{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "4.0.0" }, { "fixed": "4.10.2" }, { "introduced": "5.0.0" }, { "fixed": "5.5.3" } ] }, "events": [ { "introduced": "03fe68b8a09d05b028c510411b55af6cea6a089a" }, { "fixed": "1a8afefa20ab87fe52c1da5fe347d2549b0d358d" }, { "introduced": "266ccfd800264c4a0a7c22447112c097b0af7bae" }, { "fixed": "00debfb9b25ac0885cb0193dcb6ef4aba0c9e07e" }, { "fixed": "b0683e04773f16bba6af9df18aab495fc5dde68a" } ], "repo": "https://github.com/craftcms/commerce", "type": "GIT" } ] } ], "aliases": [ "GHSA-mj32-r678-7mvp" ], "database_specific": { "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-79" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29177.json" }, "details": "Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name. When a user opens the order details slideout via a double-click on the order index page, the injected payload executes. This vulnerability is fixed in 4.10.2 and 5.5.3.", "id": "CVE-2026-29177", "modified": "2026-04-01T23:07:48.482292727Z", "published": "2026-03-10T20:01:06.968Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29177.json" }, { "type": "ADVISORY", "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-mj32-r678-7mvp" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29177" }, { "type": "FIX", "url": "https://github.com/craftcms/commerce/commit/b0683e04773f16bba6af9df18aab495fc5dde68a" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "type": "CVSS_V4" } ], "summary": "Craft Commerce has Stored XSS in Craft Commerce Order Details Slideout" }