Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-25483

created 2 months, 1 week ago

Craft Commerce has Stored XSS via Order Status Message with potential database exfiltration

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes. This issue has been patched in versions 4.10.1 and 5.5.2.

References

https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5 x_refsource_CONFIRM
https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c x_refsource_MISC
https://github.com/craftcms/commerce/releases/tag/4.10.1 x_refsource_MISC
https://github.com/craftcms/commerce/releases/tag/5.5.2 x_refsource_MISC
https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5 x_refsource_CONFIRM
https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c x_refsource_MISC
https://github.com/craftcms/commerce/releases/tag/4.10.1 x_refsource_MISC
https://github.com/craftcms/commerce/releases/tag/5.5.2 x_refsource_MISC

Affected products

commerce

==>= 5.0.0, < 5.5.2
==>= 4.0.0-RC1, < 4.10.1

Matching in nixpkgs

pkgs.python312Packages.azure-mgmt-commerce

This is the Microsoft Azure Commerce Management Client Library

nixos-unstable 6.0.0
nixos-25.11 6.0.0

pkgs.python313Packages.azure-mgmt-commerce

This is the Microsoft Azure Commerce Management Client Library

nixos-unstable 6.0.0
- nixpkgs-unstable 6.0.0
- nixos-unstable-small 6.0.0
nixos-25.11 6.0.0

pkgs.python314Packages.azure-mgmt-commerce

This is the Microsoft Azure Commerce Management Client Library

nixos-unstable -
- nixpkgs-unstable 6.0.0
- nixos-unstable-small 6.0.0

pkgs.python312Packages.mypy-boto3-marketplacecommerceanalytics

Type annotations for boto3 marketplacecommerceanalytics

nixos-unstable boto3-marketplacecommerceanalytics-1.40.0
nixos-25.11 boto3-marketplacecommerceanalytics-1.41.0

pkgs.python313Packages.mypy-boto3-marketplacecommerceanalytics

Type annotations for boto3 marketplacecommerceanalytics

nixos-unstable boto3-marketplacecommerceanalytics-1.40.0
- nixpkgs-unstable boto3-marketplacecommerceanalytics-1.42.3
- nixos-unstable-small boto3-marketplacecommerceanalytics-1.42.3
nixos-25.11 boto3-marketplacecommerceanalytics-1.41.0

pkgs.python314Packages.mypy-boto3-marketplacecommerceanalytics

Type annotations for boto3 marketplacecommerceanalytics

nixos-unstable -
- nixpkgs-unstable boto3-marketplacecommerceanalytics-1.42.3
- nixos-unstable-small boto3-marketplacecommerceanalytics-1.42.3

pkgs.python312Packages.types-aiobotocore-marketplacecommerceanalytics

Type annotations for aiobotocore marketplacecommerceanalytics

nixos-unstable 2.23.2
nixos-25.11 2.25.2

pkgs.python313Packages.types-aiobotocore-marketplacecommerceanalytics

Type annotations for aiobotocore marketplacecommerceanalytics

nixos-unstable 2.23.2
- nixpkgs-unstable 3.1.0
- nixos-unstable-small 3.1.0
nixos-25.11 2.25.2

Package maintainers

@mwilsoncoding Max Wilson <nixpkgs@maxwilson.dev>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@mbalatsko Maksym Balatsko <mbalatsko@gmail.com>