CVE-2026-29175

UNKNOWN 0.0

Multiple Stored XSS in Commerce Inventory Page Leading to Session Hijacking

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Stored XSS vulnerabilities exist in the Commerce Inventory page. The Product Title, Variant Title, and Variant SKU fields are rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript when any user (including administrators) views the inventory management page. This vulnerability is fixed in 5.5.3.

CWE	CWE-79
Vendor	craftcms
Product	commerce
Published	Mar 10, 2026
Last Updated	Mar 11, 2026

Stay Ahead of the Next One

Get instant alerts for craftcms commerce

Be the first to know when new unknown vulnerabilities affecting craftcms commerce are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

craftcms / commerce

>= 5.0.0 < 5.5.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/craftcms/commerce/security/advisories/GHSA-cfpv-rmpf-f624 github.com: https://github.com/craftcms/commerce/commit/9f0638a4fb29ed8295a463385a7cc49ec986e33a