Publish Advisories

GHSA-h9r9-2pxg-cx9m
GHSA-jg68-vhv3-9r8f
GHSA-rxrv-835q-v5mh

Author: advisory-database[bot]

advisories/github-reviewed/2026/02/GHSA-h9r9-2pxg-cx9m/GHSA-h9r9-2pxg-cx9m.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-h9r9-2pxg-cx9m",
-  "modified": "2026-02-02T23:04:00Z",
+  "modified": "2026-02-03T16:26:16Z",
   "published": "2026-02-02T23:04:00Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-25522"
+  ],
   "summary": "Craft Commerce has Stored XSS in Shipping Zone (Name & Description) Fields Leading to Potential Privilege Escalation",
   "details": "## Summary\nA stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Zone (Name & Description) fields in the **Store Management** section are not properly sanitized before being displayed in the admin panel.\n\n---\n## Proof of Concept\n\n### Requirments\n- General permissions:\n\t- Access the control panel\n\t- Access Craft Commerce\n- Craft Commerce permissions:\n\t- Manage store settings\n\t- Manage shipping\n- An active administrator elevated session\n\n### Steps to Reproduce\n\n1. Log in to the Admin Panel with the attacker account with the permissions mentioned above.\n2. Navigate to **Commerce** -> **Store Management** -> **Shipping Zones** (`/admin/commerce/store-management/primary/shippingzones`).\n3. Create a new shipping zone.\n4. In the **Name** field, enter the following payload:\n```html\n<img src=x onerror=\"alert(document.domain)\">\n```\n4. Click **Save** & Go back to the previous page.\n5. Notice the alert proving JavaScript execution.\n\n\n### Privilege Escalation to Administrator:\n1. Do the same steps above, but replace the payload with a malicious one.\n2. The following payload elevates the attacker’s account to Admin if there’s already an elevated session, replace the `<UserID>` with the attacker id:\n```html\n<img src=x onerror=\"fetch('/admin/users/<UserID>/permissions',{method:'POST',body:`CRAFT_CSRF_TOKEN=${Craft.csrfTokenValue}&userId=<UserID>&admin=1&action=users/save-permissions`,headers:{'content-type':'application/x-www-form-urlencoded'}})\">\n```\n3. In another browser, log in as an admin & go to the vulnerable page (shipping zones page).\n4. Go back to the attacker account & notice it is now an admin.\n\nThe privilege escalation requires an elevated session. In a real-world scenario, an attacker can automate the process by forcing a logout if the victim’s session is stale; upon re-authentication, the stored XSS payload executes within a fresh elevated session to complete the attack.\n\nOr even easier (and smarter), an attacker (using the XSS) can create a fake 'Session Expired' login modal overlay. Since it’s on the trusted domain, administrators will likely enter their credentials, sending them directly to the attacker.\n\n### Resources:\n\nhttps://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee",
   "severity": [

advisories/github-reviewed/2026/02/GHSA-jg68-vhv3-9r8f/GHSA-jg68-vhv3-9r8f.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-jg68-vhv3-9r8f",
-  "modified": "2026-02-02T23:12:57Z",
+  "modified": "2026-02-03T16:26:20Z",
   "published": "2026-02-02T23:12:57Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-25523"
+  ],
   "summary": "Magento's X-Original-Url header can expose admin url",
   "details": "### Impact\n\nThe admin url can be discovered without prior knowledge of its location by exploiting the X-Original-Url header on some configurations.\n\n### Patches\n\nThe bug comes from the Zend library.\n\n### Workarounds\n\nUnset the X-Original-Url header in the web server configuration.\n\n### Resources\n\nhttps://hackerone.com/bugs?subject=openmage&report_id=3416312\n\nUpon deeper investigation, it was initially not found, but then it was realized that the search excluded the vendor/ directory. This is coming from the Zend_Controller module. Here is another tip from 2016 - it is surprising that this was not somehow patched already!\n\nhttps://peterocallaghan.co.uk/2016/12/magento-poisoning-cache/ (dead link now..)\n\n### Credit\n\nAnees Hyder (anees0x_dev) on HackerOne\nhttps://hackerone.com/anees0x_dev/hacktivity?type=user",
   "severity": [

advisories/github-reviewed/2026/02/GHSA-rxrv-835q-v5mh/GHSA-rxrv-835q-v5mh.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-rxrv-835q-v5mh",
-  "modified": "2026-02-02T22:21:54Z",
+  "modified": "2026-02-03T16:26:13Z",
   "published": "2026-02-02T22:21:54Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-25521"
+  ],
   "summary": "locutus is vulnerable to Prototype Pollution",
   "details": "### Summary\nA Prototype Pollution vulnerability exists in the the npm package locutus (>2.0.12). Despite a previous fix that attempted to mitigate Prototype Pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue was fixed in version 2.0.39.\n\n### Details\nThe vulnerability resides in line 77 to 79 of https://github.com/locutusjs/locutus/blob/main/src/php/strings/parse_str.js where includes() function is used to check whether user provided input contain forbidden strings.\n\n### PoC\n\n#### Steps to reproduce\n1. Install latest version of locutus using npm install or cloning from git\n2. Run the following code snippet:\n\n```javascript\nString.prototype.includes = () => false;      \nconsole.log({}.polluted);\nconst locutus = require('locutus');\nlocutus.php.strings.parse_str('constructor[prototype][polluted]=yes');\nconsole.log({}.polluted);  // prints yes -> indicating that the patch was bypassed and Prototype Pollution occurred\n```\n\n#### Expected behavior\nPrototype Pollution should be prevented and {} should not gain new properties.\nThis should be printed on the console:\n```\nundefined\nundefined OR throw an Error\n```\n\n#### Actual behavior\nObject.prototype is polluted\nThis is printed on the console:\n```\nundefined \nyes\n```\n\n### Impact\nThis is a Prototype Pollution vulnerability, which can have severe security implications depending on how locutus is used by downstream applications. Any application that processes attacker-controlled input using this `locutus.php.strings.parse_str` may be affected. It could potentially lead to the following problems:\n1. Authentication bypass\n2. Denial of service\n3. Remote code execution (if polluted property is passed to sinks like eval or child_process)",
   "severity": [