CVE-2026-29173: XSS in Craft Commerce
Platform: php
Component: craftcms/commerce
Fixed in: 4.0.1, 5.0.1, 4.10.2
A stored Cross-Site Scripting (XSS) vulnerability has been identified in Craft Commerce, specifically within the Order Status management section. This flaw allows an attacker to inject malicious scripts when updating the Order Status Name, potentially leading to unauthorized actions or data theft. The vulnerability affects versions of Craft Commerce up to 4.9.4, and a fix is available in version 4.10.2.
Impact and Attack Scenarios
Successful exploitation of CVE-2026-29173 allows an attacker to execute arbitrary JavaScript code in the context of an administrator's session. This could lead to account takeover, data exfiltration (including sensitive customer information), and defacement of the Commerce site. The impact is particularly severe as it targets administrative accounts, granting attackers a high level of control over the entire e-commerce platform. The attack leverages the lack of proper output encoding when rendering the Order Status Name, a common XSS vector. While the CVSS score is LOW, the potential for significant damage to the business and customer trust warrants immediate attention.
Exploitation Context
This vulnerability was publicly disclosed on 2026-03-10. A proof-of-concept (POC) demonstrating the XSS vulnerability is readily available. As of this writing, there are no reports of active exploitation campaigns targeting CVE-2026-29173, but the ease of exploitation and the potential impact warrant close monitoring. The vulnerability is not currently listed on CISA KEV.
Threat Intelligence
- EPSS: 0.01% (1st percentile)
Affected Software
Package Information
- Last updated: 5.6.5, recently
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2026-29173 is to upgrade Craft Commerce to version 4.10.2 or later, which includes the necessary fix. If immediate upgrading is not possible, consider implementing input validation and output encoding on the Order Status Name field to prevent malicious script injection. Web Application Firewalls (WAFs) configured to detect and block XSS payloads targeting the Commerce Orders Table can provide an additional layer of protection. Regularly review and sanitize all user-supplied input to minimize the risk of XSS vulnerabilities.
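The workaround above comes down to two habits: validate the Order Status Name when it is saved, and encode it for the HTML context it is rendered into. The following PHP is an added example written for this page, not Craft Commerce's own code; the function names, the row layout and the sample status name are constructed, and it only illustrates the pattern, not the actual control-panel template.

```php
<?php
// Added example, not Craft Commerce code: contrasts interpolating a stored
// order-status name into HTML directly (the pattern behind a stored XSS)
// with encoding it for the context it lands in. Function names and the
// sample status name are constructed for illustration.

declare(strict_types=1);

/** Encode a string for HTML text or a double-quoted attribute value. */
function encodeHtml(string $value): string
{
    // ENT_QUOTES escapes both quote styles; ENT_SUBSTITUTE keeps invalid
    // UTF-8 from silently turning the output into an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: the stored name is written into the markup as-is. */
function renderOrderRowUnsafe(int $orderId, string $statusName): string
{
    return "<tr><td>{$orderId}</td>"
         . "<td data-status=\"{$statusName}\">{$statusName}</td></tr>";
}

/** Fixed pattern: every interpolation point is encoded. */
function renderOrderRowSafe(int $orderId, string $statusName): string
{
    $encoded = encodeHtml($statusName);
    return "<tr><td>{$orderId}</td>"
         . "<td data-status=\"{$encoded}\">{$encoded}</td></tr>";
}

/**
 * Input-side check to pair with output encoding: non-empty, bounded length,
 * valid UTF-8, no control characters. It deliberately does not try to strip
 * markup; encoding at output time is what prevents the injection.
 */
function isValidStatusName(string $name): bool
{
    // preg_match() returns false on invalid UTF-8, so only a clean 0 passes.
    return $name !== ''
        && mb_strlen($name, 'UTF-8') <= 255
        && preg_match('/[\x00-\x1F\x7F]/u', $name) === 0;
}

// Constructed sample: a status name containing HTML-significant characters.
$sample = 'Shipped <b>"fast"</b> & \'tracked\'';

echo "valid input: ", var_export(isValidStatusName($sample), true), PHP_EOL;
echo "unsafe: ", renderOrderRowUnsafe(1001, $sample), PHP_EOL;
echo "safe:   ", renderOrderRowSafe(1001, $sample), PHP_EOL;
```

Run with `php example.php`. The unsafe row reproduces the `<b>` tag and the quotes verbatim, so the browser interprets them; the safe row emits `&lt;b&gt;&quot;fast&quot;&lt;/b&gt; &amp; &apos;tracked&apos;`, which renders as literal text. Craft's Twig templates autoescape by default, so in practice the exposure tends to come from values rendered with `|raw`, assembled by string concatenation in PHP, or written into the DOM by client-side JavaScript; those are the places to check when auditing for this class of bug.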
How to fix
Update Craft Commerce to version 4.10.2 or later if you are on the 4.x series, or to version 5.5.3 or later if you are on the 5.x series. This fixes the stored XSS vulnerability triggered when updating the order status from the orders table.
Frequently asked questions
What is CVE-2026-29173 — XSS in Craft Commerce?
CVE-2026-29173 is a stored Cross-Site Scripting (XSS) vulnerability in Craft Commerce affecting versions up to 4.9.4. It allows attackers to inject malicious scripts via Order Status Names.
Am I affected by CVE-2026-29173 in Craft Commerce?
You are affected if you are using Craft Commerce versions 4.9.4 or earlier. Upgrade to 4.10.2 to mitigate the risk.
How do I fix CVE-2026-29173 in Craft Commerce?
Upgrade Craft Commerce to version 4.10.2 or later. Implement input validation and output encoding as a temporary workaround.
Is CVE-2026-29173 being actively exploited?
There are currently no confirmed reports of active exploitation, but the vulnerability is easily exploitable and should be addressed promptly.
Where can I find the official Craft CMS advisory for CVE-2026-29173?
Refer to the official Craft CMS security advisory for details and updates: [https://craftcms.com/security/](https://craftcms.com/security/)