CVE-2026-29173 - Vulnerability Analysis
Severity: Medium | CVSS: 4.8 | Last Updated: March 11, 2026
Craft Commerce - Stored XSS
Published: March 10, 2026 | Updated: March 11, 2026 | PoC Available | Remote Exploitable
Overview
Craft Commerce versions before 4.10.2 and before 5.5.3 contain a stored XSS vulnerability caused by improper escaping of the Order Status Name in the Commerce Orders table. This lets attackers execute scripts in users' browsers; exploitation requires a user to update an order status.
Severity & Score
Severity: Medium
CVSS Score: 4.8
Impact
Attackers can execute scripts in users' browsers, potentially stealing session data or performing actions on behalf of users.
Mitigation
Update to version 4.10.2 or later (4.x branch) or 5.5.3 or later (5.x branch).
Details
- CVE ID: CVE-2026-29173
- Severity: Medium
- CVSS Score: 4.8
- Type: stored_xss
- Status: confirmed
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N