Craft Commerce Inventory Locations Page Allows Malicious Code Execution
GHSA-wj89-2385-gpx3 · CVE-2026-29176 · CVSS 4.0 (GHSA) 4.8
Summary
Craft Commerce renders the Name field of an inventory location (Commerce Settings, Inventory Locations page) into HTML without escaping it. An attacker who can set that name can store a JavaScript payload that runs in the browser of an administrator, or of any user with product editing permissions, when that user creates or edits a variant product. Script executing in a control panel session can perform actions with that user's privileges and read data the user can see. Update to Craft Commerce 5.5.3 or later, which escapes the field.
What to do
- Update the craftcms/commerce Composer package (listed by some sources as craftcms commerce or craft_commerce) to version 5.5.3 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| craftcms | craftcms/commerce (Composer package; also listed as craft_commerce and commerce) | > 5.0.0, < 5.5.3 | 5.5.3 |
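The quickest way to tell whether a Craft site is in the affected range is to read the pinned version out of its composer.lock. The script below is an added example, not code from Craft CMS or from the advisory: it parses the lock file's standard "packages" and "packages-dev" arrays, compares the craftcms/commerce version against the 5.5.3 fix, and treats the whole 5.x line before 5.5.3 (including 5.5.3 pre-releases) as affected, following the advisory's "prior to 5.5.3" wording. The composer.lock excerpt is constructed for the demonstration; call check_lock_file() on a real lock file to use it.

```python
"""Check a composer.lock for a Craft Commerce version that predates the
5.5.3 fix for GHSA-wj89-2385-gpx3.

Added example, not Craft CMS or advisory code. SAMPLE_LOCK is a
constructed composer.lock excerpt used only for the demonstration."""
import json
import re
from typing import Optional, Tuple

PACKAGE = "craftcms/commerce"
FIXED_IN = (5, 5, 3)  # first release with the escaping fix, per the advisory

# Constructed lock excerpt: a site pinned to the last vulnerable release.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.6.0"},
        {"name": "craftcms/commerce", "version": "5.5.2"},
    ],
    "packages-dev": [],
})

_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)(.*)$")


def parse_version(version: str) -> Tuple[tuple, bool]:
    """Return (numeric parts padded to at least major.minor.patch, is_final).

    'v5.5.2' -> ((5, 5, 2), True); '5.5.3-beta.1' -> ((5, 5, 3), False).
    Pre-releases are flagged so that 5.5.3-beta.1 still counts as before
    the 5.5.3 fix."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts = parts + (0,) * max(0, 3 - len(parts))
    is_final = m.group(2).strip() == ""
    return parts, is_final


def is_affected(version: str) -> bool:
    """True for any 5.x release below 5.5.3, or a 5.5.3 pre-release.

    Only the 5.x line is listed on the advisory, so other major versions
    are reported as not in the listed range rather than as safe."""
    nums, is_final = parse_version(version)
    if nums[0] != 5:
        return False
    if nums < FIXED_IN:
        return True
    return nums[:3] == FIXED_IN and not is_final


def find_package_version(lock_json: str, name: str = PACKAGE) -> Optional[str]:
    """Look a package up in both sections a composer.lock can list it in."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == name:
                return pkg.get("version")
    return None


def check_lock(lock_json: str) -> dict:
    """Summarise the exposure of one lock file as a small report dict."""
    version = find_package_version(lock_json)
    if version is None:
        return {"package": PACKAGE, "version": None, "affected": False,
                "note": "package not present in lock file"}
    affected = is_affected(version)
    fixed = ".".join(str(n) for n in FIXED_IN)
    return {"package": PACKAGE, "version": version, "affected": affected,
            "note": f"update to {fixed} or later" if affected
            else "not in the affected range listed for this advisory"}


def check_lock_file(path: str) -> dict:
    """Run check_lock() on a composer.lock on disk."""
    with open(path, encoding="utf-8") as fh:
        return check_lock(fh.read())


if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```

Run it against the lock file of every Craft install you manage rather than trusting composer.json, which only records the constraint, not what was actually installed.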
Original description
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, a stored XSS vulnerability exists in the Commerce Settings - Inventory Locations page. The Name field is rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript. This XSS triggers when an administrator (or user with product editing permissions) creates or edits a variant product. This vulnerability is fixed in 5.5.3.
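The bug class behind the description above, as an added example that is not Craft Commerce code: the rendering is mimicked with plain Python string formatting instead of Craft's Twig templates, and the assumption that the location name ends up in an HTML option list on the variant edit page is mine, since the page does not show the real markup. The block renders a stored name both the vulnerable way (verbatim, which is what Twig's |raw filter or a disabled autoescape does) and the fixed way (html.escape, the equivalent of Twig's autoescape or |e), and adds a scan over stored names for markup. The scan matters after the upgrade too: 5.5.3 stops the payload from rendering, but a payload already saved as a location name stays in the database until someone removes it. The location records are constructed for the demonstration.

```python
"""Stored XSS via an unescaped Name field: vulnerable rendering, fixed
rendering, and a scan for payloads already stored.

Added example, not Craft Commerce code. LOCATIONS and OPTION_TEMPLATE are
constructed stand-ins for the inventory location records and the
control-panel markup, which the advisory does not reproduce."""
import html
import re

# Constructed sample records. Entry 2 is the kind of name an attacker able to
# edit an inventory location could have saved.
LOCATIONS = [
    {"id": 1, "name": "Main warehouse"},
    {"id": 2, "name": '<img src=x onerror="alert(document.cookie)">'},
    {"id": 3, "name": "Store & Pickup"},
]

# Assumed markup: a select option on the variant edit page showing the name.
OPTION_TEMPLATE = '<option value="{id}">{name}</option>'


def render_option_unescaped(location: dict) -> str:
    """Vulnerable pattern: the name is inserted verbatim, so any tag or event
    handler it contains becomes live markup in the admin's browser."""
    return OPTION_TEMPLATE.format(id=location["id"], name=location["name"])


def render_option_escaped(location: dict) -> str:
    """Fixed pattern: escape before insertion. quote=True also encodes quotes,
    so a name can never break out of an attribute value either."""
    return OPTION_TEMPLATE.format(
        id=location["id"], name=html.escape(location["name"], quote=True))


def rendered_contains_live_tag(fragment: str) -> bool:
    """A correctly rendered option has exactly one opening tag (its own);
    any further '<' followed by a letter means stored markup went live."""
    return len(re.findall(r"<[a-zA-Z]", fragment)) > 1


# Heuristic: tag openers, on*= event handlers, and javascript: URLs. Names
# that trip it need a human look; legitimate names with these strings are
# possible but rare.
_MARKUP_RE = re.compile(r"<[a-zA-Z/!]|\bon\w+\s*=|javascript:", re.IGNORECASE)


def find_markup_in_names(locations) -> list:
    """Return ids of stored locations whose name looks like markup, so a
    payload saved before the upgrade can be found and cleaned up."""
    return [loc["id"] for loc in locations if _MARKUP_RE.search(loc["name"])]


if __name__ == "__main__":
    for loc in LOCATIONS:
        print("unescaped:", render_option_unescaped(loc))
        print("escaped:  ", render_option_escaped(loc))
    print("suspicious ids:", find_markup_in_names(LOCATIONS))
```

When auditing Twig templates for the same mistake, look for |raw on user-controlled values and for blocks where autoescape is switched off; the escaped rendering above is what autoescape produces by default.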
Severity: 4.8 (CVSS 4.0, scored by GHSA)
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
- https://github.com/craftcms/commerce/security/advisories/GHSA-wj89-2385-gpx3
- https://github.com/craftcms/commerce/commit/da143df084563ddf0929d7c261bcc11d312e...
- https://github.com/advisories/GHSA-wj89-2385-gpx3
- https://github.com/craftcms/commerce (product repository)
- https://nvd.nist.gov/vuln/detail/CVE-2026-29176
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026