PT-2026-24640 · Packagist · Craftcms/Commerce
Published
2026-03-10
·
Updated
2026-03-10
CVSS v4.0
4.8
Medium
| Vector | AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
Summary
A stored XSS vulnerability exists in the Commerce Settings - Inventory Locations page. The Name field is rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript.
This XSS triggers when an administrator (or user with product editing permissions) creates or edits a variant product.
Proof of Concept
Permissions Required
-
General
- Access the control panel
- Access Craft Commerce
-
Craft Commerce
- Manage inventory locations
Steps to Reproduce
- Log in to the control panel
- Navigate to Commerce → Inventory Locations
- Create or edit a location
- Set Name to the following payload:
<img src=x onerror="alert('XSS')">- Save the location
- Navigate to Commerce → Products and click "New Product" and click "New product variant"
- The Inventory Location table loads, rendering the Inventory Location Name
- XSS executes
Impact
- Potential Session Hijacking
- Potential Database Exfiltration
- Potential Account Takeover by forcing a password change on the victim’s account.
- Potential Privilege escalation, or creating new admin users.
Mitigation
Sanitize the inventory location name field when rendering in the "Track Inventory" table.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Craftcms/Commerce