XSS in Craftcms Commerce

CVE-2026-29175

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Stored XSS vulnerabilities exist in the Commerce Inventory page. The Product Title, Variant Title, and Variant SKU fields are rendered without proper HTML escaping, all…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (2.9th percentile) — read the EPSS interpretation.

Affected products

Craftcms Commerce — versions >= 5.0.0 < 5.5.3

Weakness classification (CWE)

CWE-79 — Cross-site Scripting

References

https://github.com/craftcms/commerce/security/advisories/GHSA-cfpv-rmpf-f624 (x_refsource_CONFIRM)
https://github.com/craftcms/commerce/commit/9f0638a4fb29ed8295a463385a7cc49ec986e33a (x_refsource_MISC)