Platform: php
Component: craftcms/commerce
Fixed in: 4.0.1, 5.0.1, 4.10.2
A stored Cross-Site Scripting (XSS) vulnerability has been identified in Craft Commerce, specifically within the Order Status management section. This flaw allows an attacker to inject malicious scripts when updating the Order Status Name, potentially leading to unauthorized actions or data theft. The vulnerability affects versions of Craft Commerce up to 4.9.4, and a fix is available in version 4.10.2.
Successful exploitation of CVE-2026-29173 allows an attacker to execute arbitrary JavaScript code in the context of an administrator's session. This could lead to account takeover, data exfiltration (including sensitive customer information), and defacement of the Commerce site. The impact is particularly severe as it targets administrative accounts, granting attackers a high level of control over the entire e-commerce platform. The attack leverages the lack of proper output encoding when rendering the Order Status Name, a common XSS vector. While the CVSS score is LOW, the potential for significant damage to the business and customer trust warrants immediate attention.
This vulnerability was publicly disclosed on 2026-03-10. A proof-of-concept (POC) demonstrating the XSS vulnerability is readily available. As of this writing, there are no reports of active exploitation campaigns targeting CVE-2026-29173, but the ease of exploitation and the potential impact warrant close monitoring. The vulnerability is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.01% (1st percentile)
CISA SSVC
The primary mitigation for CVE-2026-29173 is to upgrade Craft Commerce to version 4.10.2 or later, which includes the necessary fix. If immediate upgrading is not possible, consider implementing input validation and output encoding on the Order Status Name field to prevent malicious script injection. Web Application Firewalls (WAFs) configured to detect and block XSS payloads targeting the Commerce Orders Table can provide an additional layer of protection. Regularly review and sanitize all user-supplied input to minimize the risk of XSS vulnerabilities.
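As an added illustration of the interim workaround described above (example code, not Craft Commerce's own), the following PHP shows the two controls side by side for a field like the Order Status Name: validation when the value is written, and HTML output encoding when it is rendered into the orders table. The function names and the sample value are constructed for this example.

```php
<?php
// Added example, not Craft Commerce's own code. Shows the two controls
// named in the mitigation text for a field such as the Order Status Name:
// 1) validate the value on input, 2) HTML-encode it on output.
// Function names and the sample value below are constructed.

declare(strict_types=1);

/**
 * Input validation: an order status name is a short human-readable label.
 * Reject HTML tag delimiters and control bytes outright.
 * Returns a list of error messages (an empty list means the value is valid).
 */
function validateOrderStatusName(string $name): array
{
    $errors = [];
    $trimmed = trim($name);
    if ($trimmed === '' || mb_strlen($trimmed) > 255) {
        $errors[] = 'Name must be between 1 and 255 characters.';
    }
    if (preg_match('/[<>\x00-\x1F\x7F]/u', $name) === 1) {
        $errors[] = 'Name may not contain < or > or control characters.';
    }
    return $errors;
}

/**
 * Output encoding: encode every time the value is rendered into HTML,
 * regardless of validation, so a value that pre-dates the validator
 * (already stored in the database) is still rendered as inert text.
 */
function renderOrderStatusCell(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    return '<td class="order-status">' . $safe . '</td>';
}

// Constructed sample: a status name carrying a script tag.
$submitted = 'Shipped<script>alert(1)</script>';

// At write time the validator rejects the submission...
foreach (validateOrderStatusName($submitted) as $error) {
    echo $error, "\n";
}

// ...and even if such a value already exists in the database,
// output encoding renders it as literal text rather than markup.
echo renderOrderStatusCell($submitted), "\n";
```

Because the validator only blocks tag delimiters, ampersands and quotes in legitimate names such as "Packed & Shipped" still pass; the encoding step is what makes those characters safe in the rendered table.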
Upgrade Craft Commerce to version 4.10.2 or later if you are using the 4.x series, or to version 5.5.3 or later if you are using the 5.x series. This fixes the stored XSS vulnerability triggered when updating the order status from the orders table.
CVE-2026-29173 is a stored Cross-Site Scripting (XSS) vulnerability in Craft Commerce affecting versions up to 4.9.4. It allows attackers to inject malicious scripts via Order Status Names.
You are affected if you are using Craft Commerce versions 4.9.4 or earlier. Upgrade to 4.10.2 to mitigate the risk.
Upgrade Craft Commerce to version 4.10.2 or later. Implement input validation and output encoding as a temporary workaround.
There are currently no confirmed reports of active exploitation, but the vulnerability is easily exploitable and should be addressed promptly.
Refer to the official Craft CMS security advisory for details and updates: [https://craftcms.com/security/](https://craftcms.com/security/)