Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-3zc6-6twn-53bv
Vulnerability ID VCID-3zc6-6twn-53bv
Aliases CVE-2026-25486
GHSA-g92v-wpv7-6w22
Summary Craft Commerce is an ecommerce platform for Craft CMS. From version 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Methods Name field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in version 5.5.2.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00024 https://api.first.org/data/v1/epss?cve=CVE-2026-25486
epss 0.00024 https://api.first.org/data/v1/epss?cve=CVE-2026-25486
epss 0.00024 https://api.first.org/data/v1/epss?cve=CVE-2026-25486
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-g92v-wpv7-6w22
cvssv4 6.1 https://github.com/craftcms/commerce
generic_textual MODERATE https://github.com/craftcms/commerce
cvssv4 6.1 https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
generic_textual MODERATE https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
ssvc Track https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
cvssv4 6.1 https://github.com/craftcms/commerce/releases/tag/5.5.2
generic_textual MODERATE https://github.com/craftcms/commerce/releases/tag/5.5.2
ssvc Track https://github.com/craftcms/commerce/releases/tag/5.5.2
cvssv3.1_qr MODERATE https://github.com/craftcms/commerce/security/advisories/GHSA-g92v-wpv7-6w22
cvssv4 6.1 https://github.com/craftcms/commerce/security/advisories/GHSA-g92v-wpv7-6w22
generic_textual MODERATE https://github.com/craftcms/commerce/security/advisories/GHSA-g92v-wpv7-6w22
ssvc Track https://github.com/craftcms/commerce/security/advisories/GHSA-g92v-wpv7-6w22
cvssv4 6.1 https://nvd.nist.gov/vuln/detail/CVE-2026-25486
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-25486
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-25486
https://github.com/craftcms/commerce
5.5.2 https://github.com/craftcms/commerce/releases/tag/5.5.2
CVE-2026-25486 https://nvd.nist.gov/vuln/detail/CVE-2026-25486
fa273330807807d05b564d37c88654cd772839ee https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
GHSA-g92v-wpv7-6w22 https://github.com/advisories/GHSA-g92v-wpv7-6w22
GHSA-g92v-wpv7-6w22 https://github.com/craftcms/commerce/security/advisories/GHSA-g92v-wpv7-6w22
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N Found at https://github.com/craftcms/commerce
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N Found at https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:10:07Z/ Found at https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N Found at https://github.com/craftcms/commerce/releases/tag/5.5.2
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:10:07Z/ Found at https://github.com/craftcms/commerce/releases/tag/5.5.2
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N Found at https://github.com/craftcms/commerce/security/advisories/GHSA-g92v-wpv7-6w22
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:10:07Z/ Found at https://github.com/craftcms/commerce/security/advisories/GHSA-g92v-wpv7-6w22
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-25486
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.06983
EPSS Score 0.00024
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:41:36.882258+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/25xxx/CVE-2026-25486.json 38.6.0