—CVE-2026-32270 Craft Commerce has an unauthenticated information disclosure that can leak some customer order data on anonymous payments
>= 5.0.0, < 5.6.0
—CVE-2026-32271 Craft Commerce has a SQL Injection can lead to Remote Code Execution via TotalRevenue Widget
>= 4.0.0, < 4.10.3
—CVE-2026-32272 Craft Commerce hasVariant/hasProduct Blind SQL Injection
>= 5.0.0, < 5.6.0
—Craft Commerce has stored XSS in Craft Commerce Order Details Slideout
>= 4.0.0, < 4.10.2
—Craft Commerce has stored XSS in Inventory Location Name
>= 5.0.0, < 5.5.3
—Craft Commerce has multiple Stored XSS in Commerce Inventory Page, Leading to Session Hijacking
>= 5.0.0, < 5.5.3
—Craft Commerce is vulnerable to SQL Injection in Commerce Inventory Table Sorting
>= 5.0.0, < 5.5.3
—Craft Commerce is Vulnerable to Stored XSS while updating Order Status from Orders Table
>= 4.0.0, < 4.10.2
—Craft Commerce is Vulnerable to SQL Injection in Commerce Purchasables Table Sorting
>= 4.0.0, < 4.10.2
—Craft Commerce has Stored XSS in Shipping Zone (Name & Description) Fields Leading to Potential Privilege Escalation
>= 5.0.0-RC1, < 5.5.2
—Craft Commerce has Stored XSS in Inventory Location Address Leading to Potential Privilege Escalation
>= 5.0.0-RC1, < 5.5.2
—Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation
>= 5.0.0-RC1, < 5.5.2
—Craft Commerce has Stored XSS in Tax Categories (Name & Description) Fields Leading to Potential Privilege Escalation
>= 5.0.0-RC1, < 5.5.2
—Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation
>= 5.0.0-RC1, < 5.5.2
—Craft Commerce has Stored XSS in Shipping Methods Name Field Leading to Potential Privilege Escalation
>= 5.0.0-RC1, < 5.5.2
—Craft Commerce has Stored XSS in Product Type Name
>= 5.0.0, < 5.5.2
—Craft Commerce has Stored XSS via Order Status Message with potential database exfiltration
>= 5.0.0, < 5.5.2
—Craft Commerce has Stored DOM XSS in Order Status Name (Reflects in "Recent Orders" Dashboard Widget)
>= 5.0.0, < 5.5.2