CVE-2026-29176
Craft Commerce has Stored XSS in Inventory Location Name
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, A stored XSS vulnerability exists in the Commerce Settings - Inventory Locations page. The Name field is rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript. This XSS triggers when an administrator (or user with product editing permissions) creates or edits a variant product. This vulnerability is fixed in 5.5.3.
| CWE | CWE-79 |
| Vendor | craftcms |
| Product | commerce |
| Published | Mar 10, 2026 |
| Last Updated | Mar 10, 2026 |
Stay Ahead of the Next One
Get instant alerts for craftcms commerce
Be the first to know when new unknown vulnerabilities affecting craftcms commerce are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
craftcms / commerce
>= 4.0.0 < 4.10.2 >= 5.0.0 < 5.5.3