Packagist (Composer) package
craftcms/commerce
pkg:composer/craftcms/commerce
Vulnerabilities (19)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-32272 | Hig | — | >= 5.0.0, < 5.6.0 | 5.6.0 | Apr 13, 2026 | Craft Commerce is an ecommerce platform for Craft CMS. In versions 5.0.0 through 5.5.4, an SQL injection vulnerability exists where the ProductQuery::hasVariant and VariantQuery::hasProduct properties bypass the input sanitization blocklist added to ElementIndexesController in a | |
| CVE-2026-32271 | Hig | — | >= 4.0.0, < 4.10.3 | 4.10.3 | Apr 13, 2026 | Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allows any authenticated control panel user to achieve remote code execution through | |
| CVE-2026-32270 | Low | — | >= 5.0.0, < 5.6.0 | 5.6.0 | Apr 13, 2026 | Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, the PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous pay | |
| CVE-2026-31867 | — | >= 5.0.0, < 5.6.0 | 5.6.0 | Mar 11, 2026 | Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.11.0 and 5.6.0, An Insecure Direct Object Reference (IDOR) vulnerability exists in Craft Commerce’s cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character number. T | ||
| CVE-2026-29177 | — | >= 4.0.0, < 4.10.2 | 4.10.2 | Mar 10, 2026 | Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name. When a | ||
| CVE-2026-29176 | — | >= 5.0.0, < 5.5.3 | 5.5.3 | Mar 10, 2026 | Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, A stored XSS vulnerability exists in the Commerce Settings - Inventory Locations page. The Name field is rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript. This XSS tr | ||
| CVE-2026-29175 | — | >= 5.0.0, < 5.5.3 | 5.5.3 | Mar 10, 2026 | Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Stored XSS vulnerabilities exist in the Commerce Inventory page. The Product Title, Variant Title, and Variant SKU fields are rendered without proper HTML escaping, allowing an attacker to execute arbitrary Ja | ||
| CVE-2026-29174 | — | >= 5.0.0, < 5.5.3 | 5.5.3 | Mar 10, 2026 | Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Craft Commerce is vulnerable to SQL Injection in the inventory levels table data endpoint. The sort[0][direction] and sort[0][sortField] parameters are concatenated directly into an addOrderBy() clause without | ||
| CVE-2026-29173 | — | >= 4.0.0, < 4.10.2 | 4.10.2 | Mar 10, 2026 | Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to | ||
| CVE-2026-29172 | — | >= 4.0.0, < 4.10.2 | 4.10.2 | Mar 10, 2026 | Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part (column name) is passed directly as an array key to orderBy() wi | ||
| CVE-2026-25522 | — | >= 5.0.0-RC1, < 5.5.2 | 5.5.2 | Feb 3, 2026 | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Zone | ||
| CVE-2026-25490 | — | >= 5.0.0-RC1, < 5.5.2 | 5.5.2 | Feb 3, 2026 | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the 'Address Line | ||
| CVE-2026-25489 | — | >= 5.0.0-RC1, < 5.5.2 | 5.5.2 | Feb 3, 2026 | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Descrip | ||
| CVE-2026-25488 | — | >= 5.0.0-RC1, < 5.5.2 | 5.5.2 | Feb 3, 2026 | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Tax Categories | ||
| CVE-2026-25487 | — | >= 5.0.0-RC1, < 5.5.2 | 5.5.2 | Feb 3, 2026 | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Nam | ||
| CVE-2026-25486 | — | >= 5.0.0-RC1, < 5.5.2 | 5.5.2 | Feb 3, 2026 | Craft Commerce is an ecommerce platform for Craft CMS. From version 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Methods Name field in the Store Manage | ||
| CVE-2026-25484 | — | >= 5.0.0, < 5.5.2 | 5.5.2 | Feb 3, 2026 | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings. The vulnerable input (source) is in Commerce ( | ||
| CVE-2026-25483 | — | >= 5.0.0, < 5.5.2 | 5.5.2 | Feb 3, 2026 | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling | ||
| CVE-2026-25482 | — | >= 5.0.0, < 5.5.2 | 5.5.2 | Feb 3, 2026 | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper |
- affected >= 5.0.0, < 5.6.0fixed 5.6.0
Craft Commerce is an ecommerce platform for Craft CMS. In versions 5.0.0 through 5.5.4, an SQL injection vulnerability exists where the ProductQuery::hasVariant and VariantQuery::hasProduct properties bypass the input sanitization blocklist added to ElementIndexesController in a
- affected >= 4.0.0, < 4.10.3fixed 4.10.3
Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allows any authenticated control panel user to achieve remote code execution through
- affected >= 5.0.0, < 5.6.0fixed 5.6.0
Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, the PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous pay
- CVE-2026-31867Mar 11, 2026affected >= 5.0.0, < 5.6.0fixed 5.6.0
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.11.0 and 5.6.0, An Insecure Direct Object Reference (IDOR) vulnerability exists in Craft Commerce’s cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character number. T
- CVE-2026-29177Mar 10, 2026affected >= 4.0.0, < 4.10.2fixed 4.10.2
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name. When a
- CVE-2026-29176Mar 10, 2026affected >= 5.0.0, < 5.5.3fixed 5.5.3
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, A stored XSS vulnerability exists in the Commerce Settings - Inventory Locations page. The Name field is rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript. This XSS tr
- CVE-2026-29175Mar 10, 2026affected >= 5.0.0, < 5.5.3fixed 5.5.3
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Stored XSS vulnerabilities exist in the Commerce Inventory page. The Product Title, Variant Title, and Variant SKU fields are rendered without proper HTML escaping, allowing an attacker to execute arbitrary Ja
- CVE-2026-29174Mar 10, 2026affected >= 5.0.0, < 5.5.3fixed 5.5.3
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Craft Commerce is vulnerable to SQL Injection in the inventory levels table data endpoint. The sort[0][direction] and sort[0][sortField] parameters are concatenated directly into an addOrderBy() clause without
- CVE-2026-29173Mar 10, 2026affected >= 4.0.0, < 4.10.2fixed 4.10.2
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to
- CVE-2026-29172Mar 10, 2026affected >= 4.0.0, < 4.10.2fixed 4.10.2
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part (column name) is passed directly as an array key to orderBy() wi
- CVE-2026-25522Feb 3, 2026affected >= 5.0.0-RC1, < 5.5.2fixed 5.5.2
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Zone
- CVE-2026-25490Feb 3, 2026affected >= 5.0.0-RC1, < 5.5.2fixed 5.5.2
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the 'Address Line
- CVE-2026-25489Feb 3, 2026affected >= 5.0.0-RC1, < 5.5.2fixed 5.5.2
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Descrip
- CVE-2026-25488Feb 3, 2026affected >= 5.0.0-RC1, < 5.5.2fixed 5.5.2
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Tax Categories
- CVE-2026-25487Feb 3, 2026affected >= 5.0.0-RC1, < 5.5.2fixed 5.5.2
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Nam
- CVE-2026-25486Feb 3, 2026affected >= 5.0.0-RC1, < 5.5.2fixed 5.5.2
Craft Commerce is an ecommerce platform for Craft CMS. From version 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Methods Name field in the Store Manage
- CVE-2026-25484Feb 3, 2026affected >= 5.0.0, < 5.5.2fixed 5.5.2
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings. The vulnerable input (source) is in Commerce (
- CVE-2026-25483Feb 3, 2026affected >= 5.0.0, < 5.5.2fixed 5.5.2
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling
- CVE-2026-25482Feb 3, 2026affected >= 5.0.0, < 5.5.2fixed 5.5.2
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper