Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🐘 Packagist

GHSA-h9r9-2pxg-cx9m

Craft Commerce has Stored XSS in Shipping Zone (Name & Description) Fields Leading to Potential Privilege Escalation

Also known asCVE-2026-25522
Published
Feb 2, 2026
Updated
Feb 22, 2026
Affected
2 pkgs
Patched
2 / 2
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
0.3%probability of exploitation in next 30 days
Lower Risk17th percentile+0.23%
0.00%0.25%0.51%0.76%0.0%0.0%0.0%0.0%0.3%Mar 26May 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

2 pkgs affected
🐘craftcms/commerce🐘craftcms/commerce

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.

Description

Summary

A stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Zone (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel.

Proof of Concept

Requirments

  • General permissions:
    • Access the control panel
    • Access Craft Commerce
  • Craft Commerce permissions:
    • Manage store settings
    • Manage shipping
  • An active administrator elevated session

Steps to Reproduce

  1. Log in to the Admin Panel with the attacker account with the permissions mentioned above.
  2. Navigate to Commerce -> Store Management -> Shipping Zones (/admin/commerce/store-management/primary/shippingzones).
  3. Create a new shipping zone.
  4. In the Name field, enter the following payload:
<img src=x onerror="alert(document.domain)">
  1. Click Save & Go back to the previous page.
  2. Notice the alert proving JavaScript execution.

Privilege Escalation to Administrator:

  1. Do the same steps above, but replace the payload with a malicious one.
  2. The following payload elevates the attacker’s account to Admin if there’s already an elevated session, replace the <UserID> with the attacker id:
<img src=x onerror="fetch('/admin/users/<UserID>/permissions',{method:'POST',body:`CRAFT_CSRF_TOKEN=${Craft.csrfTokenValue}&userId=<UserID>&admin=1&action=users/save-permissions`,headers:{'content-type':'application/x-www-form-urlencoded'}})">
  1. In another browser, log in as an admin & go to the vulnerable page (shipping zones page).
  2. Go back to the attacker account & notice it is now an admin.

The privilege escalation requires an elevated session. In a real-world scenario, an attacker can automate the process by forcing a logout if the victim’s session is stale; upon re-authentication, the stored XSS payload executes within a fresh elevated session to complete the attack.

Or even easier (and smarter), an attacker (using the XSS) can create a fake 'Session Expired' login modal overlay. Since it’s on the trusted domain, administrators will likely enter their credentials, sending them directly to the attacker.

Resources:

https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee

Affected Packages

2 total 2 fixed
EcosystemPackageVulnerable rangeFix
🐘Packagistcraftcms/commerce5.0.0-RC1&&< 5.5.25.5.2
🐘Packagistcraftcms/commerce4.0.0-RC1&&< 4.10.14.10.1

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for craftcms/commerce. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update craftcms/commerce to 5.5.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-h9r9-2pxg-cx9m is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-h9r9-2pxg-cx9m is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-h9r9-2pxg-cx9m. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

## Summary A stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Zone (Name & Description) fields in the **Store Management** section are not properly sanitized before being displayed in the admin panel. --- ## Proof of Concept ### Requirments - General permissions: - Access the control panel - Access Craft Commerce - Craft Commerce permissions: - Manage store settings - Manage shipping - An active administrator elevated session ### Steps to Reproduce 1. Log in to the Admin Panel wit
O3 Security · Impact-Aware SCA

Is GHSA-h9r9-2pxg-cx9m in your dependencies?

O3 detects GHSA-h9r9-2pxg-cx9m across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works