VYPR
Low severity · NVD Advisory · Published Mar 10, 2026 · Updated Mar 10, 2026

Craft Commerce has Stored XSS while updating Order Status from Orders Table

CVE-2026-29173

Description

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. This vulnerability is fixed in 4.10.2 and 5.5.3.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| craftcms/commerce (Packagist) | >= 4.0.0, < 4.10.2 | 4.10.2 |
| craftcms/commerce (Packagist) | >= 5.0.0, < 5.5.3 | 5.5.3 |
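
A check a defender can run against a deployment, added here as an example (not code from Craft Commerce or from this advisory): it reads a `composer.lock` and flags any `craftcms/commerce` version inside the affected ranges listed above. The function names and the sample lock content are constructed for illustration, and it assumes the installed version is the one recorded in `composer.lock`.

```python
import json
import re

PACKAGE = "craftcms/commerce"
# Affected ranges from the advisory: (first affected, first patched) per release line.
AFFECTED = [((4, 0, 0), (4, 10, 2)), ((5, 0, 0), (5, 5, 3))]

# Constructed sample input, trimmed to the composer.lock fields this check reads.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.6.0"},
        {"name": "craftcms/commerce", "version": "5.5.2"},
    ],
    "packages-dev": [],
})


def classify(version):
    """Return 'affected', 'not_listed' or 'unknown' for one version string."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:\.\d+)*", version.strip())
    if not m:
        # dev branches and pre-releases (e.g. 5.5.3-beta.1) need a manual look
        return "unknown"
    v = tuple(int(part) for part in m.groups())  # numeric compare: 4.10.10 > 4.10.2
    if any(low <= v < fixed for low, fixed in AFFECTED):
        return "affected"
    return "not_listed"  # patched, or outside the ranges the advisory lists


def check_lock(lock_text):
    """Return [(version, verdict)] for each craftcms/commerce entry in composer.lock."""
    lock = json.loads(lock_text)
    found = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() == PACKAGE:
                version = pkg.get("version", "")
                found.append((version, classify(version)))
    return found


if __name__ == "__main__":
    for version, verdict in check_lock(SAMPLE_LOCK):
        print(f"{PACKAGE} {version}: {verdict}")
```

An `unknown` verdict means the version string is a branch alias or pre-release and should be compared against the patched versions by hand.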
