CVE-2026-29177

EUVD-2026-10823

10.03.2026, 20:16

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name. When a user opens the order details slideout via a double-click on the order index page, the injected payload executes. This vulnerability is fixed in 4.10.2 and 5.5.3.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.4 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
craftcms	craft_commerce	4.0.0 ≤ 𝑥 < 4.10.2
craftcms	craft_commerce	5.0.0 ≤ 𝑥 < 5.5.3

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/craftcms/commerce/security/advisories/GHSA-mj32-r678-7mvp

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://github.com/craftcms/commerce/commit/b0683e04773f16bba6af9df18aab495fc5dde68a

https://github.com/craftcms/commerce/security/advisories/GHSA-mj32-r678-7mvp