CVE-2026-10769
Commerce Core - Moderately critical - Cross site scripting - SA-CONTRIB-2026-041
CVSS Score
5.4
EPSS Score
0.2%
EPSS Percentile
6th
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Commerce Core allows Stored XSS. This issue affects Commerce Core versions: from 3.3.0 to 3.3.6.
| CWE | CWE-79 |
| Vendor | drupal |
| Product | commerce core |
| Ecosystems | |
| Industries | WebMedia |
| Published | Jul 10, 2026 |
| Last Updated | Jul 14, 2026 |
Stay Ahead of the Next One
Get instant alerts for drupal commerce core
Be the first to know when new medium vulnerabilities affecting drupal commerce core are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Drupal / Commerce Core
3.3.0 < 3.3.6
Credits
Brian Willows (hsjbrianwillows) Jonathan Sacksick (jsacksick) Greg Knaddison (greggles) Lee Rowlands (larowlan) Dave Long (longwave) Juraj Nemec (poker10)