[MEDIUM] Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation

PKSA-xfj6-h72k-yknr CVE-2026-25489 GHSA-v585-mf6r-rqrc

Affected package: craftcms/commerce

Affected version: >=4.0.0-RC1,<=4.10.0|>=5.0.0-RC1,<=5.5.1

Reported by:
GitHub