PT-2026-24417 · Pixel & Tonic · Craft Commerce
Mhe4Am · Published 2026-03-10 · Updated 2026-03-10 · CVE-2026-29175 · CVSS v4.0 8.6 (High)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Craft Commerce versions prior to 5.5.3
Description
Craft Commerce, an ecommerce platform for Craft CMS, contains a stored cross-site scripting issue in the Commerce Inventory page. The Product Title, Variant Title, and Variant SKU fields are rendered without proper HTML escaping, which allows an attacker to execute arbitrary JavaScript in the browser of any user who views the inventory management page. This affects all users, including administrators.
Recommendations
Update to version 5.5.3 or later.
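The following PHP is an added illustration, not code from Craft Commerce or the advisory: it contrasts an inventory-row renderer that interpolates the three affected fields raw (the defect described above) with one that HTML-encodes them before they reach the markup. The variant data is constructed sample input.

```php
<?php
// Added example, not Craft Commerce code. Constructed inventory rows whose
// text fields carry markup, as a stored title or SKU might.
$variants = [
    ['productTitle' => 'Plain Tee', 'variantTitle' => 'Large', 'sku' => 'TEE-L'],
    ['productTitle' => 'Tee <b>Sale</b>', 'variantTitle' => '"Large"',
     'sku' => 'TEE-<script>alert(1)</script>'],
];

// Vulnerable pattern: stored values dropped straight into the HTML.
function renderRowUnsafe(array $v): string
{
    return "<tr><td>{$v['productTitle']}</td><td>{$v['variantTitle']}</td>"
         . "<td>{$v['sku']}</td></tr>";
}

// Hardened pattern: every user-controlled value is HTML-encoded first.
// ENT_QUOTES also encodes ' and ", so the value is safe inside attribute
// values as well as element text; ENT_SUBSTITUTE avoids an empty string on
// invalid UTF-8, which would otherwise silently blank the cell.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderRowSafe(array $v): string
{
    return '<tr><td>' . e($v['productTitle']) . '</td><td>' . e($v['variantTitle'])
         . '</td><td>' . e($v['sku']) . '</td></tr>';
}

// Regression check: a raw tag from the input must not survive in the output.
function containsRawTag(string $html, string $tag): bool
{
    return strpos($html, $tag) !== false;
}

foreach ($variants as $v) {
    $unsafe = renderRowUnsafe($v);
    $safe   = renderRowSafe($v);
    printf("unsafe: %s\n", $unsafe);
    printf("safe:   %s\n", $safe);
    printf("raw <script> present: unsafe=%s safe=%s\n\n",
        containsRawTag($unsafe, '<script>') ? 'yes' : 'no',
        containsRawTag($safe, '<script>') ? 'yes' : 'no');
}
```

The same check is worth running against any template that renders these fields, since a single unescaped interpolation is enough to reintroduce the issue.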
Exploit
Fix
XSS
Affected Products
Craft Commerce