XSS in Craftcms Commerce

CVE-2026-29176

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, A stored XSS vulnerability exists in the Commerce Settings - Inventory Locations page. The Name field is rendered without proper HTML escaping, allowing an attacker to…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (1.2th percentile) — read the EPSS interpretation.

Affected products

Craftcms Commerce — versions >= 4.0.0 < 4.10.2, >= 5.0.0 < 5.5.3

Weakness classification (CWE)

CWE-79 — Cross-site Scripting

References

https://github.com/craftcms/commerce/security/advisories/GHSA-wj89-2385-gpx3 (x_refsource_CONFIRM)
https://github.com/craftcms/commerce/commit/da143df084563ddf0929d7c261bcc11d312e8004 (x_refsource_MISC)