CVE-2026-29177
Craft Commerce has stored XSS in Craft Commerce Order Details Slideout
Description
## Summary A Stored Cross-Site Scripting (XSS) vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the **Shipping Method Name**, **Order Reference**, or **Site Name**. When a user opens the order details slideout via a double-click on the order index page, the injected payload executes. ## Reproduction Steps 1. Navigate to **Commerce** -> **Store Management** -> **Shipping Methods**. 1. Click "New Shipping Method". 1. In the **Name** field, enter the following XSS payload: ```html <img src=x onerror=alert('XSS_Shipping')> ``` 1. Save the Shipping Method. 1. Place a new order or edit an existing order. 1. Set the order's **Shipping Method** to the one created in the previous steps. 1. Navigate to the **Orders** index page (`/admin/commerce/orders`). 1. Double-click the target order to open the details slideout. 1. **Result**: The XSS payload executes.
How to fix CVE-2026-29177
To remediate CVE-2026-29177, upgrade the affected package to a fixed version below.
- —upgrade to 4.10.2 or later
Is CVE-2026-29177 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 4.0.0, < 4.10.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P |