CVE-2026-29176

Description

## Summary A stored XSS vulnerability exists in the Commerce Settings - Inventory Locations page. The **Name** field is rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript. This XSS triggers when an administrator (or user with product editing permissions) creates or edits a variant product. ## Proof of Concept ### Permissions Required - General - Access the control panel - Access Craft Commerce - Craft Commerce - Manage inventory locations ### Steps to Reproduce 1. Log in to the control panel 2. Navigate to **Commerce → Inventory Locations** 3. Create or edit a location 4. Set **Name** to the following payload: ```html <img src=x onerror="alert('XSS')"> ``` 5. Save the location 6. Navigate to **Commerce → Products** and click "New Product" and click "New product variant" 7. The Inventory Location table loads, rendering the **Inventory Location Name** 8. XSS executes ## Impact - Potential Session Hijacking - Potential Database Exfiltration - Potential Account Takeover by forcing a password change on the victim’s account. - Potential Privilege escalation, or creating new admin users. ## Mitigation Sanitize the inventory location name field when rendering in the "Track Inventory" table.

How to fix CVE-2026-29176

To remediate CVE-2026-29176, upgrade the affected package to a fixed version below.

• —upgrade to 5.5.3 or later

Is CVE-2026-29176 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 5.0.0, < 5.5.3

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-29176
• PATCHgithub.com/craftcms/commerce
• WEBgithub.com/craftcms/commerce/commit/da143df084563ddf0929d7c261bcc11d312e8004
• WEBgithub.com/craftcms/commerce/security/advisories/GHSA-wj89-2385-gpx3