Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-25484

created 2 months, 1 week ago

Craft Commerce has Stored XSS in Product Type Name

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings. The vulnerable input (source) is in Commerce (Product Type settings), but the sink is in CMS user permissions settings. This issue has been patched in versions 4.10.1 and 5.5.2.

References

https://github.com/craftcms/commerce/security/advisories/GHSA-2h2m-v2mg-656c x_refsource_CONFIRM
https://github.com/craftcms/commerce/commit/7e1dedf06038c8e70dce0187b7048d4ab8ffb75c x_refsource_MISC
https://github.com/craftcms/commerce/releases/tag/4.10.1 x_refsource_MISC
https://github.com/craftcms/commerce/releases/tag/5.5.2 x_refsource_MISC
https://github.com/craftcms/commerce/security/advisories/GHSA-2h2m-v2mg-656c x_refsource_CONFIRM
https://github.com/craftcms/commerce/commit/7e1dedf06038c8e70dce0187b7048d4ab8ffb75c x_refsource_MISC
https://github.com/craftcms/commerce/releases/tag/4.10.1 x_refsource_MISC
https://github.com/craftcms/commerce/releases/tag/5.5.2 x_refsource_MISC

Affected products

commerce

==>= 4.0.0-RC1, < 4.10.1
==>= 5.0.0, < 5.5.2

Matching in nixpkgs

pkgs.python312Packages.azure-mgmt-commerce

This is the Microsoft Azure Commerce Management Client Library

nixos-unstable 6.0.0
nixos-25.11 6.0.0

pkgs.python313Packages.azure-mgmt-commerce

This is the Microsoft Azure Commerce Management Client Library

nixos-unstable 6.0.0
- nixpkgs-unstable 6.0.0
- nixos-unstable-small 6.0.0
nixos-25.11 6.0.0

pkgs.python314Packages.azure-mgmt-commerce

This is the Microsoft Azure Commerce Management Client Library

nixos-unstable -
- nixpkgs-unstable 6.0.0
- nixos-unstable-small 6.0.0

pkgs.python312Packages.mypy-boto3-marketplacecommerceanalytics

Type annotations for boto3 marketplacecommerceanalytics

nixos-unstable boto3-marketplacecommerceanalytics-1.40.0
nixos-25.11 boto3-marketplacecommerceanalytics-1.41.0

pkgs.python313Packages.mypy-boto3-marketplacecommerceanalytics

Type annotations for boto3 marketplacecommerceanalytics

nixos-unstable boto3-marketplacecommerceanalytics-1.40.0
- nixpkgs-unstable boto3-marketplacecommerceanalytics-1.42.3
- nixos-unstable-small boto3-marketplacecommerceanalytics-1.42.3
nixos-25.11 boto3-marketplacecommerceanalytics-1.41.0

pkgs.python314Packages.mypy-boto3-marketplacecommerceanalytics

Type annotations for boto3 marketplacecommerceanalytics

nixos-unstable -
- nixpkgs-unstable boto3-marketplacecommerceanalytics-1.42.3
- nixos-unstable-small boto3-marketplacecommerceanalytics-1.42.3

pkgs.python312Packages.types-aiobotocore-marketplacecommerceanalytics

Type annotations for aiobotocore marketplacecommerceanalytics

nixos-unstable 2.23.2
nixos-25.11 2.25.2

pkgs.python313Packages.types-aiobotocore-marketplacecommerceanalytics

Type annotations for aiobotocore marketplacecommerceanalytics

nixos-unstable 2.23.2
- nixpkgs-unstable 3.1.0
- nixos-unstable-small 3.1.0
nixos-25.11 2.25.2

Package maintainers

@mwilsoncoding Max Wilson <nixpkgs@maxwilson.dev>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@mbalatsko Maksym Balatsko <mbalatsko@gmail.com>