[MEDIUM] Craft Commerce has Stored DOM XSS in Order Status Name (Reflects in "Recent Orders" Dashboard Widget)

PKSA-m4r9-k8fn-t8bm CVE-2026-25482 GHSA-frj9-9rwc-pw9j

Affected package: craftcms/commerce

Affected version: >=4.0.0-RC1,<=4.10.0|>=5.0.0,<=5.5.1

Reported by:
GitHub