CNNVD-202602-282 Information

CNNVD ID

CNNVD-202602-282

Related CVE

CVE-2026-25486

• CNNVD Published: 2026-02-03

Description (Chinese)

Craft Commerce是Craft CMS开源的一个电子商务平台。 Craft Commerce 5.0.0版本至5.5.1版本存在跨站脚本漏洞，该漏洞源于商店管理部分的运输方法名称字段在管理面板显示前未正确清理，可能导致存储型跨站脚本攻击。

Description (English)

Craft Commerce is an open-source e-commerce platform for Craft CMS. There is a cross-site script loophole in Craft Company versions 5.0.0 to 5.5.1, which arises from the fact that the name fields of the method of transport in the store management section were not properly cleaned up before the management panel was displayed, which could result in a storage-type cross-site script attack.

Hazard Level

High

Vulnerability Type

跨站脚本

Affected Vendor

Craft CMS

Published

2026-02-03

Last Modified

2026-02-24

References

https://github.com/craftcms/commerce/security/advisories/GHSA-g92v-wpv7-6w22 https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee https://github.com/craftcms/commerce/releases/tag/5.5.2 https://access.redhat.com/security/cve/cve-2026-25486

Patch

https://github.com/craftcms/commerce/releases