{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-12T18:03:33.584","vulnerabilities":[{"cve":{"id":"CVE-2026-25487","sourceIdentifier":"security-advisories@github.com","published":"2026-02-03T19:16:26.360","lastModified":"2026-02-10T18:10:55.623","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2."},{"lang":"es","value":"Craft Commerce es una plataforma de comercio electrónico para Craft CMS. En las versiones desde la 4.0.0-RC1 hasta la 4.10.0 y desde la 5.0.0 hasta la 5.5.1, una vulnerabilidad de XSS almacenado en Craft Commerce permite a los atacantes ejecutar JavaScript malicioso en el navegador de un administrador. Esto ocurre porque el campo 'Name' de las Tasas de Impuestos en la sección de Gestión de la Tienda no se sanea correctamente antes de mostrarse en el panel de administración. Este problema ha sido parcheado en las versiones 4.10.1 y 5.5.2."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"PASSIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"HIGH","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N","baseScore":4.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.7,"impactScore":2.7}
]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*","versionStartIncluding":"4.0.1","versionEndExcluding":"4.10.1","matchCriteriaId":"6EFA9347-254D-4D9E-84B1-8C0FFCC377F9"},{"vulnerable":true,"criteria":"cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*","versionStartIncluding":"5.0.0","versionEndExcluding":"5.5.2","matchCriteriaId":"65ADAE4B-A19C-4FB1-AE39-8CF4AF57499B"},{"vulnerable":true,"criteria":"cpe:2.3:a:craftcms:craft_commerce:4.0.0:-:*:*:*:craft_cms:*:*","matchCriteriaId":"2B409639-1C00-4E9C-950E-77058C40A5F1"},{"vulnerable":true,"criteria":"cpe:2.3:a:craftcms:craft_commerce:4.0.0:rc1:*:*:*:craft_cms:*:*","matchCriteriaId":"E4B4BB43-0D60-4F6F-9F6F-1F7B3AF75EBA"}]}]}],"references":[{"url":"https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/craftcms/commerce/releases/tag/4.10.1","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/craftcms/commerce/releases/tag/5.5.2","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/craftcms/commerce/security/advisories/GHSA-wqc5-485v-3hqh","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}