
Craft Commerce: Malicious scripts can run when viewing order details

GHSA-mj32-r678-7mvp · CVE-2026-29177
Summary

A stored cross-site scripting (XSS) flaw in Craft Commerce's order details view allows an attacker to inject script through order data. The script runs in the browser of any user who opens the order details. To fix this, update to Craft Commerce 4.10.2 or 5.5.3.

What to do
  • Update craftcms/commerce to version 4.10.2 (4.x branch).
  • Update craftcms/commerce to version 5.5.3 (5.x branch).
Affected software
Vendor     Product             Affected versions       Fix available
craftcms   craft_commerce      > 4.0.0, <= 4.10.2
craftcms   craft_commerce      > 5.0.0, <= 5.5.3
craftcms   commerce            > 4.0.0, <= 4.10.1      4.10.2
craftcms   commerce            > 5.0.0, <= 5.5.2       5.5.3
craftcms   craftcms/commerce   > 4.0.0, <= 4.10.2      4.10.2
craftcms   craftcms/commerce   > 5.0.0, <= 5.5.3       5.5.3
Original description
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name. When a user opens the order details slideout via a double-click on the order index page, the injected payload executes. This vulnerability is fixed in 4.10.2 and 5.5.3.
Source: GHSA · CVSS 4.0 score: 1.9
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026