Low severity · NVD Advisory · Published Mar 10, 2026 · Updated Mar 10, 2026
Craft Commerce has Stored XSS in Craft Commerce Order Details Slideout
CVE-2026-29177
Description
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored cross-site scripting (XSS) vulnerability exists in the Craft Commerce order details slideout. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name values. When a user opens the order details slideout by double-clicking an order on the order index page, the stored payload executes in that user's browser. This vulnerability is fixed in 4.10.2 and 5.5.3.
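As an added illustration, not Craft Commerce's code and not the change in the referenced commit: the rendering pattern that produces a stored XSS of this kind (untrusted order fields concatenated into slideout markup), beside the escaped form. The field names, the markup, the helper functions and the sample order are all assumptions constructed for this example.

```javascript
// Added example (not Craft Commerce code). Field names, markup and sample
// data are assumptions; the fix shown is output escaping at render time.

// Minimal HTML entity escaping for text placed in element content or in a
// double-quoted attribute value. "&" must be replaced first.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: stored order fields interpolated straight into the
// slideout HTML, so a stored "<svg onload=...>" becomes live markup.
function renderOrderDetailsVulnerable(order) {
  return `<div class="order-slideout">` +
    `<h2>Order ${order.reference}</h2>` +
    `<dl><dt>Site</dt><dd>${order.siteName}</dd>` +
    `<dt>Shipping</dt><dd>${order.shippingMethodName}</dd></dl>` +
    `</div>`;
}

// Hardened pattern: every untrusted value is escaped at the point of output,
// so stored angle brackets and quotes reach the DOM as text, not as tags.
function renderOrderDetailsSafe(order) {
  const fields = [
    ["Site", order.siteName],
    ["Shipping", order.shippingMethodName],
  ];
  const rows = fields
    .map(([label, value]) => `<dt>${escapeHtml(label)}</dt><dd>${escapeHtml(value)}</dd>`)
    .join("");
  return `<div class="order-slideout">` +
    `<h2>Order ${escapeHtml(order.reference)}</h2>` +
    `<dl>${rows}</dl></div>`;
}

// Demo check: after stripping the tags the template itself emits, does any
// "<" remain? If so, stored data was promoted to markup.
function containsInjectedMarkup(html) {
  const withoutTemplateTags = html.replace(/<\/?(div|h2|dl|dt|dd)\b[^>]*>/g, "");
  return /</.test(withoutTemplateTags);
}

// Constructed sample order (hypothetical data): each of the three fields
// named in the advisory carries a classic XSS test string.
const sampleOrder = {
  reference: 'ORD-1001"><img src=x onerror=alert(1)>',
  siteName: "Shop <script>alert(2)</script>",
  shippingMethodName: "<svg onload=alert(3)>Express</svg>",
};

// Returns {vulnerable: true, safe: false} for the sample order.
function demo(order = sampleOrder) {
  return {
    vulnerable: containsInjectedMarkup(renderOrderDetailsVulnerable(order)),
    safe: containsInjectedMarkup(renderOrderDetailsSafe(order)),
  };
}
```

The escaping here is the general fix for any of the three fields: it does not matter which stored value the attacker controls, only that every value is escaped before it is concatenated into markup. In a real control panel the same result is normally obtained by assigning untrusted strings with `textContent` rather than `innerHTML`, or by relying on the templating engine's auto-escaping rather than building HTML by hand.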
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| craftcms/commerce | Packagist | >= 4.0.0, < 4.10.2 | 4.10.2 |
| craftcms/commerce | Packagist | >= 5.0.0, < 5.5.3 | 5.5.3 |
References
- https://github.com/advisories/GHSA-mj32-r678-7mvp (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-29177 (NVD advisory)
- https://github.com/craftcms/commerce/commit/b0683e04773f16bba6af9df18aab495fc5dde68a (fix commit)
- https://github.com/craftcms/commerce/security/advisories/GHSA-mj32-r678-7mvp (vendor advisory)