1.9

Craft Commerce: Stored XSS in Order Status Updates

GHSA-mqxf-2998-c6cp · CVE-2026-29173
Summary

An attacker who can set an Order Status name can store script in it: the name is rendered without escaping in the Commerce Orders table, so the script runs in the browser of any control-panel user who updates an order's status from that table, with that user's session and permissions. This is a serious issue for stores running Craft Commerce 4.x or 5.x. Update to version 4.10.2 (4.x) or 5.5.3 (5.x) to fix the problem.

What to do
  • Craft Commerce 4.x: update craftcms/commerce to version 4.10.2.
  • Craft Commerce 5.x: update craftcms/commerce to version 5.5.3.
  • To check which version is installed, run `composer show craftcms/commerce` in the project root; anything below 4.10.2 on the 4.x line or below 5.5.3 on the 5.x line is affected.
Affected software
Vendor     Product             Affected versions       Fix available
craftcms   craft_commerce      > 4.0.0, <= 4.10.1      4.10.2
craftcms   craft_commerce      > 5.0.0, <= 5.5.2       5.5.3
craftcms   commerce            > 4.0.0, <= 4.10.1      4.10.2
craftcms   commerce            > 5.0.0, <= 5.5.2       5.5.3
craftcms   craftcms/commerce   > 4.0.0, <= 4.10.1      4.10.2
craftcms   craftcms/commerce   > 5.0.0, <= 5.5.2       5.5.3
(The three product names refer to the same Composer package, craftcms/commerce; the fixed versions 4.10.2 and 5.5.3 are not affected.)
Original description
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. This vulnerability is fixed in 4.10.2 and 5.5.3.
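The rendering mistake the description points at, and the escaping that fixes it, as an added illustration that is not Craft Commerce's own code. The option-rendering functions, the sample status list, the payloads and the `inspectMarkup` checker are constructed for this example; Craft's real control-panel templates and the exact sink in the Orders table are not reproduced here.

```javascript
// Added illustration (not Craft Commerce code): an Order Status name stored by
// a privileged user is later rendered into the Orders table for every
// control-panel user. If it is interpolated raw, the stored name is HTML.

// Constructed sample statuses. #2 and #3 carry hypothetical payloads an
// attacker who can edit order statuses might save as the status name.
const STATUSES = [
  { id: 1, name: 'Shipped' },
  { id: 2, name: '<img src=x onerror=alert(document.cookie)>' },
  { id: 3, name: '" onmouseover="alert(1)' },
];

// Escape for HTML text content and double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Inverse of escapeHtml, used only to show that escaping loses no data.
function decodeHtml(value) {
  return String(value)
    .replace(/&#39;/g, "'")
    .replace(/&quot;/g, '"')
    .replace(/&gt;/g, '>')
    .replace(/&lt;/g, '<')
    .replace(/&amp;/g, '&');
}

// Vulnerable pattern: the stored name goes straight into the markup of the
// dropdown a control-panel user opens to change an order's status.
function renderStatusOptionUnsafe(status) {
  return `<option value="${status.id}" title="${status.name}">${status.name}</option>`;
}

// Fixed pattern: every untrusted value is escaped for the context it lands in
// (attribute value and text content both need it here).
function renderStatusOptionSafe(status) {
  const name = escapeHtml(status.name);
  return `<option value="${escapeHtml(status.id)}" title="${name}">${name}</option>`;
}

// Demo-only inspector (hypothetical helper, not a real HTML parser): lists the
// element names in a fragment and the attribute names on the <option> start
// tag. A correctly escaped option yields elements ['option','option'] and no
// on* attributes; anything else means the stored name broke out of its context.
function inspectMarkup(html) {
  const elements = [...html.matchAll(/<\/?([a-z][a-z0-9]*)/gi)].map((m) => m[1].toLowerCase());
  const start = html.match(/<option\b([^>]*)>/i);
  const attributes = start
    ? [...start[1].matchAll(/([^\s=]+)\s*=\s*"[^"]*"/g)].map((m) => m[1].toLowerCase())
    : [];
  const leaks = elements.some((e) => e !== 'option') || attributes.some((a) => a.startsWith('on'));
  return { elements, attributes, leaks };
}

// Render each status both ways and report which renderings leak live markup.
function audit(statuses = STATUSES) {
  return statuses.map((s) => ({
    id: s.id,
    unsafe: inspectMarkup(renderStatusOptionUnsafe(s)),
    safe: inspectMarkup(renderStatusOptionSafe(s)),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of audit()) console.log(JSON.stringify(row));
}
```

Payload #2 injects a new element; payload #3 stays inside the `<option>` tag but adds an event-handler attribute, which is why escaping only `<` and `>` is not enough and quotes must be escaped too. The fix in the advisory is the equivalent of switching from the unsafe renderer to the safe one at the sink; the escaped name still round-trips to the original string, so no legitimate status name is lost.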
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026