VYPR
Low severity · NVD Advisory · Published Mar 10, 2026 · Updated Mar 10, 2026

Craft Commerce has Stored XSS in Craft Commerce Order Details Slideout

CVE-2026-29177

Description

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name. When a user opens the order details slideout via a double-click on the order index page, the injected payload executes. This vulnerability is fixed in 4.10.2 and 5.5.3.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| craftcms/commerce (Packagist) | >= 4.0.0, < 4.10.2 | 4.10.2 |
| craftcms/commerce (Packagist) | >= 5.0.0, < 5.5.3 | 5.5.3 |
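
A check of an installed version against the affected ranges listed above, as an added example that is not part of the advisory or the Craft Commerce code base: it reads a `composer.lock` and reports whether `craftcms/commerce` falls in an affected range. The sample lock file is constructed, and treating a pre-release of a patched version as still affected is an assumption made here.

```python
import json
import re

PACKAGE = "craftcms/commerce"
# (first affected, first patched) per release line, taken from the advisory's version table
AFFECTED_RANGES = [((4, 0, 0), (4, 10, 2)), ((5, 0, 0), (5, 5, 3))]


def parse_version(raw):
    """Parse '4.10.1', 'v5.5.2' or '5.5.3-beta.1' into ((major, minor, patch), is_prerelease)."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)?(-[0-9A-Za-z.]+)?$", raw.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {raw!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)), bool(m.group(4))


def is_affected(raw):
    """True/False for a tagged version; None when it cannot be ordered (e.g. a dev branch)."""
    try:
        core, prerelease = parse_version(raw)
    except ValueError:
        return None
    for first_affected, first_patched in AFFECTED_RANGES:
        # Assumption: a pre-release of the patched version sorts below it, so count it as affected.
        if first_affected <= core < first_patched or (core == first_patched and prerelease):
            return True
    return False


def check_lockfile(lock_text):
    """Return (installed_version, affected) for craftcms/commerce, or (None, False) if absent."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            return pkg["version"], is_affected(pkg["version"])
    return None, False


# Constructed composer.lock excerpt (not from a real project)
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "5.6.0"},
    {"name": "craftcms/commerce", "version": "5.5.2"},
]})

if __name__ == "__main__":
    version, affected = check_lockfile(SAMPLE_LOCK)
    print(f"{PACKAGE} {version}: affected={affected}")
```

A result of `None` means the lock file pins a branch rather than a tagged release, so the installed commit has to be compared against the fixed releases by hand.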
