Low severity | NVD Advisory | Published Mar 10, 2026 | Updated Mar 10, 2026
Craft Commerce has Stored XSS while updating Order Status from Orders Table
CVE-2026-29173
Description
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user updates the Order Status from the Commerce Orders Table: the Order Status Name is rendered without proper escaping, allowing script execution. This vulnerability is fixed in 4.10.2 and 5.5.3.
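The defect class described above, as an added illustration that is not code from Craft Commerce, the advisory, or the linked patch commits: a status name stored by one user is later written into an orders-table cell for other users, and the only thing that decides between harmless text and script execution is whether the value is escaped at the rendering sink. The cell layout, the `status` object shape and the sample status name are constructed assumptions for this example.

```javascript
// Added illustration, not Craft Commerce code: rendering an order-status
// cell without escaping (vulnerable) versus with escaping at the sink (fixed).

// Minimal HTML escaper for values placed in element content or quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored name is interpolated straight into markup,
// both as a title attribute and as cell text. Any markup in the name is
// interpreted by the browser of whoever views the table.
function renderStatusCellUnsafe(status) {
  return `<td class="order-status" title="${status.name}">${status.name}</td>`;
}

// Hardened pattern: the same value is escaped once per output context, so the
// stored name is shown literally and never parsed as HTML.
function renderStatusCellSafe(status) {
  const name = escapeHtml(status.name);
  return `<td class="order-status" title="${name}">${name}</td>`;
}

// Constructed sample: a status record whose name carries a script tag. The
// shape (id, name, color) is an assumption for the example.
const SAMPLE_STATUS = { id: 7, name: "Shipped<script>alert(1)</script>", color: "green" };

// Review/detection helper: does the rendered markup still contain a raw
// <script tag that came from the stored value?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Runs both renderers on the sample and reports whether the tag survived.
function demo(status = SAMPLE_STATUS) {
  const unsafe = renderStatusCellUnsafe(status);
  const safe = renderStatusCellSafe(status);
  return {
    unsafe,
    safe,
    unsafeHasTag: containsRawScriptTag(unsafe), // true: stored XSS
    safeHasTag: containsRawScriptTag(safe),     // false: rendered as text
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The fix lives at the output, not at the input: validating or stripping tags when the status is saved would still leave every other path that writes the name into HTML exposed, whereas escaping in the renderer covers all of them. When checking a patch for this class of bug, look for the sink (the template or component that writes the name) and confirm that every interpolation of the value passes through the escaper.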
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| craftcms/commerce | Packagist | >= 4.0.0, < 4.10.2 | 4.10.2 |
| craftcms/commerce | Packagist | >= 5.0.0, < 5.5.3 | 5.5.3 |
References
- github.com/advisories/GHSA-mqxf-2998-c6cp (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-29173 (NVD entry)
- github.com/craftcms/commerce/commit/60cdc505c03b6fa2f59715e8c060114b66334afa (patch commit)
- github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b (patch commit)
- github.com/craftcms/commerce/security/advisories/GHSA-mqxf-2998-c6cp (vendor advisory)