Stored Cross-Site Scripting Vulnerability in Craft Commerce by Craft CMS
CVE-2026-29177

1.9LOW

Key Information:

Vendor: Craftcms
Status: Commerce
Vendor: CVE Published:; 10 March 2026

What is CVE-2026-29177?

Craft Commerce, an ecommerce platform built for Craft CMS, is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability. This security issue allows attackers to inject malicious JavaScript through fields such as Shipping Method Name, Order Reference, or Site Name. When a user accesses order details via the order index page, the injected script executes, posing significant security risks. The vulnerability has been addressed in versions 4.10.2 and 5.5.3.

Affected Version(s)

commerce >= 4.0.0 < 4.10.2 < 4.0.0 4.10.2

commerce >= 5.0.0 < 5.5.3 < 5.0.0 5.5.3

References

https://github.com/craftcms/commerce/security/advisories/...

x_refsource_CONFIRM

https://github.com/craftcms/commerce/commit/b0683e04773f1...

x_refsource_MISC

CVSS V4

Score:

1.9

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 10, 2026
Vulnerability Reserved
Mar 4, 2026

CVE-2026-29177 Data

JSON

Craftcms

What is CVE-2026-29177?

Affected Version(s)

References

CVSS V4

Timeline