
CVE-2026-29177 - Vulnerability Analysis

Severity: Medium | CVSS: 5.4

Last Updated: March 11, 2026

Craft Commerce - Stored XSS

Published: March 10, 2026 | Updated: March 11, 2026 | PoC Available | Remote Exploitable

Overview

Craft Commerce before 4.10.2 and before 5.5.3 contains a stored cross-site scripting (XSS) vulnerability. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name fields displayed in order details; the script executes in the browser of a user who opens the order details slideout. Exploitation requires user interaction.

Severity & Score

Severity: Medium
CVSS Score: 5.4

Impact

Attackers can execute malicious scripts in users' browsers, potentially stealing session data or performing actions on behalf of users.

Mitigation

Update to version 4.10.2 or 5.5.3, or later.

Details

CVE ID: CVE-2026-29177
Severity: Medium
CVSS Score: 5.4
Type: stored_xss
Status: confirmed

CWE

  • CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N