CVE-2026-29173

LOW SEVERITY

CVSS Score & Metrics

Base Score: 4.8 / 10
Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Vulnerability Description

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. This vulnerability is fixed in 4.10.2 and 5.5.3.

Vulnerability Details

Published Date
Last Modified
CWE ID: CWE-79
Source: GitHub
Vendor: composer
Product: craftcms/commerce
