[MEDIUM] Craft Commerce has Stored XSS in Shipping Zone (Name & Description) Fields Leading to Potential Privilege Escalation

PKSA-y1rc-ctkn-mgyg GHSA-h9r9-2pxg-cx9m

Affected version: >=4.0.0-RC1,<=4.10.0|>=5.0.0-RC1,<=5.5.1

Reported by:
GitHub

[MEDIUM] Craft Commerce has Stored XSS in Inventory Location Address Leading to Potential Privilege Escalation

PKSA-nrcm-7whq-x868 CVE-2026-25490 GHSA-wq2m-r96q-crrf

Affected version: >=4.0.0-RC1,<=4.10.0|>=5.0.0-RC1,<=5.5.1

Reported by:
GitHub

[MEDIUM] Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation

PKSA-xfj6-h72k-yknr CVE-2026-25489 GHSA-v585-mf6r-rqrc

Affected version: >=4.0.0-RC1,<=4.10.0|>=5.0.0-RC1,<=5.5.1

Reported by:
GitHub

[MEDIUM] Craft Commerce has Stored XSS in Tax Categories (Name & Description) Fields Leading to Potential Privilege Escalation

PKSA-gnb2-rr3g-hcdr CVE-2026-25488 GHSA-p6w8-q63m-72c8

Affected version: >=4.0.0-RC1,<=4.10.0|>=5.0.0-RC1,<=5.5.1

Reported by:
GitHub

[MEDIUM] Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation

PKSA-twkq-s65v-3zph CVE-2026-25487 GHSA-wqc5-485v-3hqh

Affected version: >=4.0.0-RC1,<=4.10.0|>=5.0.0-RC1,<=5.5.1

Reported by:
GitHub

[MEDIUM] Craft Commerce has Stored XSS in Product Type Name

PKSA-tjsq-jr27-yxgb CVE-2026-25484 GHSA-2h2m-v2mg-656c

Affected version: >=4.0.0-RC1,<=4.10.0|>=5.0.0,<=5.5.1

Reported by:
GitHub

[MEDIUM] Craft Commerce has Stored XSS via Order Status Message with potential database exfiltration

PKSA-6px2-ht8s-n19h CVE-2026-25483 GHSA-8478-rmjg-mjj5

Affected version: >=4.0.0-RC1,<=4.10.0|>=5.0.0,<=5.5.1

Reported by:
GitHub

[MEDIUM] Craft Commerce has Stored DOM XSS in Order Status Name (Reflects in "Recent Orders" Dashboard Widget)

PKSA-m4r9-k8fn-t8bm CVE-2026-25482 GHSA-frj9-9rwc-pw9j

Affected version: >=4.0.0-RC1,<=4.10.0|>=5.0.0,<=5.5.1

Reported by:
GitHub