PT-2026-24419 · Pixel & Tonic · Craft Commerce
Mhe4Am · Published 2026-03-10 · Updated 2026-03-10 · CVE-2026-29177
| CVSS v3.1 | 5.4 (Medium) |
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Craft Commerce 4.x versions prior to 4.10.2
Craft Commerce 5.x versions prior to 5.5.3
Description
Craft Commerce, an ecommerce platform for Craft CMS, contains a stored cross-site scripting (XSS) vulnerability in the order details slideout. The Shipping Method Name, Order Reference and Site Name values are rendered into the slideout without being escaped, so an authenticated attacker with the privileges needed to set any of these values (CVSS: PR:L) can store JavaScript in them. The payload executes in the browser of any control panel user who later opens the order details slideout by double-clicking an order on the order index page (CVSS: UI:R), in that user's authenticated session.
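The pattern behind this class of bug, as an added example that is not Craft Commerce's code and not the vendor's fix: a slideout renderer that concatenates the three stored fields named above straight into markup, beside a hardened version that HTML-escapes each field at the point of insertion, plus a check that tells the two outputs apart and a small audit helper for values already in the database. The order object, payload, function names and the allowed tag list are all constructed for this illustration.

```javascript
// Added example, not Craft Commerce code. Field names mirror the three
// injection points in the advisory; everything else is constructed here.

// Constructed sample order. The shipping method name carries an XSS payload
// of the kind a low-privileged user could store in that field.
const SAMPLE_ORDER = {
  reference: "ORD-1001",
  siteName: "Default Site",
  shippingMethodName: '<img src=x onerror="alert(document.cookie)">',
};

// Vulnerable style: stored values are concatenated directly into the markup,
// so any tags they contain are parsed as HTML when the slideout is opened.
function renderSlideoutVulnerable(order) {
  return (
    '<div class="order-details">' +
    `<h2>Order ${order.reference}</h2>` +
    `<p>Site: ${order.siteName}</p>` +
    `<p>Shipping: ${order.shippingMethodName}</p>` +
    "</div>"
  );
}

// Minimal HTML escaper for text and double- or single-quoted attribute
// contexts. Ampersand is replaced first so existing entities are not double
// escaped in the wrong order.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened style: every stored field is escaped where it enters the markup.
function renderSlideoutHardened(order) {
  return (
    '<div class="order-details">' +
    `<h2>Order ${escapeHtml(order.reference)}</h2>` +
    `<p>Site: ${escapeHtml(order.siteName)}</p>` +
    `<p>Shipping: ${escapeHtml(order.shippingMethodName)}</p>` +
    "</div>"
  );
}

// Check on rendered markup: the template only emits div, h2 and p, so any
// other tag name, or an on* event attribute on any tag, means stored data was
// interpreted as markup rather than text.
function containsInjectedMarkup(html) {
  const tagPattern = /<\/?([a-z][a-z0-9]*)\b[^>]*>/gi;
  const allowed = new Set(["div", "h2", "p"]);
  let m;
  while ((m = tagPattern.exec(html)) !== null) {
    if (!allowed.has(m[1].toLowerCase())) return true;
    if (/\son[a-z]+\s*=/i.test(m[0])) return true;
  }
  return false;
}

// Audit helper for data already stored before the upgrade: returns the names
// of fields whose values contain HTML metacharacters and deserve a look.
// `records` is a constructed list of { field, value } pairs.
function findSuspiciousValues(records) {
  return records
    .filter((r) => /[<>"']/.test(String(r.value)))
    .map((r) => r.field);
}

console.log("vulnerable :", renderSlideoutVulnerable(SAMPLE_ORDER));
console.log("hardened   :", renderSlideoutHardened(SAMPLE_ORDER));
console.log(
  "injected markup in vulnerable output:",
  containsInjectedMarkup(renderSlideoutVulnerable(SAMPLE_ORDER))
);
```

Escaping at the output point is the general fix; the same payload stored in Order Reference or Site Name is neutralised by the same change, which is why the advisory lists one fixed version per branch rather than one per field.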
Recommendations
Craft Commerce 4.x: update to version 4.10.2 or later.
Craft Commerce 5.x: update to version 5.5.3 or later.
Exploit · Fix · XSS
Related Identifiers
CVE-2026-29177
Affected Products
Craft Commerce