Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-25487

created 2 months, 1 week ago

Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.

References

https://github.com/craftcms/commerce/security/advisories/GHSA-wqc5-485v-3hqh x_refsource_CONFIRM
https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee x_refsource_MISC
https://github.com/craftcms/commerce/releases/tag/4.10.1 x_refsource_MISC
https://github.com/craftcms/commerce/releases/tag/5.5.2 x_refsource_MISC
https://github.com/craftcms/commerce/security/advisories/GHSA-wqc5-485v-3hqh x_refsource_CONFIRM
https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee x_refsource_MISC
https://github.com/craftcms/commerce/releases/tag/4.10.1 x_refsource_MISC
https://github.com/craftcms/commerce/releases/tag/5.5.2 x_refsource_MISC

Affected products

commerce

==>= 5.0.0, < 5.5.2
==>= 4.0.0-RC1, < 4.10.1

Matching in nixpkgs

pkgs.python312Packages.azure-mgmt-commerce

This is the Microsoft Azure Commerce Management Client Library

nixos-unstable 6.0.0
nixos-25.11 6.0.0

pkgs.python313Packages.azure-mgmt-commerce

This is the Microsoft Azure Commerce Management Client Library

nixos-unstable 6.0.0
- nixpkgs-unstable 6.0.0
- nixos-unstable-small 6.0.0
nixos-25.11 6.0.0

pkgs.python314Packages.azure-mgmt-commerce

This is the Microsoft Azure Commerce Management Client Library

nixos-unstable -
- nixpkgs-unstable 6.0.0
- nixos-unstable-small 6.0.0

pkgs.python312Packages.mypy-boto3-marketplacecommerceanalytics

Type annotations for boto3 marketplacecommerceanalytics

nixos-unstable boto3-marketplacecommerceanalytics-1.40.0
nixos-25.11 boto3-marketplacecommerceanalytics-1.41.0

pkgs.python313Packages.mypy-boto3-marketplacecommerceanalytics

Type annotations for boto3 marketplacecommerceanalytics

nixos-unstable boto3-marketplacecommerceanalytics-1.40.0
- nixpkgs-unstable boto3-marketplacecommerceanalytics-1.42.3
- nixos-unstable-small boto3-marketplacecommerceanalytics-1.42.3
nixos-25.11 boto3-marketplacecommerceanalytics-1.41.0

pkgs.python314Packages.mypy-boto3-marketplacecommerceanalytics

Type annotations for boto3 marketplacecommerceanalytics

nixos-unstable -
- nixpkgs-unstable boto3-marketplacecommerceanalytics-1.42.3
- nixos-unstable-small boto3-marketplacecommerceanalytics-1.42.3

pkgs.python312Packages.types-aiobotocore-marketplacecommerceanalytics

Type annotations for aiobotocore marketplacecommerceanalytics

nixos-unstable 2.23.2
nixos-25.11 2.25.2

pkgs.python313Packages.types-aiobotocore-marketplacecommerceanalytics

Type annotations for aiobotocore marketplacecommerceanalytics

nixos-unstable 2.23.2
- nixpkgs-unstable 3.1.0
- nixos-unstable-small 3.1.0
nixos-25.11 2.25.2

Package maintainers

@mwilsoncoding Max Wilson <nixpkgs@maxwilson.dev>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@mbalatsko Maksym Balatsko <mbalatsko@gmail.com>