VYPR
Low severity · NVD Advisory · Published Mar 10, 2026 · Updated Mar 10, 2026

Craft Commerce has Stored XSS while updating Order Status from Orders Table

CVE-2026-29173

Description

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user updates the Order Status from the Commerce Orders Table: the Order Status Name is rendered without proper escaping, allowing script execution. This vulnerability is fixed in 4.10.2 and 5.5.3.
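The rendering pattern behind this advisory, as an added example (not Craft Commerce code and not taken from the fix commit): status fields are JSON-serialized for an inline script and then concatenated into markup on the client. The `htmlEncode` helper, the field names, the constructed sample statuses and the element stub are assumptions made for the example; the first hardened variant encodes each field before serialization, which is the approach the fix takes, and the second writes through a text sink instead.

```javascript
// Added example (not Craft Commerce code): the rendering pattern behind this
// advisory, reduced to plain functions so it runs under Node without a browser.
// Server-side data (order status fields) is serialized to JSON for an inline
// script and later concatenated into markup. If a field is not HTML-encoded
// before it reaches an HTML sink, markup stored in that field is parsed live.

// Constructed sample data: the second status carries stored markup in its name.
// Field names follow the fields the fix encodes (name, color, description).
const orderStatusesFromServer = [
  { handle: 'new', name: 'New', color: 'green', description: 'Fresh order' },
  { handle: 'hold', name: 'Hold <b>urgent</b>', color: 'red', description: 'A & B' },
];

// Assumption: this mirrors what Html::encode does server-side (entity-encode
// the five HTML-significant characters) so the client string becomes inert.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Vulnerable pattern: the field is concatenated into an HTML string that is
// destined for innerHTML (or jQuery's .html()). Stored markup survives intact.
function renderOptionHtml(status) {
  return `<li><span class="status ${status.color}"></span>${status.name}</li>`;
}

// Hardened pattern 1 (the approach the fix takes): encode each field before it
// is serialized, so the same concatenation above no longer yields a live tag.
function encodeStatusForJs(status) {
  return {
    handle: status.handle,
    name: htmlEncode(status.name),
    color: htmlEncode(status.color),
    description: htmlEncode(status.description),
  };
}

// Hardened pattern 2: keep the data raw and write it through a text sink
// (textContent) so the browser never parses it as HTML. Modelled with a
// minimal element stub standing in for the DOM.
function renderOptionTextSink(status) {
  const li = { className: `status ${status.color}`, textContent: '' };
  li.textContent = status.name; // text sink: '<b>' stays literal characters
  return li;
}

// Detection helper for the example: does the rendered HTML contain any tag
// other than the wrapper markup the template itself emits?
function hasInjectedTag(html) {
  const inner = html
    .replace(/^<li><span class="status [^"]*"><\/span>/, '')
    .replace(/<\/li>$/, '');
  return /<[a-zA-Z]/.test(inner);
}

// Build both payloads the way the server would before Json::encode.
const rawPayload = JSON.stringify(orderStatusesFromServer);
const encodedPayload = JSON.stringify(orderStatusesFromServer.map(encodeStatusForJs));
```

`hasInjectedTag` is only a demonstration aid; in a real template the decision is which sink the value goes into (text or HTML) and to encode for that context, which is why the fix encodes before the data reaches the script.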

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions     Patched versions
craftcms/commerce (Packagist)    >= 4.0.0, < 4.10.2    4.10.2
craftcms/commerce (Packagist)    >= 5.0.0, < 5.5.3     5.5.3

Patches

a2ea853935ef

changelog

https://github.com/craftcms/commerce · Brad Bell · Jan 14, 2026 · via ghsa
1 file changed · +1 -2
  • CHANGELOG.md  +1 -2  modified
    @@ -2,9 +2,8 @@
     
     ## Unreleased
     
    -- Fixed XSS vulnerabilities.
     - Fixed a bug where the order’s table was showing the incorrect column heading on the Edit User page.
    -- Fixed a high-severity SQL injection vulnerability in the control panel. (GHSA-j3x5-mghf-xvfw)
    +- Fixed two high-severity SQL injection vulnerabilities in the control panel. (GHSA-j3x5-mghf-xvfw, GHSA-pmgj-gmm4-jh6j)
     
     ## 5.5.2 - 2025-12-31
     
    
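Review bot: this hunk removes the `- Fixed XSS vulnerabilities.` entry from Unreleased without adding one back, so after the change the changelog no longer mentions the stored XSS fix made in `src/elements/actions/UpdateOrderStatus.php`; unless that line was moved somewhere outside the shown context, re-add an entry that names the advisory, in the same style as `- Fixed two high-severity SQL injection vulnerabilities in the control panel. (GHSA-j3x5-mghf-xvfw, GHSA-pmgj-gmm4-jh6j)`.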
60cdc505c03b

Fix encoding

https://github.com/craftcms/commerce · Nathaniel Hammond · Jan 13, 2026 · via ghsa
1 file changed · +13 -1
  • src/elements/actions/UpdateOrderStatus.php  +13 -1  modified
    @@ -10,8 +10,10 @@
     use Craft;
     use craft\base\ElementAction;
     use craft\commerce\elements\Order;
    +use craft\commerce\models\OrderStatus;
     use craft\commerce\Plugin;
     use craft\elements\db\ElementQueryInterface;
    +use craft\helpers\Html;
     use craft\helpers\Json;
     
     /**
    @@ -52,7 +54,17 @@ public function getTriggerLabel(): string
          */
         public function getTriggerHtml(): ?string
         {
    -        $orderStatuses = Json::encode(array_values(Plugin::getInstance()->getOrderStatuses()->getAllOrderStatuses()));
    +        $orderStatuses = collect(Plugin::getInstance()->getOrderStatuses()->getAllOrderStatuses())
    +            ->map(function(OrderStatus $orderStatus) {
    +                // Encode for output in JS
    +                $orderStatus->name = Html::encode($orderStatus->name);
    +                $orderStatus->color = Html::encode($orderStatus->color);
    +                $orderStatus->description = Html::encode($orderStatus->description);
    +
    +                return $orderStatus;
    +            });
    +
    +        $orderStatuses = Json::encode(array_values($orderStatuses->all()));
             $type = Json::encode(static::class);
     
             $js = <<<EOT
    
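Review bot: the map callback mutates the `OrderStatus` objects returned by `getAllOrderStatuses()` in place (`$orderStatus->name = Html::encode($orderStatus->name);` and likewise for `color` and `description`), so if the service hands back shared or cached model instances, the entity-encoded values can leak into other consumers in the same request and be encoded a second time or written back; building a plain array of encoded fields for the JSON payload, or cloning each model before encoding, avoids that. Also worth confirming the JS sink for each field: entity encoding is the right escape for `name` and `description` if they land in an HTML context, but `color` reads like a value destined for a class or style attribute, where HTML entities are not the relevant escaping and an allow-list of known colour handles is the cleaner check.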

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
