Skip to content

Stored XSS in Craft Commerce Order Details Slideout

Low
angrybrad published GHSA-mj32-r678-7mvp Mar 9, 2026

Package

composer craftcms/commerce (Composer)

Affected versions

>= 4.0.0 <= 4.10.1
>= 5.0.0 <= 5.5.2

Patched versions

4.10.2
5.5.3

Description

Summary

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name. When a user opens the order details slideout via a double-click on the order index page, the injected payload executes.

Reproduction Steps

  1. Navigate to Commerce -> Store Management -> Shipping Methods.
  2. Click "New Shipping Method".
  3. In the Name field, enter the following XSS payload: 
    <img src=x onerror=alert('XSS_Shipping')>
  4. Save the Shipping Method.
  5. Place a new order or edit an existing order.
  6. Set the order's Shipping Method to the one created in the previous steps.
  7. Navigate to the Orders index page (/admin/commerce/orders).
  8. Double-click the target order to open the details slideout.
  9. Result: The XSS payload executes.

References

b0683e0

Severity

Low

CVE ID

CVE-2026-29177

Weaknesses

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Learn more on MITRE.

Credits