craftcms/commerce Security Advisories for 5.0.0-beta.2 (3)
- [MEDIUM] Craft Commerce has Stored XSS in Product Type Name
  PKSA-tjsq-jr27-yxgb CVE-2026-25484 GHSA-2h2m-v2mg-656c
  Affected version: >=4.0.0-RC1,<=4.10.0|>=5.0.0,<=5.5.1
  Reported by: GitHub
- [MEDIUM] Craft Commerce has Stored XSS via Order Status Message with potential database exfiltration
  PKSA-6px2-ht8s-n19h CVE-2026-25483 GHSA-8478-rmjg-mjj5
  Affected version: >=4.0.0-RC1,<=4.10.0|>=5.0.0,<=5.5.1
  Reported by: GitHub
- [MEDIUM] Craft Commerce has Stored DOM XSS in Order Status Name (Reflects in "Recent Orders" Dashboard Widget)
  PKSA-m4r9-k8fn-t8bm CVE-2026-25482 GHSA-frj9-9rwc-pw9j
  Affected version: >=4.0.0-RC1,<=4.10.0|>=5.0.0,<=5.5.1
  Reported by: GitHub