← voltar
CVE-2026-25487

Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation

CVSS 6.1 MEDIUMEPSS 0.3%CWE-79
Vexday Risk Score
13Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 6.1EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
03 fev 2026Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
Produtos afetados
craftcms · commerce

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839eehttps://github.com/craftcms/commerce/releases/tag/4.10.1https://github.com/craftcms/commerce/releases/tag/5.5.2https://github.com/craftcms/commerce/security/advisories/GHSA-wqc5-485v-3hqh