XSS in Craft CMS Commerce

CVE-2026-29173

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without prop…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (5.1th percentile)
