QwikSec

Security Database

CVE

CWE

Training

CVE-2026-29173

Published: Mar 10, 2026

Modified: Mar 10, 2026

PUBLISHED

Description

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. This vulnerability is fixed in 4.10.2 and 5.5.3.

Vendor	Product	Versions
craftcms	commerce	affected `>= 4.0.0 < 4.10.2` affected `>= 5.0.0 < 5.5.3`

Weaknesses (CWE)

References

https://github.com/craftcms/commerce/security/advisories/GHSA-mqxf-2998-c6cp

x_refsource_CONFIRM

https://github.com/craftcms/commerce/commit/60cdc505c03b6fa2f59715e8c060114b66334afa

x_refsource_MISC

https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.