CVE-2026-29173

4.8 MEDIUM
Published: March 10, 2026 Modified: March 11, 2026
View on NVD

Description

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. This vulnerability is fixed in 4.10.2 and 5.5.3.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/craftcms/commerce/commit/60cdc505c03b6fa2f59715e8c060114b66334afa
Source: security-advisories@github.com
Patch
https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b
Source: security-advisories@github.com
Patch
https://github.com/craftcms/commerce/security/advisories/GHSA-mqxf-2998-c6cp
Source: security-advisories@github.com
Exploit Vendor Advisory

3 reference(s) from NVD

Quick Stats

CVSS v3 Score
4.8 / 10.0
EPSS (Exploit Probability)
0.0%
1th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-79

Affected Vendors

craftcms

Related CVEs

CVE-2026-4508 7.3
CVE-2026-3864 6.5
CVE-2026-33476 7.5
CVE-2026-33423 N/A
CVE-2026-33422 3.5