LeakyCreds

CVE-2026-29175 - Vulnerability Analysis

Medium | CVSS: 5.4

Last Updated: March 11, 2026

Craft Commerce - Stored XSS

Published: March 10, 2026 | Updated: March 11, 2026 | PoC Available | Remote Exploitable

Overview

Craft Commerce < 5.5.3 contains a stored XSS caused by improper HTML escaping of the Product Title, Variant Title, and Variant SKU fields on the Commerce Inventory page, letting attackers execute arbitrary JavaScript when the page is viewed by any user.

Severity & Score

Severity: Medium
CVSS Score: 5.4

Impact

Attackers can execute arbitrary JavaScript in the context of users viewing the inventory page, potentially leading to session hijacking or other malicious actions.

Mitigation

Upgrade to version 5.5.3 or later.

Details

CVE ID: CVE-2026-29175
Severity: Medium
CVSS Score: 5.4
Type: stored_xss
Status: confirmed

CWE

  • CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N