:19Z/"}],"url":"https://github.com/craftcms/commerce/commit/7e1dedf06038c8e70dce0187b7048d4ab8ffb75c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25484","reference_id":"CVE-2026-25484","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25484"},{"reference_url":"https://github.com/advisories/GHSA-2h2m-v2mg-656c","reference_id":"GHSA-2h2m-v2mg-656c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2h2m-v2mg-656c"},{"reference_url":"https://github.com/craftcms/commerce/security/advisories/GHSA-2h2m-v2mg-656c","reference_id":"GHSA-2h2m-v2mg-656c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:19Z/"}],"url":"https://github.com/craftcms/commerce/security/advisories/GHSA-2h2m-v2mg-656c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38533?format=json","purl":"pkg:composer/craftcms/commerce@4.10.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnera
bility":"VCID-7mwe-pr8b-27b9"},{"vulnerability":"VCID-8wtv-3a2u-efhn"},{"vulnerability":"VCID-97wt-uzgd-j7cy"},{"vulnerability":"VCID-dnc5-bagp-wfgm"},{"vulnerability":"VCID-gym5-pp2y-y3ed"},{"vulnerability":"VCID-ke4n-z9fq-87ea"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@4.10.1"},{"url":"http://public2.vulnerablecode.io/api/packages/38526?format=json","purl":"pkg:composer/craftcms/commerce@5.5.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6ut7-kdwm-zubh"},{"vulnerability":"VCID-7mwe-pr8b-27b9"},{"vulnerability":"VCID-8wtv-3a2u-efhn"},{"vulnerability":"VCID-97wt-uzgd-j7cy"},{"vulnerability":"VCID-dnc5-bagp-wfgm"},{"vulnerability":"VCID-gym5-pp2y-y3ed"},{"vulnerability":"VCID-ke4n-z9fq-87ea"},{"vulnerability":"VCID-nd31-ykw5-rqbt"},{"vulnerability":"VCID-wk8c-81g9-juh9"},{"vulnerability":"VCID-y7ud-n1vc-ckc5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2"}],"aliases":["CVE-2026-25484","GHSA-2h2m-v2mg-656c"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kcyd-frx2-myg9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71368?format=json","vulnerability_id":"VCID-ke4n-z9fq-87ea","summary":"Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.11.0 and 5.6.0, an Insecure Direct Object Reference (IDOR) vulnerability exists in Craft Commerce’s cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character number. The CartController accepts a user-supplied number parameter to load and modify shopping carts. No ownership validation is performed - the code only checks if the order exists and is incomplete, not whether the requester has authorization to access it. This vulnerability enables the takeover of shopping sessions and potential exposure of PII. 
This vulnerability is fixed in 4.11.0 and 5.6.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31867","reference_id":"","reference_type":"","scores":[{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.22155","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.21965","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31867"},{"reference_url":"https://github.com/craftcms/commerce","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/commerce"},{"reference_url":"https://github.com/craftcms/commerce/pull/4207","reference_id":"4207","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T13:49:40Z/"}],"url":"https://github.com/craftcms/commerce/pull/4207"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31867","reference_id":"CVE-2026-31867","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31867"},{"reference_url":"https://github.com/advisories/GHSA-vff3-pqq8-4cpq","reference_id":"GHSA-vff3-pqq8-4cpq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vff3-pqq8-4cpq"},{"reference
_url":"https://github.com/craftcms/commerce/security/advisories/GHSA-vff3-pqq8-4cpq","reference_id":"GHSA-vff3-pqq8-4cpq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T13:49:40Z/"}],"url":"https://github.com/craftcms/commerce/security/advisories/GHSA-vff3-pqq8-4cpq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40468?format=json","purl":"pkg:composer/craftcms/commerce@4.11.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@4.11.0"},{"url":"http://public2.vulnerablecode.io/api/packages/936845?format=json","purl":"pkg:composer/craftcms/commerce@5.0.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fpe-utun-2bhp"},{"vulnerability":"VCID-3aau-58kb-23c2"},{"vulnerability":"VCID-3tvs-zkkk-q3dn"},{"vulnerability":"VCID-3zc6-6twn-53bv"},{"vulnerability":"VCID-8612-urej-cqbg"},{"vulnerability":"VCID-w92g-517h-rud8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.0.0-beta.1"},{"url":"http://public2.vulnerablecode.io/api/packages/40469?format=json","purl":"pkg:composer/craftcms/commerce@5.6.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.6.0"}],"aliases":["CVE-2026-31867","GHSA-vff3-pqq8-4cpq"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ke4n-z9fq-87ea"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66089?for
mat=json","vulnerability_id":"VCID-w92g-517h-rud8","summary":"Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25487","reference_id":"","reference_type":"","scores":[{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07525","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07492","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25487"},{"reference_url":"https://github.com/craftcms/commerce","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/commerce"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/4.10.1","reference_id":"4.10.1","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:06Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/4.10.1"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/5.5.2","reference_id":"5.5.2","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"C
VSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:06Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/5.5.2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25487","reference_id":"CVE-2026-25487","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25487"},{"reference_url":"https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee","reference_id":"fa273330807807d05b564d37c88654cd772839ee","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:06Z/"}],"url":"https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"},{"reference_url":"https://github.com/advisories/GHSA-wqc5-485v-3hqh","reference_id":"GHSA-wqc5-485v-3hqh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wqc5-485v-3hqh"},{"reference_url":"https://github.com/craftcms/commerce/security/advisories/GHSA-wqc5-485v-3hqh","reference_id":"GHSA-wqc5-485v-3hqh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_syst
em":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:06Z/"}],"url":"https://github.com/craftcms/commerce/security/advisories/GHSA-wqc5-485v-3hqh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38533?format=json","purl":"pkg:composer/craftcms/commerce@4.10.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7mwe-pr8b-27b9"},{"vulnerability":"VCID-8wtv-3a2u-efhn"},{"vulnerability":"VCID-97wt-uzgd-j7cy"},{"vulnerability":"VCID-dnc5-bagp-wfgm"},{"vulnerability":"VCID-gym5-pp2y-y3ed"},{"vulnerability":"VCID-ke4n-z9fq-87ea"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@4.10.1"},{"url":"http://public2.vulnerablecode.io/api/packages/38526?format=json","purl":"pkg:composer/craftcms/commerce@5.5.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6ut7-kdwm-zubh"},{"vulnerability":"VCID-7mwe-pr8b-27b9"},{"vulnerability":"VCID-8wtv-3a2u-efhn"},{"vulnerability":"VCID-97wt-uzgd-j7cy"},{"vulnerability":"VCID-dnc5-bagp-wfgm"},{"vulnerability":"VCID-gym5-pp2y-y3ed"},{"vulnerability":"VCID-ke4n-z9fq-87ea"},{"vulnerability":"VCID-nd31-ykw5-rqbt"},{"vulnerability":"VCID-wk8c-81g9-juh9"},{"vulnerability":"VCID-y7ud-n1vc-ckc5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2"}],"aliases":["CVE-2026-25487","GHSA-wqc5-485v-3hqh"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w92g-517h-rud8"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@4.0.0"}