Platform
php
Component
craftcms/commerce
Fixed in
4.0.1
5.0.1
4.10.2
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in Craft Commerce, specifically within the order details section. It allows an attacker to inject JavaScript through fields such as the Shipping Method Name, Order Reference, or Site Name. Because the payload is stored with the order, it executes in the browser of any user who later views the order details, potentially leading to session hijacking or defacement.
The primary impact of this XSS vulnerability is the potential for an attacker to execute arbitrary JavaScript code within the context of a user's browser. This could be leveraged to steal session cookies, redirect users to malicious websites, or modify the content displayed on the page. Successful exploitation could compromise user accounts and potentially lead to further attacks on the underlying system. The attack vector involves manipulating order details, making it possible to target specific users or groups of users who interact with the commerce platform.
This vulnerability was publicly disclosed on 2026-03-10. No public proof-of-concept (POC) code has been released at the time of writing, but the ease of reproduction suggests a moderate risk of exploitation. It is not currently listed on CISA KEV. The CVSS score of 2.5 indicates a low severity, but the potential for user compromise warrants prompt remediation.
Exploit Status
EPSS
0.01% (1st percentile)
CISA SSVC
The recommended mitigation is to upgrade Craft Commerce to version 4.10.2 or later, which includes the fix for this vulnerability. If upgrading immediately is not feasible, consider implementing input validation and sanitization on the Shipping Method Name, Order Reference, and Site Name fields to prevent the injection of malicious code. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide an additional layer of protection. Regularly review and update your Craft Commerce installation to ensure you are running the latest security patches.
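The standard defence against stored XSS of this kind is contextual output encoding at render time, so that whatever was stored in the Shipping Method Name, Order Reference or Site Name fields is displayed as text rather than interpreted as markup. The following PHP is an added example written for this page; it is not Craft Commerce code, the `$order` array layout and the `renderOrderDetails` / `renderOrderDetailsUnsafe` function names are assumptions, and the sample field values are constructed test data. It shows the unescaped rendering beside the hardened one and checks that the hardened output contains no raw tag or quote characters from stored data.

```php
<?php
// Added example, not Craft Commerce code: render order-detail fields with
// contextual HTML escaping so stored values cannot break out of the markup.
declare(strict_types=1);

/**
 * Escape a stored string for insertion into HTML element content or a
 * double-quoted attribute. ENT_QUOTES also escapes single quotes;
 * ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Hardened rendering. The array keys mirror the field names in the advisory;
 * the layout is an assumption for this example, not Craft's order model.
 */
function renderOrderDetails(array $order): string
{
    return sprintf(
        '<dl class="order-details">'
        . '<dt>Site</dt><dd>%s</dd>'
        . '<dt>Reference</dt><dd>%s</dd>'
        . '<dt>Shipping method</dt><dd>%s</dd>'
        . '</dl>',
        escapeHtml($order['siteName']),
        escapeHtml($order['reference']),
        escapeHtml($order['shippingMethodName'])
    );
}

/** Vulnerable counterpart: interpolates the stored values as raw HTML. */
function renderOrderDetailsUnsafe(array $order): string
{
    return sprintf(
        '<dl class="order-details"><dt>Site</dt><dd>%s</dd><dt>Reference</dt><dd>%s</dd>'
        . '<dt>Shipping method</dt><dd>%s</dd></dl>',
        $order['siteName'],
        $order['reference'],
        $order['shippingMethodName']
    );
}

// Constructed sample order: one field carries a script tag, another a
// quote character that would break out of an attribute (test data only).
$order = [
    'siteName'           => 'Example Store',
    'reference'          => 'ORD-1001" onmouseover="alert(1)',
    'shippingMethodName' => '<script>alert("stored xss")</script>Standard',
];

$unsafe = renderOrderDetailsUnsafe($order);
$safe   = renderOrderDetails($order);

// The unsafe output passes the tag through; the hardened output encodes it
// and leaves no raw double quote inside any <dd> element.
assert(str_contains($unsafe, '<script>'));
assert(!str_contains($safe, '<script>'));
assert(str_contains($safe, '&lt;script&gt;'));
assert(!preg_match('/<dd>[^<]*"/', $safe));

echo $safe, PHP_EOL;
```

Run it with `php example.php` (PHP 8 or later, since it uses `str_contains`). In Twig templates, which Craft uses, the equivalent is to keep autoescaping enabled and never apply the `|raw` filter to these order fields; escaping on output is what makes the fix hold regardless of how the value entered the database, whereas input validation alone can be bypassed by any path that writes to the field without going through the validator.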
Update Craft Commerce to version 4.10.2 or higher, or to version 5.5.3 or higher, as appropriate for your current version. This will fix the stored XSS vulnerability in order details.
CVE-2026-29177 is a Stored Cross-Site Scripting (XSS) vulnerability in Craft Commerce versions up to 4.9.4, allowing malicious JavaScript injection via order details fields.
Yes, if you are using Craft Commerce version 4.9.4 or earlier, you are potentially affected by this XSS vulnerability.
Upgrade Craft Commerce to version 4.10.2 or later to resolve this vulnerability. Consider input validation as a temporary workaround.
While no active exploitation has been confirmed, the ease of reproduction suggests a potential risk.
Refer to the official Craft CMS security advisory for detailed information and updates: [https://craftcms.com/security/](https://craftcms.com/security/)