CVE-2026-29175
Severity: MEDIUM
Craft Commerce 5.0.0-5.5.2 - Stored Cross-Site Scripting in Inventory Page Fields
Title source: llmDescription
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, the Commerce Inventory page is affected by stored XSS: the Product Title, Variant Title, and Variant SKU fields are rendered without HTML escaping. An attacker who can set those field values can execute arbitrary JavaScript in the browser of any user, including administrators, who views the inventory management page. The vulnerability is fixed in 5.5.3.
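The bug class described above, as an added illustration that is not Craft Commerce code: a toy inventory-table renderer with the vulnerable interpolation beside the escaped form, plus an audit helper run over the stored rows. The record shape, field names and sample values are assumptions constructed for the example, not Craft's schema; the CVSS vector's PR:L and UI:R mean the attacker needs an account that can set these fields and the victim must open the inventory page.

```javascript
// Added illustration, not Craft Commerce source. Reproduces the bug class in the
// advisory (stored fields interpolated into HTML unescaped) next to the escaped
// version, and audits rows already stored. Field names are assumptions.

// Constructed sample records. Rows two and three are what a low-privileged
// account able to edit products might store: one element-text payload, one
// attribute-breakout payload.
const variants = [
  { productTitle: 'Plain Shirt', variantTitle: 'Medium', sku: 'SHIRT-M' },
  { productTitle: 'Hoodie', variantTitle: '<img src=x onerror=alert(document.cookie)>', sku: 'HOOD-L' },
  { productTitle: 'Mug', variantTitle: 'Large', sku: '" autofocus onfocus="alert(1)' },
];

// Minimal HTML entity encoder, adequate for element text and for values placed
// inside double-quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: stored values dropped straight into markup.
function renderRowUnsafe(v) {
  return `<tr><td>${v.productTitle}</td><td>${v.variantTitle}</td>` +
    `<td><input name="sku" value="${v.sku}"></td></tr>`;
}

// Fixed pattern: every untrusted value is encoded for the HTML context it lands in.
function renderRowSafe(v) {
  return `<tr><td>${escapeHtml(v.productTitle)}</td><td>${escapeHtml(v.variantTitle)}</td>` +
    `<td><input name="sku" value="${escapeHtml(v.sku)}"></td></tr>`;
}

function renderInventory(rows, renderRow) {
  return '<table>' + rows.map(renderRow).join('') + '</table>';
}

// Audit helper: upgrading fixes the rendering, but payloads saved before the
// upgrade stay in the database and may be rendered by other templates or
// exports. Flag stored values containing characters that change HTML parsing.
const INVENTORY_FIELDS = ['productTitle', 'variantTitle', 'sku'];
function findSuspiciousValues(rows) {
  const hits = [];
  rows.forEach((v, index) => {
    for (const field of INVENTORY_FIELDS) {
      if (/[<>"'&]/.test(String(v[field]))) hits.push({ index, field, value: v[field] });
    }
  });
  return hits;
}

// Stand-alone demonstration.
const unsafeHtml = renderInventory(variants, renderRowUnsafe);
const safeHtml = renderInventory(variants, renderRowSafe);
console.log('payload tag present in unsafe output:', unsafeHtml.includes('<img'));
console.log('payload tag present in safe output:  ', safeHtml.includes('<img'));
console.log('stored values needing review:', findSuspiciousValues(variants));
```

Note that a substring check for `onerror=alert` would still match the escaped output, because the text survives encoding; what matters is that `<img` became `&lt;img` and the attribute quote became `&quot;`, so the browser never sees a tag or an attribute boundary. The audit is the check to run before and after upgrading to 5.5.3: the fix stops the page from rendering the payload, it does not remove it from the database.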
References
Vendor Advisory (confirmed): https://github.com/craftcms/commerce/security/advisories/GHSA-cfpv-rmpf-f624
Scores
CVSS v3.1 base score: 5.4 (MEDIUM)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector: NETWORK
EPSS: 0.0020 (percentile 10.4%)
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Status: published
Products (1)
craftcms/craft_commerce: 5.0.0 through 5.5.2 affected (fixed in 5.5.3)
Published: Mar 10, 2026
Tracked since: Mar 11, 2026