
Description

Craft Commerce is an ecommerce platform for Craft CMS. Prior to version 5.5.3, stored cross-site scripting (XSS) vulnerabilities exist in the Commerce Inventory page. The Product Title, Variant Title, and Variant SKU fields are rendered on that page without proper HTML escaping, so an attacker who can set those fields can store a payload that executes arbitrary JavaScript in the browser of any user, including administrators, who views the inventory management page. The vulnerability is fixed in 5.5.3.
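The rendering flaw described above, as an added example (this is not Craft Commerce's code and it makes no claim about how the real inventory template is built): a Python model of an inventory table rendered with and without output escaping, plus a small audit over exported product/variant rows that an administrator on an unpatched install could run to find payloads already stored in the affected fields. The row format, the field names (`productTitle`, `variantTitle`, `sku`) and the sample rows are all constructed for the example.

```python
"""Added example for the Craft Commerce inventory-page stored XSS (CWE-79).

Not Craft Commerce code. Models the difference between interpolating
product/variant fields straight into HTML and escaping them at output,
and audits stored rows for payloads that would fire on an unpatched page.
"""
import html
import re

# Constructed sample rows; field names are assumptions for this example.
# Row 2 carries an XSS payload in its SKU, row 3 has legitimate quotes.
SAMPLE_INVENTORY = [
    {"productTitle": "Plain Tee", "variantTitle": "Small", "sku": "TEE-S-001"},
    {"productTitle": "Plain Tee", "variantTitle": "Large", "sku": "TEE-L-001"},
    {"productTitle": "Mug", "variantTitle": "12oz",
     "sku": "<img src=x onerror=alert(document.domain)>"},
    {"productTitle": 'Gift Card "Holiday"', "variantTitle": "$25", "sku": "GC-25"},
]

# The three fields the advisory names as rendered without escaping.
DISPLAY_FIELDS = ("productTitle", "variantTitle", "sku")


def render_row_unescaped(row):
    """Vulnerable pattern: stored values are interpolated into markup as-is."""
    cells = "".join(f"<td>{row[field]}</td>" for field in DISPLAY_FIELDS)
    return f"<tr>{cells}</tr>"


def render_row_escaped(row):
    """Hardened pattern: every untrusted value is HTML-escaped at output.

    quote=True also escapes " and ', so the value is safe inside attribute
    values as well as in element text.
    """
    cells = "".join(
        f"<td>{html.escape(str(row[field]), quote=True)}</td>"
        for field in DISPLAY_FIELDS
    )
    return f"<tr>{cells}</tr>"


def render_inventory(rows, escaped=True):
    """Render the whole table; escaped=False reproduces the vulnerable output."""
    renderer = render_row_escaped if escaped else render_row_unescaped
    return "<table>" + "".join(renderer(row) for row in rows) + "</table>"


# Audit heuristics. TAG_LIKE catches tag openers, javascript: URLs and
# on*= handlers; HTML_ACTIVE catches any character that changes meaning
# when dropped into HTML unescaped (quotes and '&' are often legitimate).
TAG_LIKE = re.compile(r"<\s*/?[a-zA-Z!]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)
HTML_ACTIVE = re.compile(r"[<>\"'&]")


def classify(value):
    """Return 'markup', 'special-chars' or None for one stored field value."""
    if TAG_LIKE.search(value):
        return "markup"
    if HTML_ACTIVE.search(value):
        return "special-chars"
    return None


def find_suspicious_rows(rows):
    """Scan exported rows and report fields that would be HTML-active unescaped."""
    hits = []
    for idx, row in enumerate(rows):
        for field in DISPLAY_FIELDS:
            value = str(row.get(field, ""))
            kind = classify(value)
            if kind:
                hits.append({"row": idx, "field": field, "kind": kind, "value": value})
    return hits


if __name__ == "__main__":
    print(render_inventory(SAMPLE_INVENTORY, escaped=False))  # payload survives
    print(render_inventory(SAMPLE_INVENTORY))                 # payload neutralised
    for hit in find_suspicious_rows(SAMPLE_INVENTORY):
        print(hit)
```

In the audit output, a `markup` hit in a SKU or title is the case to look at first; `special-chars` hits are usually legitimate product names with quotes or ampersands and only confirm that output escaping matters for ordinary data too. The audit is a check for already-stored payloads, not a substitute for upgrading to 5.5.3, which fixes the rendering.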

PUBLISHED | Reserved 2026-03-04 | Published 2026-03-10 | Updated 2026-03-11 | Assigner: GitHub_M




HIGH: 8.6 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Reading the CVSS 4.0 vector: network-reachable, low attack complexity, no attack requirements, low privileges required (PR:L, the attacker needs enough access to set the affected fields), passive user interaction (UI:P, a victim only has to view the inventory page), high confidentiality and integrity impact and low availability impact on the vulnerable system, and no impact on subsequent systems.

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Craft Commerce >= 5.0.0, < 5.5.3: affected

References

github.com/...mmerce/security/advisories/GHSA-cfpv-rmpf-f624 exploit

github.com/...mmerce/security/advisories/GHSA-cfpv-rmpf-f624

github.com/...ommit/9f0638a4fb29ed8295a463385a7cc49ec986e33a

cve.org (CVE-2026-29175)

nvd.nist.gov (CVE-2026-29175)
