{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29177", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-04T14:44:00.713Z", "datePublished": "2026-03-10T20:01:06.968Z", "dateUpdated": "2026-03-10T20:12:39.344Z"}, "containers": {"cna": {"title": "Craft Commerce has Stored XSS in Craft Commerce Order Details Slideout", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 1.9, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/craftcms/commerce/security/advisories/GHSA-mj32-r678-7mvp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-mj32-r678-7mvp"}, {"name": "https://github.com/craftcms/commerce/commit/b0683e04773f16bba6af9df18aab495fc5dde68a", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/commerce/commit/b0683e04773f16bba6af9df18aab495fc5dde68a"}], "affected": [{"vendor": "craftcms", "product": "commerce", "versions": [{"version": ">= 4.0.0 < 4.10.2", "status": "affected"}, {"version": ">= 5.0.0 < 5.5.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T20:01:06.968Z"}, "descriptions": [{"lang": "en", "value": "Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name. When a user opens the order details slideout via a double-click on the order index page, the injected payload executes. This vulnerability is fixed in 4.10.2 and 5.5.3."}], "source": {"advisory": "GHSA-mj32-r678-7mvp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29177", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T20:07:59.540355Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T20:12:39.344Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29177", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T20:07:59.540355Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T20:11:40.529Z"}}], "cna": {"title": "Craft Commerce has Stored XSS in Craft Commerce Order Details Slideout", "source": {"advisory": "GHSA-mj32-r678-7mvp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 1.9, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "craftcms", "product": "commerce", "versions": [{"status": "affected", "version": ">= 4.0.0 < 4.10.2"}, {"status": "affected", "version": ">= 5.0.0 < 5.5.3"}]}], "references": [{"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-mj32-r678-7mvp", "name": "https://github.com/craftcms/commerce/security/advisories/GHSA-mj32-r678-7mvp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/craftcms/commerce/commit/b0683e04773f16bba6af9df18aab495fc5dde68a", "name": "https://github.com/craftcms/commerce/commit/b0683e04773f16bba6af9df18aab495fc5dde68a", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name. When a user opens the order details slideout via a double-click on the order index page, the injected payload executes. This vulnerability is fixed in 4.10.2 and 5.5.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T20:01:06.968Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29177", "state": "PUBLISHED", "dateUpdated": "2026-03-10T20:12:39.344Z", "dateReserved": "2026-03-04T14:44:00.713Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-10T20:01:06.968Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*", "matchCriteriaId": "21ABE060-9AA9-4E13-A387-89028A7D990F", "versionEndExcluding": "4.10.2", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*", "matchCriteriaId": "2690BD5E-2A88-4CDC-AAD6-DD02B96E1A46", "versionEndExcluding": "5.5.3", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name. When a user opens the order details slideout via a double-click on the order index page, the injected payload executes. This vulnerability is fixed in 4.10.2 and 5.5.3."}, {"lang": "es", "value": "Craft Commerce es una plataforma de comercio electr\u00f3nico para Craft CMS. Antes de 4.10.2 y 5.5.3, existe una vulnerabilidad de cross-site scripting (XSS) almacenado en los detalles de pedidos de Craft Commerce. JavaScript malicioso puede ser inyectado a trav\u00e9s del Nombre del M\u00e9todo de Env\u00edo, la Referencia del Pedido o el Nombre del Sitio. Cuando un usuario abre el panel deslizante de detalles del pedido mediante un doble clic en la p\u00e1gina de \u00edndice de pedidos, la carga \u00fatil inyectada se ejecuta. Esta vulnerabilidad est\u00e1 corregida en 4.10.2 y 5.5.3."}], "id": "CVE-2026-29177", "lastModified": "2026-03-11T15:07:13.647", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-10T20:16:39.037", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/craftcms/commerce/commit/b0683e04773f16bba6af9df18aab495fc5dde68a"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-mj32-r678-7mvp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0,4.10.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0,5.5.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "commerce", "source": "cna", "vendor": "craftcms"}, "product": "commerce", "vendor": "craftcms"}], "analysis": {"en": {"generated_at": "2026-04-16T09:31:09.814146+00:00", "value": {"mitigation_remediation": ["Upgrade Craft Commerce to version 4.10.2 or later, or 5.5.3 or later to receive the vendor patch.", "If upgrading immediately is not possible, modify the template rendering the order details slideout so that the Shipping Method Name, Order Reference, and Site Name are HTML\u2011escaped before display, preventing script execution.", "Apply a Content Security Policy that blocks inline scripts and limits script sources to trusted domains, mitigating the impact of any residual injection."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting (XSS) in Craft Commerce Order Details"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in Craft Commerce releases prior to version 4.10.2 and 5.5.3. Any installation running an affected version of the e\u2011commerce plugin is susceptible.", "description_and_impact": "Craft Commerce includes a stored XSS flaw in the Order Details slideout. An attacker can inject malicious JavaScript through the Shipping Method Name, Order Reference, or Site Name fields. When an authorized user opens the order details by double\u2011clicking an order in the index page, the payload is rendered and executed in that user\u2019s browser. This could lead to theft of session cookies, injection of further payloads, or unauthorized actions performed under the user\u2019s identity.", "risk_and_exploitability": "TheSS score of 1.9 indicates a low severity assessment, and the EPSS score is below 1\u202f%, suggesting a low probability of exploitation. It is not listed in CISA\u2019s KEV catalog. The attack vector is likely restricted to users with permission to view order details, making exploitation dependent on administrative credentials."}}}}, "created": "2026-03-11T11:43:05.641325+00:00", "updated": "2026-04-16T09:45:31.665196+00:00", "vendors": ["craftcms", "craftcms$PRODUCT$commerce"]}