XSS in Craftcms Commerce

CVE-2026-29177

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the Shipping Method Na…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (2.5th percentile) — read the EPSS interpretation.

Affected products

Craftcms Commerce — versions >= 4.0.0 < 4.10.2, >= 5.0.0 < 5.5.3

Weakness classification (CWE)

CWE-79 — Cross-site Scripting

References

https://github.com/craftcms/commerce/security/advisories/GHSA-mj32-r678-7mvp (x_refsource_CONFIRM)
https://github.com/craftcms/commerce/commit/b0683e04773f16bba6af9df18aab495fc5dde68a (x_refsource_MISC)