CVE-2026-29177 in Craft Commerce

Summary

by MITRE • 03/11/2026

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name. When a user opens the order details slideout via a double-click on the order index page, the injected payload executes. This vulnerability is fixed in 4.10.2 and 5.5.3.


Analysis

by VulDB Data Team • 03/16/2026

CVE-2026-29177 is a critical stored cross-site scripting flaw in Craft Commerce, an ecommerce platform built for Craft CMS. It affects versions prior to 4.10.2 and 5.5.3. Three fields in the order management interface, the Shipping Method Name, Order Reference, and Site Name, accept input that is stored and later rendered without proper sanitization or escaping, so an attacker can persist malicious JavaScript in order details. This is the classic stored XSS pattern: user-supplied data is written back into the page as markup rather than as text, and every user who views the affected record runs the injected script.

Exploitation follows a specific interaction path in the Craft Commerce control panel. An attacker injects JavaScript into one of the vulnerable fields, and the value is stored in the database. When a legitimate user later double-clicks an order on the order index page to open the details slideout, the stored payload executes in that user's browser. The script runs in the context of the authenticated user's session, so the attacker can perform actions with that user's privileges. Because the only interaction required is the ordinary double-click, the flaw is highly exploitable in practice.

The impact extends beyond script execution to data theft, session hijacking, and privilege escalation within the Craft Commerce platform. A user who opens an affected order could have their browser session compromised, exposing customer data, order information, and financial details. Because the payload is stored, it keeps executing for every user who views the affected order details until the patched version is installed; the risk persists long after the initial injection and is especially serious in e-commerce environments where order data is viewed and edited frequently. The vulnerability is classified as CWE-79 (cross-site scripting) and represents a clear failure of secure input validation practices.

Organizations running Craft Commerce should apply interim mitigations while upgrading to 4.10.2 or 5.5.3, which is the required fix. The recommended approach is comprehensive input sanitization and output encoding for all user-supplied data in the affected fields. A web application firewall with XSS detection adds a further protective layer. The flaw lends itself to automated exploitation, since a crafted payload executes as soon as a user opens the order details. In ATT&CK terms it maps to client-side exploitation and credential access techniques, with privilege escalation possible if the compromised user holds elevated permissions in Craft Commerce. Regular security audits and penetration testing should cover the platform's other components, since this flaw shows how important consistent input validation is across every user-facing interface.
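The mitigation the analysis recommends, output encoding at the point where stored order fields are rendered, is shown below as an added example. It is not Craft Commerce's own code: the field names (reference, siteName, shippingMethodName), the slideout markup, and the sample order are all assumptions constructed for the illustration. The unsafe renderer shows the pattern that makes a stored field an injection point; the hardened renderer escapes every untrusted value; and findUnescapedFields is a regression check a team could keep in its test suite so that a later template change cannot quietly reintroduce the defect.

```javascript
// Added example, not Craft Commerce code. Demonstrates output encoding for
// untrusted order fields before they are rendered into an HTML slideout.

// Escape the characters that are significant in HTML text and in
// double- or single-quoted attribute values (same character set that
// Twig's html escaper neutralizes).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: raw field values are concatenated straight into markup.
// Each of the three fields named in the advisory becomes an injection point.
function renderOrderSlideoutUnsafe(order) {
  return (
    `<div class="order-details" data-reference="${order.reference}">` +
    `<h2>Order ${order.reference}</h2>` +
    `<p>Site: ${order.siteName}</p>` +
    `<p>Shipping: ${order.shippingMethodName}</p>` +
    `</div>`
  );
}

// Hardened pattern: every untrusted value is escaped at the point of output,
// in both the attribute context and the text context.
function renderOrderSlideout(order) {
  const ref = escapeHtml(order.reference);
  return (
    `<div class="order-details" data-reference="${ref}">` +
    `<h2>Order ${ref}</h2>` +
    `<p>Site: ${escapeHtml(order.siteName)}</p>` +
    `<p>Shipping: ${escapeHtml(order.shippingMethodName)}</p>` +
    `</div>`
  );
}

// Regression check: return the names of any fields whose value contains
// markup-significant characters and still appears verbatim in the output.
function findUnescapedFields(render, order) {
  const html = render(order);
  return Object.keys(order).filter(
    (key) => /[<>"']/.test(order[key]) && html.includes(order[key])
  );
}

// Constructed sample order (hypothetical field names). The values are test
// markers that only write to the console; they stand in for hostile input.
const sampleOrder = {
  reference: 'ORD-1001"><b>ref</b>',
  siteName: '<script>console.log("site")</script>',
  shippingMethodName: 'Express <img src=x onerror="console.log(1)">',
};

console.log('unsafe leaks:', findUnescapedFields(renderOrderSlideoutUnsafe, sampleOrder));
console.log('hardened leaks:', findUnescapedFields(renderOrderSlideout, sampleOrder));
console.log(renderOrderSlideout(sampleOrder));
```

In a browser the safer path is usually to avoid string-built markup altogether and assign untrusted values with textContent or setAttribute, which encode for you; the explicit escaper above covers the template-string path that slideouts and index panels often use. The regression check is deliberately crude (it only flags values that round-trip unchanged) but it catches exactly the class of defect the advisory describes.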

Responsible

GitHub M

Reservation

03/04/2026

Disclosure

03/11/2026

Moderation

accepted

CPE

ready

EPSS

0.00014

KEV

no

Activities

very low
