[MEDIUM] Craft Commerce has Stored XSS in Shipping Zone (Name & Description) Fields Leading to Potential Privilege Escalation

PKSA-y1rc-ctkn-mgyg CVE-2026-25522 GHSA-h9r9-2pxg-cx9m

Affected package: craftcms/commerce

Affected version: >=4.0.0-RC1,<=4.10.0|>=5.0.0-RC1,<=5.5.1

Reported by:
GitHub