Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestions search

All statuses
Filter by:
With package: python312Packages.azure-mgmt-commerce

Found 19 matching suggestions

View:
Compact
Detailed
Untriaged
Permalink CVE-2026-25485
created 2 months, 1 week ago
Craft Commerce has Stored XSS in Shipping Categories (Name & Description) Fields Leading to Potential Privilege Escalation

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.

Affected products

commerce
  • ==>= 5.0.0, < 5.5.2
  • ==>= 4.0.0-RC1, < 4.10.1

Matching in nixpkgs

Package maintainers

Untriaged
Permalink CVE-2026-25484
created 2 months, 1 week ago
Craft Commerce has Stored XSS in Product Type Name

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings. The vulnerable input (source) is in Commerce (Product Type settings), but the sink is in CMS user permissions settings. This issue has been patched in versions 4.10.1 and 5.5.2.

Affected products

commerce
  • ==>= 4.0.0-RC1, < 4.10.1
  • ==>= 5.0.0, < 5.5.2

Matching in nixpkgs

Package maintainers

Untriaged
Permalink CVE-2026-25489
created 2 months, 1 week ago
Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.

Affected products

commerce
  • ==>= 5.0.0, < 5.5.2
  • ==>= 4.0.0-RC1, < 4.10.1

Matching in nixpkgs

Package maintainers

Untriaged
Permalink CVE-2026-25522
created 2 months, 1 week ago
Craft Commerce has Stored XSS in Shipping Zone (Name & Description) Fields Leading to Potential Privilege Escalation

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Zone (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.

Affected products

commerce
  • ==>= 5.0.0, < 5.5.2
  • ==>= 4.0.0-RC1, < 4.10.1

Matching in nixpkgs

Package maintainers

Untriaged
Permalink CVE-2026-25486
created 2 months, 1 week ago
Craft Commerce has Stored XSS in Shipping Methods Name Field Leading to Potential Privilege Escalation

Craft Commerce is an ecommerce platform for Craft CMS. From version 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Methods Name field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in version 5.5.2.

Affected products

commerce
  • ==>= 5.0.0, < 5.5.2

Matching in nixpkgs

Package maintainers

Untriaged
Permalink CVE-2026-25488
created 2 months, 1 week ago
Craft Commerce has Stored XSS in Tax Categories (Name & Description) Fields Leading to Potential Privilege Escalation

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Tax Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.

Affected products

commerce
  • ==>= 5.0.0, < 5.5.2
  • ==>= 4.0.0-RC1, < 4.10.1

Matching in nixpkgs

Package maintainers

Untriaged
Permalink CVE-2026-25482
created 2 months, 1 week ago
Craft Commerce has Stored DOM XSS in Order Status Name (Reflects in "Recent Orders" Dashboard Widget)

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard. This issue has been patched in versions 4.10.1 and 5.5.2.

Affected products

commerce
  • ==>= 5.0.0, < 5.5.2
  • ==>= 4.0.0-RC1, < 4.10.1

Matching in nixpkgs

Package maintainers

Untriaged
Permalink CVE-2026-25487
created 2 months, 1 week ago
Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.

Affected products

commerce
  • ==>= 5.0.0, < 5.5.2
  • ==>= 4.0.0-RC1, < 4.10.1

Matching in nixpkgs

Package maintainers

Untriaged
Permalink CVE-2026-25483
created 2 months, 1 week ago
Craft Commerce has Stored XSS via Order Status Message with potential database exfiltration

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes. This issue has been patched in versions 4.10.1 and 5.5.2.

Affected products

commerce
  • ==>= 5.0.0, < 5.5.2
  • ==>= 4.0.0-RC1, < 4.10.1

Matching in nixpkgs

Package maintainers