CVE-2026-29173

Severity: Low (CVSS 4.0 base score 1.9) · EPSS: 23.5%
Published Mar 10, 2026 (3mo ago) · Modified Jun 17, 2026 (1w ago)

Description

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. This vulnerability is fixed in 4.10.2 and 5.5.3.

CVSS Details

Base Score: 1.9
Exploitability: (not stated)
Impact: (not stated)
Vector string:
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Passive (P)
Scope: Not Defined (X)

Threat Intelligence

EPSS Exploit Probability: 23.5% percentile
Exploit & Patch Status: Public Exploit Known; Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting (Improper Neutralization of Input During Web Page Generation)

Affected Products 2

Vendor     Product          Version   Range
craftcms   craft_commerce   *         >=4.0.0, <4.10.2
craftcms   craft_commerce   *         >=5.0.0, <5.5.3

References 3

  • github.com https://github.com/craftcms/commerce/commit/60cdc505c03b6fa2f59715e8c060114b66334afa
    Patch
  • github.com https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b
    Patch
  • github.com https://github.com/craftcms/commerce/security/advisories/GHSA-mqxf-2998-c6cp
    Exploit, Vendor Advisory

Remediation

  • github.com https://github.com/craftcms/commerce/commit/60cdc505c03b6fa2f59715e8c060114b66334afa
    Patch
  • github.com https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b
    Patch