Cross-site Scripting Vulnerability in Drupal Commerce Core
CVE-2026-10769

5.4MEDIUM

Key Information:

Vendor

Drupal

Vendor
CVE Published:
10 July 2026

What is CVE-2026-10769?

A Cross-site Scripting (XSS) vulnerability exists in Drupal Commerce Core that allows an attacker to inject malicious scripts into web pages. This flaw affects multiple versions of Commerce Core, specifically from 3.3.0 to 3.3.6, and can lead to stored XSS exploitation, enabling attackers to compromise user sessions and manipulate user interactions on affected websites.

Affected Version(s)

Commerce Core 3.3.0 < 3.3.6

References

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Brian Willows (hsjbrianwillows)
Jonathan Sacksick (jsacksick)
Greg Knaddison (greggles)
Lee Rowlands (larowlan)
Dave Long (longwave)
Juraj Nemec (poker10)
.