PT-2026-24418 · Pixel & Tonic · Craft Commerce
Mhe4Am
Published: 2026-03-10 · Updated: 2026-03-10
CVE-2026-29176
CVSS v4.0: 4.8 (Medium), vector AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Craft Commerce versions prior to 5.5.3
Description
Craft Commerce, an ecommerce platform for Craft CMS, contains a stored cross-site scripting (XSS) vulnerability. The Name field on the Commerce Settings - Inventory Locations page is not sanitized before it is displayed, so a user who can create or edit an inventory location can store arbitrary HTML and JavaScript in its name. The payload persists with the location and executes in the browser of an administrator, or of any user with product editing permissions, when that user creates or edits a variant product, because the location name is rendered on that page. The vector reflects this: the attacker needs privileges to edit inventory locations (PR:L) and a victim who opens the variant editor (UI:A).
Recommendations
Update to version 5.5.3 or later.
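The following is an added illustration of the escaping gap described above, not code from Craft Commerce or from Pixel & Tonic. The row layout, the helper names and the sample inventory locations are assumptions constructed for the example; the hardened renderer shows the HTML encoding the fix has to apply, and the triage helper flags stored names that already carry markup so an operator can check for planted payloads after updating to 5.5.3.

```javascript
// Added example, not Craft Commerce code. Row layout, helper names and the
// sample data below are constructed assumptions for illustration only.

// Encode the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored location name is concatenated straight into
// the markup of the variant editor, so a name such as
// <img src=x onerror=alert(1)> becomes live HTML when an editor opens a variant.
function renderLocationRowUnsafe(location) {
  return `<tr><td>${location.name}</td><td>${location.stock}</td></tr>`;
}

// Hardened pattern: encode the name for the HTML context it is rendered in,
// and coerce the numeric column so it cannot carry markup either.
function renderLocationRowSafe(location) {
  return `<tr><td>${escapeHtml(location.name)}</td><td>${Number(location.stock)}</td></tr>`;
}

// Triage helper: return the ids of stored inventory locations whose name
// contains a tag, an inline event handler or a javascript: URL. A match is a
// reason to inspect the record, not proof of compromise on its own.
const MARKUP = /<[a-z!/]|on\w+\s*=|javascript:/i;
function findSuspiciousLocationNames(locations) {
  return locations.filter((l) => MARKUP.test(l.name)).map((l) => l.id);
}

// Constructed sample data standing in for exported Inventory Locations.
const sampleLocations = [
  { id: 1, name: "Warehouse A", stock: 12 },
  { id: 2, name: "Ausgang & Retouren", stock: 3 }, // ampersand, harmless
  { id: 3, name: '<img src=x onerror="alert(document.cookie)">', stock: 0 },
];

// Stand-alone run: show both renderings and the triage result.
for (const loc of sampleLocations) {
  console.log("unsafe:", renderLocationRowUnsafe(loc));
  console.log("safe:  ", renderLocationRowSafe(loc));
}
console.log("suspicious ids:", findSuspiciousLocationNames(sampleLocations));
```

Note that the ampersand in the second location is encoded by the safe renderer but is not flagged by the triage helper; encoding is applied unconditionally at output time, whereas the triage regex is deliberately narrow to keep the list of records to inspect short.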
Tags: Exploit, Fix, XSS
Affected Products
Craft Commerce