CVE-2026-29177

Severity: Low (CVSS 4.0 base score 1.9) · EPSS: 11.4%
Published: Mar 10, 2026 · Last Modified: Jun 17, 2026

Description

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name. When a user opens the order details slideout via a double-click on the order index page, the injected payload executes. This vulnerability is fixed in 4.10.2 and 5.5.3.
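The description names three stored fields and one rendering path (the order details slideout). The block below is an added illustration and is not code from Craft Commerce, the advisory, or the fix commit: it models the slideout as a string-templating function, shows the vulnerable pattern (stored values interpolated straight into markup) beside the hardened one (escape every untrusted value at the point it is written into HTML), and adds two practitioner checks, a hunt over existing order records for markup in the three injectable fields and a version test against the affected ranges listed on this page. The order record, field names and the `renderSlideout*` functions are constructed stand-ins, not Craft's actual data model or templates.

```javascript
// Added illustrative example for CVE-2026-29177 (stored XSS in Craft Commerce
// order details). NOT Craft Commerce code: the order record, field names and
// render functions below are constructed stand-ins for the order slideout.

// Constructed order record. shippingMethodName carries a stored payload of
// the kind the advisory describes (an attacker-controlled field value).
const sampleOrder = {
  reference: 'ORD-1001',
  siteName: 'Main Store',
  shippingMethodName: 'Express<img src=x onerror=alert(document.cookie)>',
};

// Minimal HTML escaper, safe for text nodes and quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: stored strings are interpolated directly into markup,
// so opening the slideout executes whatever the attacker stored.
function renderSlideoutVulnerable(order) {
  return `<div class="order-details">
  <h2>Order ${order.reference}</h2>
  <dl>
    <dt>Site</dt><dd>${order.siteName}</dd>
    <dt>Shipping method</dt><dd>${order.shippingMethodName}</dd>
  </dl>
</div>`;
}

// Hardened pattern: every untrusted value is escaped where it enters HTML,
// so the stored payload is displayed as text instead of being executed.
function renderSlideoutSafe(order) {
  return `<div class="order-details">
  <h2>Order ${escapeHtml(order.reference)}</h2>
  <dl>
    <dt>Site</dt><dd>${escapeHtml(order.siteName)}</dd>
    <dt>Shipping method</dt><dd>${escapeHtml(order.shippingMethodName)}</dd>
  </dl>
</div>`;
}

// Hunt check (heuristic): flag orders whose injectable fields contain markup,
// an event-handler attribute or a javascript: URL. Output escaping stops the
// payload from running but does not delete values already stored.
const INJECTABLE_FIELDS = ['shippingMethodName', 'reference', 'siteName'];
const MARKUP_PATTERN = /<\s*\/?\s*[a-z!]|\bon[a-z]+\s*=|javascript:/i;

function findSuspiciousOrders(orders) {
  const hits = [];
  for (const order of orders) {
    for (const field of INJECTABLE_FIELDS) {
      const value = order[field];
      if (typeof value === 'string' && MARKUP_PATTERN.test(value)) {
        hits.push({ reference: order.reference, field, value });
      }
    }
  }
  return hits;
}

// Version check against the affected ranges on this page:
// >=4.0.0 <4.10.2 and >=5.0.0 <5.5.3 (fixed in 4.10.2 and 5.5.3).
const AFFECTED_RANGES = [
  { min: '4.0.0', fixed: '4.10.2' },
  { min: '5.0.0', fixed: '5.5.3' },
];

function parseVersion(v) {
  return v.replace(/^v/, '').split('.').map((n) => parseInt(n, 10) || 0);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isAffectedVersion(version) {
  return AFFECTED_RANGES.some(
    (r) => compareVersions(version, r.min) >= 0 && compareVersions(version, r.fixed) < 0,
  );
}

// Stand-alone demonstration.
console.log(renderSlideoutVulnerable(sampleOrder));
console.log(renderSlideoutSafe(sampleOrder));
console.log(findSuspiciousOrders([sampleOrder]));
console.log('5.5.2 affected:', isAffectedVersion('5.5.2'), '| 5.5.3 affected:', isAffectedVersion('5.5.3'));
```

The hunt regex is deliberately loose (it will also flag legitimate values that happen to contain a `<` or an `on…=` token), so treat its output as a review list rather than a verdict; the point is that an upgrade removes the rendering path, and a scan like this tells you whether anything was already planted in those fields.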

CVSS Details

Base Score: 1.9 (CVSS 4.0, Low)
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Attack Requirements: None (AT:N)
Privileges Required: Low (PR:L)
User Interaction: Active (UI:A), the victim must open the order details slideout
Vulnerable System Impact: Confidentiality None, Integrity Low, Availability None (VC:N/VI:L/VA:N)
Subsequent System Impact: None (SC:N/SI:N/SA:N)
Exploit Maturity: Proof-of-Concept (E:P)

CVSS 4.0 has no Scope metric; the subsequent-system metrics above replace it.

Threat Intelligence

EPSS exploit probability: 11.4%
Exploit status: public exploit known (the GHSA advisory under References is tagged Exploit)
Patch status: available

Weaknesses (1)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected Products (2)

Vendor     Product          Version range
craftcms   craft_commerce   >= 4.0.0, < 4.10.2
craftcms   craft_commerce   >= 5.0.0, < 5.5.3

References (2)

  • https://github.com/craftcms/commerce/commit/b0683e04773f16bba6af9df18aab495fc5dde68a (Patch)
  • https://github.com/craftcms/commerce/security/advisories/GHSA-mj32-r678-7mvp (Exploit, Vendor Advisory)

Remediation

Upgrade Craft Commerce to 4.10.2 (4.x line) or 5.5.3 (5.x line) or later. The fix commit is:

  • https://github.com/craftcms/commerce/commit/b0683e04773f16bba6af9df18aab495fc5dde68a (Patch)

Because this is a stored XSS, upgrading closes the rendering path but does not by itself reveal whether a payload was already saved; review existing orders for markup in the Shipping Method Name, Order Reference and Site Name fields, and restrict who can set those values to trusted control-panel users.