CVE-2026-29173

UNKNOWN 0.0

Craft Commerce has Stored XSS while updating Order Status from Orders Table

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. This vulnerability is fixed in 4.10.2 and 5.5.3.

CWE	CWE-79
Vendor	craftcms
Product	commerce
Published	Mar 10, 2026
Last Updated	Mar 10, 2026

Stay Ahead of the Next One

Get instant alerts for craftcms commerce

Be the first to know when new unknown vulnerabilities affecting craftcms commerce are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

craftcms / commerce

>= 4.0.0 < 4.10.2 >= 5.0.0 < 5.5.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/craftcms/commerce/security/advisories/GHSA-mqxf-2998-c6cp github.com: https://github.com/craftcms/commerce/commit/60cdc505c03b6fa2f59715e8c060114b66334afa github.com: https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b