4.8
CVE-2026-29173
- EPSS 0.32%
- Veröffentlicht 10.03.2026 19:54:25
- Zuletzt bearbeitet 11.03.2026 16:55:37
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginCraft Commerce has Stored XSS while updating Order Status from Orders Table
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. This vulnerability is fixed in 4.10.2 and 5.5.3.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Craftcms ≫ Craft Commerce SwPlatformcraft_cms Version >= 4.0.0 < 4.10.2
Craftcms ≫ Craft Commerce SwPlatformcraft_cms Version >= 5.0.0 < 5.5.3
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.32% | 0.233 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.8 | 1.7 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
|
| security-advisories@github.com | 1.9 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://github.com/craftcms/commerce/security/advisories/GHSA-mqxf-2998-c6cp
https://github.com/craftcms/commerce/commit/60cdc505c03b6fa2f59715e8c060114b66334afa
https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b