Vulnerability Description
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Stored XSS vulnerabilities exist in the Commerce Inventory page. The Product Title, Variant Title, and Variant SKU fields are rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript when any user (including administrators) views the inventory management page. This vulnerability is fixed in 5.5.3.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Craftcms | Craft Commerce | >= 5.0.0, < 5.5.3 |
Related Weaknesses (CWE)
References
- https://github.com/craftcms/commerce/commit/9f0638a4fb29ed8295a463385a7cc49ec986Patch
- https://github.com/craftcms/commerce/security/advisories/GHSA-cfpv-rmpf-f624ExploitVendor Advisory
- https://github.com/craftcms/commerce/security/advisories/GHSA-cfpv-rmpf-f624ExploitVendor Advisory
FAQ
What is CVE-2026-29175?
CVE-2026-29175 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Stored XSS vulnerabilities exist in the Commerce Inventory page. The Product Title, Variant Title, and Variant SKU fields are ren...
How severe is CVE-2026-29175?
CVE-2026-29175 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-29175?
Check the references section above for vendor advisories and patch information. Affected products include: Craftcms Craft Commerce.