Craft Commerce Ecommerce Platform: Malicious Code Injection Risk
GHSA-cfpv-rmpf-f624 · CVE-2026-29175
Summary
An attacker can inject malicious code (stored cross-site scripting) into the Craft Commerce inventory management page, so that it executes in the browser of any user who views that page, including administrators. This can lead to unauthorized actions on the site, compromising security and confidentiality. Update to Craft Commerce version 5.5.3 or later to resolve this issue.
What to do
- Update the craftcms/commerce package to version 5.5.3 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| craftcms | craft_commerce | > 5.0.0, <= 5.5.3 | – |
| craftcms | commerce | > 5.0.0, <= 5.5.2 | 5.5.3 |
| craftcms | craftcms/commerce | > 5.0.0, <= 5.5.3 | 5.5.3 |
Original description
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Stored XSS vulnerabilities exist in the Commerce Inventory page. The Product Title, Variant Title, and Variant SKU fields are rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript when any user (including administrators) views the inventory management page. This vulnerability is fixed in 5.5.3.
CVSS 4.0 score (GHSA): 8.6
Vulnerability type
CWE-79: Cross-site Scripting (XSS)
References
- https://github.com/craftcms/commerce/security/advisories/GHSA-cfpv-rmpf-f624
- https://github.com/craftcms/commerce/commit/9f0638a4fb29ed8295a463385a7cc49ec986...
- https://github.com/advisories/GHSA-cfpv-rmpf-f624
- https://github.com/craftcms/commerce (product repository)
- https://nvd.nist.gov/vuln/detail/CVE-2026-29175
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026