The module doesn't sufficiently sanitize customer comments in the order receipt email template; this could be exploited to achieve Cross-site Scripting (XSS).

This vulnerability is mitigated by the fact that it only affects installations with Checkout (commerce checkout) enabled, and the "Comments" checkout pane (id: customer comments) is explicitly used, which is disabled by default.