CVE-2026-29175

MEDIUM

Craft Commerce <5.5.3 - Stored XSS

Title source: llm

Description

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Stored XSS vulnerabilities exist in the Commerce Inventory page. The Product Title, Variant Title, and Variant SKU fields are rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript when any user (including administrators) views the inventory management page. This vulnerability is fixed in 5.5.3.

References (2)

[Patch] https://github.com/craftcms/commerce/commit/9f0638a4fb29ed8295a463385a7cc49ec986e33a

View Patch ZIP pw:eip

[Vendor Advisory] https://github.com/craftcms/commerce/security/advisories/GHSA-cfpv-rmpf-f624

Scores

CVSS v3 5.4

EPSS 0.0001

EPSS Percentile 1.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

craftcms/craft_commerce 5.0.0 - 5.5.3

Published Mar 10, 2026

Tracked Since Mar 11, 2026