Lookup for vulnerable packages by Package URL.

Purl pkg:composer/craftcms/commerce@4.8.1.2
Type composer
Namespace craftcms
Name commerce
Version 4.8.1.2
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 4.11.0
Latest_non_vulnerable_version 5.6.0
Affected_by_vulnerabilities
0
url VCID-1fpe-utun-2bhp
vulnerability_id VCID-1fpe-utun-2bhp
summary Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Tax Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25488
reference_id
reference_type
scores
0
value 0.00025
scoring_system epss
scoring_elements 0.07525
published_at 2026-06-12T12:55:00Z
1
value 0.00025
scoring_system epss
scoring_elements 0.0751
published_at 2026-06-14T12:55:00Z
2
value 0.00025
scoring_system epss
scoring_elements 0.07518
published_at 2026-06-13T12:55:00Z
3
value 0.00025
scoring_system epss
scoring_elements 0.07492
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25488
1
reference_url https://github.com/craftcms/commerce
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/commerce
2
reference_url https://github.com/craftcms/commerce/releases/tag/4.10.1
reference_id 4.10.1
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:40Z/
url https://github.com/craftcms/commerce/releases/tag/4.10.1
3
reference_url https://github.com/craftcms/commerce/releases/tag/5.5.2
reference_id 5.5.2
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:40Z/
url https://github.com/craftcms/commerce/releases/tag/5.5.2
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25488
reference_id CVE-2026-25488
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25488
5
reference_url https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
reference_id fa273330807807d05b564d37c88654cd772839ee
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:40Z/
url https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
6
reference_url https://github.com/advisories/GHSA-p6w8-q63m-72c8
reference_id GHSA-p6w8-q63m-72c8
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-p6w8-q63m-72c8
7
reference_url https://github.com/craftcms/commerce/security/advisories/GHSA-p6w8-q63m-72c8
reference_id GHSA-p6w8-q63m-72c8
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:40Z/
url https://github.com/craftcms/commerce/security/advisories/GHSA-p6w8-q63m-72c8
fixed_packages
0
url pkg:composer/craftcms/commerce@4.10.1
purl pkg:composer/craftcms/commerce@4.10.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7mwe-pr8b-27b9
1
vulnerability VCID-8wtv-3a2u-efhn
2
vulnerability VCID-97wt-uzgd-j7cy
3
vulnerability VCID-dnc5-bagp-wfgm
4
vulnerability VCID-gym5-pp2y-y3ed
5
vulnerability VCID-ke4n-z9fq-87ea
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@4.10.1
1
url pkg:composer/craftcms/commerce@5.5.2
purl pkg:composer/craftcms/commerce@5.5.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6ut7-kdwm-zubh
1
vulnerability VCID-7mwe-pr8b-27b9
2
vulnerability VCID-8wtv-3a2u-efhn
3
vulnerability VCID-97wt-uzgd-j7cy
4
vulnerability VCID-dnc5-bagp-wfgm
5
vulnerability VCID-gym5-pp2y-y3ed
6
vulnerability VCID-ke4n-z9fq-87ea
7
vulnerability VCID-nd31-ykw5-rqbt
8
vulnerability VCID-wk8c-81g9-juh9
9
vulnerability VCID-y7ud-n1vc-ckc5
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2
aliases CVE-2026-25488, GHSA-p6w8-q63m-72c8
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1fpe-utun-2bhp
1
url VCID-3aau-58kb-23c2
vulnerability_id VCID-3aau-58kb-23c2
summary Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Zone (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25522
reference_id
reference_type
scores
0
value 0.00034
scoring_system epss
scoring_elements 0.10383
published_at 2026-06-12T12:55:00Z
1
value 0.00034
scoring_system epss
scoring_elements 0.10363
published_at 2026-06-14T12:55:00Z
2
value 0.00034
scoring_system epss
scoring_elements 0.10387
published_at 2026-06-13T12:55:00Z
3
value 0.00034
scoring_system epss
scoring_elements 0.10332
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25522
1
reference_url https://github.com/craftcms/commerce
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/commerce
2
reference_url https://github.com/craftcms/commerce/releases/tag/4.10.1
reference_id 4.10.1
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T19:22:16Z/
url https://github.com/craftcms/commerce/releases/tag/4.10.1
3
reference_url https://github.com/craftcms/commerce/releases/tag/5.5.2
reference_id 5.5.2
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T19:22:16Z/
url https://github.com/craftcms/commerce/releases/tag/5.5.2
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25522
reference_id CVE-2026-25522
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25522
5
reference_url https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
reference_id fa273330807807d05b564d37c88654cd772839ee
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T19:22:16Z/
url https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
6
reference_url https://github.com/advisories/GHSA-h9r9-2pxg-cx9m
reference_id GHSA-h9r9-2pxg-cx9m
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-h9r9-2pxg-cx9m
7
reference_url https://github.com/craftcms/commerce/security/advisories/GHSA-h9r9-2pxg-cx9m
reference_id GHSA-h9r9-2pxg-cx9m
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T19:22:16Z/
url https://github.com/craftcms/commerce/security/advisories/GHSA-h9r9-2pxg-cx9m
fixed_packages
0
url pkg:composer/craftcms/commerce@4.10.1
purl pkg:composer/craftcms/commerce@4.10.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7mwe-pr8b-27b9
1
vulnerability VCID-8wtv-3a2u-efhn
2
vulnerability VCID-97wt-uzgd-j7cy
3
vulnerability VCID-dnc5-bagp-wfgm
4
vulnerability VCID-gym5-pp2y-y3ed
5
vulnerability VCID-ke4n-z9fq-87ea
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@4.10.1
1
url pkg:composer/craftcms/commerce@5.5.2
purl pkg:composer/craftcms/commerce@5.5.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6ut7-kdwm-zubh
1
vulnerability VCID-7mwe-pr8b-27b9
2
vulnerability VCID-8wtv-3a2u-efhn
3
vulnerability VCID-97wt-uzgd-j7cy
4
vulnerability VCID-dnc5-bagp-wfgm
5
vulnerability VCID-gym5-pp2y-y3ed
6
vulnerability VCID-ke4n-z9fq-87ea
7
vulnerability VCID-nd31-ykw5-rqbt
8
vulnerability VCID-wk8c-81g9-juh9
9
vulnerability VCID-y7ud-n1vc-ckc5
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2
aliases CVE-2026-25522, GHSA-h9r9-2pxg-cx9m
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3aau-58kb-23c2
2
url VCID-3tvs-zkkk-q3dn
vulnerability_id VCID-3tvs-zkkk-q3dn
summary Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the 'Address Line 1' field in Inventory Locations is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25490
reference_id
reference_type
scores
0
value 0.00025
scoring_system epss
scoring_elements 0.07525
published_at 2026-06-12T12:55:00Z
1
value 0.00025
scoring_system epss
scoring_elements 0.0751
published_at 2026-06-14T12:55:00Z
2
value 0.00025
scoring_system epss
scoring_elements 0.07518
published_at 2026-06-13T12:55:00Z
3
value 0.00025
scoring_system epss
scoring_elements 0.07492
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25490
1
reference_url https://github.com/craftcms/commerce
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/commerce
2
reference_url https://github.com/craftcms/commerce/releases/tag/4.10.1
reference_id 4.10.1
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:25:17Z/
url https://github.com/craftcms/commerce/releases/tag/4.10.1
3
reference_url https://github.com/craftcms/commerce/releases/tag/5.5.2
reference_id 5.5.2
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:25:17Z/
url https://github.com/craftcms/commerce/releases/tag/5.5.2
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25490
reference_id CVE-2026-25490
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25490
5
reference_url https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
reference_id fa273330807807d05b564d37c88654cd772839ee
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:25:17Z/
url https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
6
reference_url https://github.com/advisories/GHSA-wq2m-r96q-crrf
reference_id GHSA-wq2m-r96q-crrf
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-wq2m-r96q-crrf
7
reference_url https://github.com/craftcms/commerce/security/advisories/GHSA-wq2m-r96q-crrf
reference_id GHSA-wq2m-r96q-crrf
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:25:17Z/
url https://github.com/craftcms/commerce/security/advisories/GHSA-wq2m-r96q-crrf
fixed_packages
0
url pkg:composer/craftcms/commerce@4.10.1
purl pkg:composer/craftcms/commerce@4.10.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7mwe-pr8b-27b9
1
vulnerability VCID-8wtv-3a2u-efhn
2
vulnerability VCID-97wt-uzgd-j7cy
3
vulnerability VCID-dnc5-bagp-wfgm
4
vulnerability VCID-gym5-pp2y-y3ed
5
vulnerability VCID-ke4n-z9fq-87ea
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@4.10.1
1
url pkg:composer/craftcms/commerce@5.5.2
purl pkg:composer/craftcms/commerce@5.5.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6ut7-kdwm-zubh
1
vulnerability VCID-7mwe-pr8b-27b9
2
vulnerability VCID-8wtv-3a2u-efhn
3
vulnerability VCID-97wt-uzgd-j7cy
4
vulnerability VCID-dnc5-bagp-wfgm
5
vulnerability VCID-gym5-pp2y-y3ed
6
vulnerability VCID-ke4n-z9fq-87ea
7
vulnerability VCID-nd31-ykw5-rqbt
8
vulnerability VCID-wk8c-81g9-juh9
9
vulnerability VCID-y7ud-n1vc-ckc5
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2
aliases CVE-2026-25490, GHSA-wq2m-r96q-crrf
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3tvs-zkkk-q3dn
3
url VCID-6g9k-ndry-qyc4
vulnerability_id VCID-6g9k-ndry-qyc4
summary Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard. This issue has been patched in versions 4.10.1 and 5.5.2.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25482
reference_id
reference_type
scores
0
value 0.00029
scoring_system epss
scoring_elements 0.08869
published_at 2026-06-14T12:55:00Z
1
value 0.00029
scoring_system epss
scoring_elements 0.08879
published_at 2026-06-13T12:55:00Z
2
value 0.00029
scoring_system epss
scoring_elements 0.08874
published_at 2026-06-12T12:55:00Z
3
value 0.00029
scoring_system epss
scoring_elements 0.08831
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25482
1
reference_url https://github.com/craftcms/commerce
reference_id
reference_type
scores
0
value 6.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/commerce
2
reference_url https://github.com/craftcms/commerce/releases/tag/4.10.1
reference_id 4.10.1
reference_type
scores
0
value 6.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:23Z/
url https://github.com/craftcms/commerce/releases/tag/4.10.1
3
reference_url https://github.com/craftcms/commerce/releases/tag/5.5.2
reference_id 5.5.2
reference_type
scores
0
value 6.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:23Z/
url https://github.com/craftcms/commerce/releases/tag/5.5.2
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25482
reference_id CVE-2026-25482
reference_type
scores
0
value 6.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25482
5
reference_url https://github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935ba65
reference_id d94d1c9832a47a1c383e375ae87c46c13935ba65
reference_type
scores
0
value 6.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:23Z/
url https://github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935ba65
6
reference_url https://github.com/advisories/GHSA-frj9-9rwc-pw9j
reference_id GHSA-frj9-9rwc-pw9j
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-frj9-9rwc-pw9j
7
reference_url https://github.com/craftcms/commerce/security/advisories/GHSA-frj9-9rwc-pw9j
reference_id GHSA-frj9-9rwc-pw9j
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:23Z/
url https://github.com/craftcms/commerce/security/advisories/GHSA-frj9-9rwc-pw9j
fixed_packages
0
url pkg:composer/craftcms/commerce@4.10.1
purl pkg:composer/craftcms/commerce@4.10.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7mwe-pr8b-27b9
1
vulnerability VCID-8wtv-3a2u-efhn
2
vulnerability VCID-97wt-uzgd-j7cy
3
vulnerability VCID-dnc5-bagp-wfgm
4
vulnerability VCID-gym5-pp2y-y3ed
5
vulnerability VCID-ke4n-z9fq-87ea
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@4.10.1
1
url pkg:composer/craftcms/commerce@5.5.2
purl pkg:composer/craftcms/commerce@5.5.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6ut7-kdwm-zubh
1
vulnerability VCID-7mwe-pr8b-27b9
2
vulnerability VCID-8wtv-3a2u-efhn
3
vulnerability VCID-97wt-uzgd-j7cy
4
vulnerability VCID-dnc5-bagp-wfgm
5
vulnerability VCID-gym5-pp2y-y3ed
6
vulnerability VCID-ke4n-z9fq-87ea
7
vulnerability VCID-nd31-ykw5-rqbt
8
vulnerability VCID-wk8c-81g9-juh9
9
vulnerability VCID-y7ud-n1vc-ckc5
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2
aliases CVE-2026-25482, GHSA-frj9-9rwc-pw9j
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6g9k-ndry-qyc4
4
url VCID-7mwe-pr8b-27b9
vulnerability_id VCID-7mwe-pr8b-27b9
summary Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part (column name) is passed directly as an array key to orderBy() without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an authenticated attacker to inject arbitrary SQL into the ORDER BY clause. This vulnerability is fixed in 4.10.2 and 5.5.3.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-29172
reference_id
reference_type
scores
0
value 0.00015
scoring_system epss
scoring_elements 0.0313
published_at 2026-06-14T12:55:00Z
1
value 0.00015
scoring_system epss
scoring_elements 0.03117
published_at 2026-06-13T12:55:00Z
2
value 0.00015
scoring_system epss
scoring_elements 0.03134
published_at 2026-06-12T12:55:00Z
3
value 0.00015
scoring_system epss
scoring_elements 0.0312
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-29172
1
reference_url https://github.com/craftcms/commerce
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/commerce
2
reference_url https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276
reference_id b231b920b73db023e81e5b261b894d73e865c276
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-11T14:12:47Z/
url https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-29172
reference_id CVE-2026-29172
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-29172
4
reference_url https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1
reference_id e4e0f4107cd895d29290523637f077fe280407b1
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-11T14:12:47Z/
url https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1
5
reference_url https://github.com/advisories/GHSA-j3x5-mghf-xvfw
reference_id GHSA-j3x5-mghf-xvfw
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-j3x5-mghf-xvfw
6
reference_url https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw
reference_id GHSA-j3x5-mghf-xvfw
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-11T14:12:47Z/
url https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw
fixed_packages
0
url pkg:composer/craftcms/commerce@4.10.2
purl pkg:composer/craftcms/commerce@4.10.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-97wt-uzgd-j7cy
1
vulnerability VCID-gym5-pp2y-y3ed
2
vulnerability VCID-ke4n-z9fq-87ea
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@4.10.2
1
url pkg:composer/craftcms/commerce@5.5.3
purl pkg:composer/craftcms/commerce@5.5.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-97wt-uzgd-j7cy
1
vulnerability VCID-gym5-pp2y-y3ed
2
vulnerability VCID-ke4n-z9fq-87ea
3
vulnerability VCID-nd31-ykw5-rqbt
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.3
aliases CVE-2026-29172, GHSA-j3x5-mghf-xvfw
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7mwe-pr8b-27b9
5
url VCID-8612-urej-cqbg
vulnerability_id VCID-8612-urej-cqbg
summary Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25489
reference_id
reference_type
scores
0
value 0.00025
scoring_system epss
scoring_elements 0.07492
published_at 2026-06-11T12:55:00Z
1
value 0.00025
scoring_system epss
scoring_elements 0.0751
published_at 2026-06-14T12:55:00Z
2
value 0.00025
scoring_system epss
scoring_elements 0.07518
published_at 2026-06-13T12:55:00Z
3
value 0.00025
scoring_system epss
scoring_elements 0.07525
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25489
1
reference_url https://github.com/craftcms/commerce
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/commerce
2
reference_url https://github.com/craftcms/commerce/releases/tag/4.10.1
reference_id 4.10.1
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:32:00Z/
url https://github.com/craftcms/commerce/releases/tag/4.10.1
3
reference_url https://github.com/craftcms/commerce/releases/tag/5.5.2
reference_id 5.5.2
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:32:00Z/
url https://github.com/craftcms/commerce/releases/tag/5.5.2
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25489
reference_id CVE-2026-25489
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25489
5
reference_url https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
reference_id fa273330807807d05b564d37c88654cd772839ee
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:32:00Z/
url https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
6
reference_url https://github.com/advisories/GHSA-v585-mf6r-rqrc
reference_id GHSA-v585-mf6r-rqrc
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v585-mf6r-rqrc
7
reference_url https://github.com/craftcms/commerce/security/advisories/GHSA-v585-mf6r-rqrc
reference_id GHSA-v585-mf6r-rqrc
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:32:00Z/
url https://github.com/craftcms/commerce/security/advisories/GHSA-v585-mf6r-rqrc
fixed_packages
0
url pkg:composer/craftcms/commerce@4.10.1
purl pkg:composer/craftcms/commerce@4.10.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7mwe-pr8b-27b9
1
vulnerability VCID-8wtv-3a2u-efhn
2
vulnerability VCID-97wt-uzgd-j7cy
3
vulnerability VCID-dnc5-bagp-wfgm
4
vulnerability VCID-gym5-pp2y-y3ed
5
vulnerability VCID-ke4n-z9fq-87ea
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@4.10.1
1
url pkg:composer/craftcms/commerce@5.5.2
purl pkg:composer/craftcms/commerce@5.5.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6ut7-kdwm-zubh
1
vulnerability VCID-7mwe-pr8b-27b9
2
vulnerability VCID-8wtv-3a2u-efhn
3
vulnerability VCID-97wt-uzgd-j7cy
4
vulnerability VCID-dnc5-bagp-wfgm
5
vulnerability VCID-gym5-pp2y-y3ed
6
vulnerability VCID-ke4n-z9fq-87ea
7
vulnerability VCID-nd31-ykw5-rqbt
8
vulnerability VCID-wk8c-81g9-juh9
9
vulnerability VCID-y7ud-n1vc-ckc5
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2
aliases CVE-2026-25489, GHSA-v585-mf6r-rqrc
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8612-urej-cqbg
6
url VCID-8wtv-3a2u-efhn
vulnerability_id VCID-8wtv-3a2u-efhn
summary Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name. When a user opens the order details slideout via a double-click on the order index page, the injected payload executes. This vulnerability is fixed in 4.10.2 and 5.5.3.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-29177
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.02431
published_at 2026-06-14T12:55:00Z
1
value 0.00014
scoring_system epss
scoring_elements 0.02429
published_at 2026-06-12T12:55:00Z
2
value 0.00014
scoring_system epss
scoring_elements 0.02422
published_at 2026-06-13T12:55:00Z
3
value 0.00014
scoring_system epss
scoring_elements 0.02427
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-29177
1
reference_url https://github.com/craftcms/commerce
reference_id
reference_type
scores
0
value 1.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/commerce
2
reference_url https://github.com/craftcms/commerce/commit/b0683e04773f16bba6af9df18aab495fc5dde68a
reference_id b0683e04773f16bba6af9df18aab495fc5dde68a
reference_type
scores
0
value 1.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:07:59Z/
url https://github.com/craftcms/commerce/commit/b0683e04773f16bba6af9df18aab495fc5dde68a
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-29177
reference_id CVE-2026-29177
reference_type
scores
0
value 1.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-29177
4
reference_url https://github.com/advisories/GHSA-mj32-r678-7mvp
reference_id GHSA-mj32-r678-7mvp
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mj32-r678-7mvp
5
reference_url https://github.com/craftcms/commerce/security/advisories/GHSA-mj32-r678-7mvp
reference_id GHSA-mj32-r678-7mvp
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 1.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:07:59Z/
url https://github.com/craftcms/commerce/security/advisories/GHSA-mj32-r678-7mvp
fixed_packages
0
url pkg:composer/craftcms/commerce@4.10.2
purl pkg:composer/craftcms/commerce@4.10.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-97wt-uzgd-j7cy
1
vulnerability VCID-gym5-pp2y-y3ed
2
vulnerability VCID-ke4n-z9fq-87ea
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@4.10.2
1
url pkg:composer/craftcms/commerce@5.5.3
purl pkg:composer/craftcms/commerce@5.5.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-97wt-uzgd-j7cy
1
vulnerability VCID-gym5-pp2y-y3ed
2
vulnerability VCID-ke4n-z9fq-87ea
3
vulnerability VCID-nd31-ykw5-rqbt
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.3
aliases CVE-2026-29177, GHSA-mj32-r678-7mvp
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8wtv-3a2u-efhn
7
url VCID-95zg-q87n-kba2
vulnerability_id VCID-95zg-q87n-kba2
summary Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes. This issue has been patched in versions 4.10.1 and 5.5.2.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25483
reference_id
reference_type
scores
0
value 0.00018
scoring_system epss
scoring_elements 0.04735
published_at 2026-06-14T12:55:00Z
1
value 0.00018
scoring_system epss
scoring_elements 0.04756
published_at 2026-06-12T12:55:00Z
2
value 0.00018
scoring_system epss
scoring_elements 0.04742
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25483
1
reference_url https://github.com/craftcms/commerce
reference_id
reference_type
scores
0
value 6.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/commerce
2
reference_url https://github.com/craftcms/commerce/releases/tag/4.10.1
reference_id 4.10.1
reference_type
scores
0
value 6.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:22Z/
url https://github.com/craftcms/commerce/releases/tag/4.10.1
3
reference_url https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c
reference_id 4665a47c0961aee311a42af2ff94a7c470f0ad8c
reference_type
scores
0
value 6.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:22Z/
url https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c
4
reference_url https://github.com/craftcms/commerce/releases/tag/5.5.2
reference_id 5.5.2
reference_type
scores
0
value 6.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:22Z/
url https://github.com/craftcms/commerce/releases/tag/5.5.2
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25483
reference_id CVE-2026-25483
reference_type
scores
0
value 6.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25483
6
reference_url https://github.com/advisories/GHSA-8478-rmjg-mjj5
reference_id GHSA-8478-rmjg-mjj5
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8478-rmjg-mjj5
7
reference_url https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5
reference_id GHSA-8478-rmjg-mjj5
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:22Z/
url https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5
fixed_packages
0
url pkg:composer/craftcms/commerce@4.10.1
purl pkg:composer/craftcms/commerce@4.10.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7mwe-pr8b-27b9
1
vulnerability VCID-8wtv-3a2u-efhn
2
vulnerability VCID-97wt-uzgd-j7cy
3
vulnerability VCID-dnc5-bagp-wfgm
4
vulnerability VCID-gym5-pp2y-y3ed
5
vulnerability VCID-ke4n-z9fq-87ea
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@4.10.1
1
url pkg:composer/craftcms/commerce@5.5.2
purl pkg:composer/craftcms/commerce@5.5.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6ut7-kdwm-zubh
1
vulnerability VCID-7mwe-pr8b-27b9
2
vulnerability VCID-8wtv-3a2u-efhn
3
vulnerability VCID-97wt-uzgd-j7cy
4
vulnerability VCID-dnc5-bagp-wfgm
5
vulnerability VCID-gym5-pp2y-y3ed
6
vulnerability VCID-ke4n-z9fq-87ea
7
vulnerability VCID-nd31-ykw5-rqbt
8
vulnerability VCID-wk8c-81g9-juh9
9
vulnerability VCID-y7ud-n1vc-ckc5
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2
aliases CVE-2026-25483, GHSA-8478-rmjg-mjj5
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-95zg-q87n-kba2
8
url VCID-97wt-uzgd-j7cy
vulnerability_id VCID-97wt-uzgd-j7cy
summary Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, the PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. The JSON error response includes the serialized order object (order), which contains some sensitive fields such as customer email, shipping address, and billing address. The frontend payment flow's actionPay() retrieves orders by number (the "Load order by number" step) before authorization is fully enforced. This issue has been fixed in versions 4.11.0 and 5.6.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-32270
reference_id
reference_type
scores
0
value 0.0009
scoring_system epss
scoring_elements 0.25699
published_at 2026-06-13T12:55:00Z
1
value 0.0009
scoring_system epss
scoring_elements 0.25482
published_at 2026-06-11T12:55:00Z
2
value 0.0009
scoring_system epss
scoring_elements 0.25684
published_at 2026-06-14T12:55:00Z
3
value 0.0009
scoring_system epss
scoring_elements 0.25681
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-32270
1
reference_url https://github.com/craftcms/commerce
reference_id
reference_type
scores
0
value 1.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/commerce
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-32270
reference_id
reference_type
scores
0
value 1.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-32270
3
reference_url https://github.com/craftcms/commerce/releases/tag/4.11.0
reference_id 4.11.0
reference_type
scores
0
value 1.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value 1.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T15:24:48Z/
url https://github.com/craftcms/commerce/releases/tag/4.11.0
4
reference_url https://github.com/craftcms/commerce/commit/48a5d946419964e2af1ac64a8e1acc2a32ca0a08
reference_id 48a5d946419964e2af1ac64a8e1acc2a32ca0a08
reference_type
scores
0
value 1.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value 1.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T15:24:48Z/
url https://github.com/craftcms/commerce/commit/48a5d946419964e2af1ac64a8e1acc2a32ca0a08
5
reference_url https://github.com/craftcms/commerce/releases/tag/5.6.0
reference_id 5.6.0
reference_type
scores
0
value 1.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value 1.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T15:24:48Z/
url https://github.com/craftcms/commerce/releases/tag/5.6.0
6
reference_url https://github.com/advisories/GHSA-3vxg-x5f8-f5qf
reference_id GHSA-3vxg-x5f8-f5qf
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3vxg-x5f8-f5qf
7
reference_url https://github.com/craftcms/commerce/security/advisories/GHSA-3vxg-x5f8-f5qf
reference_id GHSA-3vxg-x5f8-f5qf
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 1.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
2
value 1.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T15:24:48Z/
url https://github.com/craftcms/commerce/security/advisories/GHSA-3vxg-x5f8-f5qf
fixed_packages
0
url pkg:composer/craftcms/commerce@4.11.0
purl pkg:composer/craftcms/commerce@4.11.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@4.11.0
1
url pkg:composer/craftcms/commerce@5.6.0
purl pkg:composer/craftcms/commerce@5.6.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.6.0
aliases CVE-2026-32270, GHSA-3vxg-x5f8-f5qf
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-97wt-uzgd-j7cy
9
url VCID-dnc5-bagp-wfgm
vulnerability_id VCID-dnc5-bagp-wfgm
summary Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. This vulnerability is fixed in 4.10.2 and 5.5.3.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-29173
reference_id
reference_type
scores
0
value 0.00018
scoring_system epss
scoring_elements 0.05204
published_at 2026-06-11T12:55:00Z
1
value 0.00018
scoring_system epss
scoring_elements 0.05217
published_at 2026-06-12T12:55:00Z
2
value 0.00018
scoring_system epss
scoring_elements 0.05209
published_at 2026-06-13T12:55:00Z
3
value 0.00018
scoring_system epss
scoring_elements 0.05195
published_at 2026-06-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-29173
1
reference_url https://github.com/craftcms/commerce
reference_id
reference_type
scores
0
value 1.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/commerce
2
reference_url https://github.com/craftcms/commerce/commit/60cdc505c03b6fa2f59715e8c060114b66334afa
reference_id 60cdc505c03b6fa2f59715e8c060114b66334afa
reference_type
scores
0
value 1.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value 1.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:09:40Z/
url https://github.com/craftcms/commerce/commit/60cdc505c03b6fa2f59715e8c060114b66334afa
3
reference_url https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b
reference_id a2ea853935ef03297ea1298bdb0d8c55ec5daf7b
reference_type
scores
0
value 1.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P
1
value 1.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:09:40Z/
url https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-29173
reference_id CVE-2026-29173
reference_type
scores
0
value 1.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-29173
5
reference_url https://github.com/advisories/GHSA-mqxf-2998-c6cp
reference_id GHSA-mqxf-2998-c6cp
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mqxf-2998-c6cp
6
reference_url https://github.com/craftcms/commerce/security/advisories/GHSA-mqxf-2998-c6cp
reference_id GHSA-mqxf-2998-c6cp
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 1.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P
2
value 1.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:09:40Z/
url https://github.com/craftcms/commerce/security/advisories/GHSA-mqxf-2998-c6cp
fixed_packages
0
url pkg:composer/craftcms/commerce@4.10.2
purl pkg:composer/craftcms/commerce@4.10.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-97wt-uzgd-j7cy
1
vulnerability VCID-gym5-pp2y-y3ed
2
vulnerability VCID-ke4n-z9fq-87ea
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@4.10.2
1
url pkg:composer/craftcms/commerce@5.5.3
purl pkg:composer/craftcms/commerce@5.5.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-97wt-uzgd-j7cy
1
vulnerability VCID-gym5-pp2y-y3ed
2
vulnerability VCID-ke4n-z9fq-87ea
3
vulnerability VCID-nd31-ykw5-rqbt
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.3
aliases CVE-2026-29173, GHSA-mqxf-2998-c6cp
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dnc5-bagp-wfgm
10
url VCID-gym5-pp2y-y3ed
vulnerability_id VCID-gym5-pp2y-y3ed
summary Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allows any authenticated control panel user to achieve remote code execution through a four-step exploitation chain. The attack exploits unsanitized widget settings interpolated into SQL expressions, combined with PDO's default multi-statement query support, to inject a maliciously serialized PHP object into the queue table. When the queue consumer processes the injected job, the unrestricted unserialize() call in yii2-queue instantiates a GuzzleHttp FileCookieJar gadget chain whose __destruct() method writes a PHP webshell to the server's webroot. The complete chain requires only three HTTP requests, no administrative privileges, and results in arbitrary command execution as the PHP process user, with queue processing triggered via an unauthenticated endpoint. This issue has been fixed in versions 4.10.3 and 5.5.5.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-32271
reference_id
reference_type
scores
0
value 0.0008
scoring_system epss
scoring_elements 0.23852
published_at 2026-06-13T12:55:00Z
1
value 0.0008
scoring_system epss
scoring_elements 0.23831
published_at 2026-06-14T12:55:00Z
2
value 0.0008
scoring_system epss
scoring_elements 0.23649
published_at 2026-06-11T12:55:00Z
3
value 0.0008
scoring_system epss
scoring_elements 0.23845
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-32271
1
reference_url https://github.com/craftcms/commerce
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/commerce
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-32271
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-32271
3
reference_url https://github.com/craftcms/commerce/commit/6d2d24b3a2b0c06593856d05446f82bd8af92d72
reference_id 6d2d24b3a2b0c06593856d05446f82bd8af92d72
reference_type
scores
0
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-16T13:21:36Z/
url https://github.com/craftcms/commerce/commit/6d2d24b3a2b0c06593856d05446f82bd8af92d72
4
reference_url https://github.com/advisories/GHSA-875v-7m49-8x88
reference_id GHSA-875v-7m49-8x88
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-875v-7m49-8x88
5
reference_url https://github.com/craftcms/commerce/security/advisories/GHSA-875v-7m49-8x88
reference_id GHSA-875v-7m49-8x88
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-16T13:21:36Z/
url https://github.com/craftcms/commerce/security/advisories/GHSA-875v-7m49-8x88
fixed_packages
0
url pkg:composer/craftcms/commerce@4.10.3
purl pkg:composer/craftcms/commerce@4.10.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@4.10.3
1
url pkg:composer/craftcms/commerce@4.11.0
purl pkg:composer/craftcms/commerce@4.11.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@4.11.0
2
url pkg:composer/craftcms/commerce@5.5.5
purl pkg:composer/craftcms/commerce@5.5.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.5
3
url pkg:composer/craftcms/commerce@5.6.0
purl pkg:composer/craftcms/commerce@5.6.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.6.0
aliases CVE-2026-32271, GHSA-875v-7m49-8x88
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gym5-pp2y-y3ed
11
url VCID-kcyd-frx2-myg9
vulnerability_id VCID-kcyd-frx2-myg9
summary Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings. The vulnerable input (source) is in Commerce (Product Type settings), but the sink is in CMS user permissions settings. This issue has been patched in versions 4.10.1 and 5.5.2.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25484
reference_id
reference_type
scores
0
value 0.00019
scoring_system epss
scoring_elements 0.05616
published_at 2026-06-14T12:55:00Z
1
value 0.00019
scoring_system epss
scoring_elements 0.05624
published_at 2026-06-13T12:55:00Z
2
value 0.00019
scoring_system epss
scoring_elements 0.05631
published_at 2026-06-12T12:55:00Z
3
value 0.00019
scoring_system epss
scoring_elements 0.05604
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25484
1
reference_url https://github.com/craftcms/commerce
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/commerce
2
reference_url https://github.com/craftcms/commerce/releases/tag/4.10.1
reference_id 4.10.1
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:19Z/
url https://github.com/craftcms/commerce/releases/tag/4.10.1
3
reference_url https://github.com/craftcms/commerce/releases/tag/5.5.2
reference_id 5.5.2
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:19Z/
url https://github.com/craftcms/commerce/releases/tag/5.5.2
4
reference_url https://github.com/craftcms/commerce/commit/7e1dedf06038c8e70dce0187b7048d4ab8ffb75c
reference_id 7e1dedf06038c8e70dce0187b7048d4ab8ffb75c
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:19Z/
url https://github.com/craftcms/commerce/commit/7e1dedf06038c8e70dce0187b7048d4ab8ffb75c
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25484
reference_id CVE-2026-25484
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25484
6
reference_url https://github.com/advisories/GHSA-2h2m-v2mg-656c
reference_id GHSA-2h2m-v2mg-656c
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2h2m-v2mg-656c
7
reference_url https://github.com/craftcms/commerce/security/advisories/GHSA-2h2m-v2mg-656c
reference_id GHSA-2h2m-v2mg-656c
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:19Z/
url https://github.com/craftcms/commerce/security/advisories/GHSA-2h2m-v2mg-656c
fixed_packages
0
url pkg:composer/craftcms/commerce@4.10.1
purl pkg:composer/craftcms/commerce@4.10.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7mwe-pr8b-27b9
1
vulnerability VCID-8wtv-3a2u-efhn
2
vulnerability VCID-97wt-uzgd-j7cy
3
vulnerability VCID-dnc5-bagp-wfgm
4
vulnerability VCID-gym5-pp2y-y3ed
5
vulnerability VCID-ke4n-z9fq-87ea
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@4.10.1
1
url pkg:composer/craftcms/commerce@5.5.2
purl pkg:composer/craftcms/commerce@5.5.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6ut7-kdwm-zubh
1
vulnerability VCID-7mwe-pr8b-27b9
2
vulnerability VCID-8wtv-3a2u-efhn
3
vulnerability VCID-97wt-uzgd-j7cy
4
vulnerability VCID-dnc5-bagp-wfgm
5
vulnerability VCID-gym5-pp2y-y3ed
6
vulnerability VCID-ke4n-z9fq-87ea
7
vulnerability VCID-nd31-ykw5-rqbt
8
vulnerability VCID-wk8c-81g9-juh9
9
vulnerability VCID-y7ud-n1vc-ckc5
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2
aliases CVE-2026-25484, GHSA-2h2m-v2mg-656c
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kcyd-frx2-myg9
12
url VCID-ke4n-z9fq-87ea
vulnerability_id VCID-ke4n-z9fq-87ea
summary Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.11.0 and 5.6.0, an Insecure Direct Object Reference (IDOR) vulnerability exists in Craft Commerce’s cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character number. The CartController accepts a user-supplied number parameter to load and modify shopping carts. No ownership validation is performed: the code only checks if the order exists and is incomplete, not whether the requester has authorization to access it. This vulnerability enables the takeover of shopping sessions and potential exposure of PII. This vulnerability is fixed in 4.11.0 and 5.6.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-31867
reference_id
reference_type
scores
0
value 0.00072
scoring_system epss
scoring_elements 0.22141
published_at 2026-06-14T12:55:00Z
1
value 0.00072
scoring_system epss
scoring_elements 0.22155
published_at 2026-06-12T12:55:00Z
2
value 0.00072
scoring_system epss
scoring_elements 0.22166
published_at 2026-06-13T12:55:00Z
3
value 0.00072
scoring_system epss
scoring_elements 0.21965
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-31867
1
reference_url https://github.com/craftcms/commerce
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/commerce
2
reference_url https://github.com/craftcms/commerce/pull/4207
reference_id 4207
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T13:49:40Z/
url https://github.com/craftcms/commerce/pull/4207
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-31867
reference_id CVE-2026-31867
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-31867
4
reference_url https://github.com/advisories/GHSA-vff3-pqq8-4cpq
reference_id GHSA-vff3-pqq8-4cpq
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vff3-pqq8-4cpq
5
reference_url https://github.com/craftcms/commerce/security/advisories/GHSA-vff3-pqq8-4cpq
reference_id GHSA-vff3-pqq8-4cpq
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T13:49:40Z/
url https://github.com/craftcms/commerce/security/advisories/GHSA-vff3-pqq8-4cpq
fixed_packages
0
url pkg:composer/craftcms/commerce@4.11.0
purl pkg:composer/craftcms/commerce@4.11.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@4.11.0
1
url pkg:composer/craftcms/commerce@5.0.0-beta.1
purl pkg:composer/craftcms/commerce@5.0.0-beta.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fpe-utun-2bhp
1
vulnerability VCID-3aau-58kb-23c2
2
vulnerability VCID-3tvs-zkkk-q3dn
3
vulnerability VCID-3zc6-6twn-53bv
4
vulnerability VCID-8612-urej-cqbg
5
vulnerability VCID-w92g-517h-rud8
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.0.0-beta.1
2
url pkg:composer/craftcms/commerce@5.6.0
purl pkg:composer/craftcms/commerce@5.6.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.6.0
aliases CVE-2026-31867, GHSA-vff3-pqq8-4cpq
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ke4n-z9fq-87ea
13
url VCID-w92g-517h-rud8
vulnerability_id VCID-w92g-517h-rud8
summary Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25487
reference_id
reference_type
scores
0
value 0.00025
scoring_system epss
scoring_elements 0.07525
published_at 2026-06-12T12:55:00Z
1
value 0.00025
scoring_system epss
scoring_elements 0.0751
published_at 2026-06-14T12:55:00Z
2
value 0.00025
scoring_system epss
scoring_elements 0.07518
published_at 2026-06-13T12:55:00Z
3
value 0.00025
scoring_system epss
scoring_elements 0.07492
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25487
1
reference_url https://github.com/craftcms/commerce
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/commerce
2
reference_url https://github.com/craftcms/commerce/releases/tag/4.10.1
reference_id 4.10.1
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:06Z/
url https://github.com/craftcms/commerce/releases/tag/4.10.1
3
reference_url https://github.com/craftcms/commerce/releases/tag/5.5.2
reference_id 5.5.2
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:06Z/
url https://github.com/craftcms/commerce/releases/tag/5.5.2
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25487
reference_id CVE-2026-25487
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25487
5
reference_url https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
reference_id fa273330807807d05b564d37c88654cd772839ee
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:06Z/
url https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
6
reference_url https://github.com/advisories/GHSA-wqc5-485v-3hqh
reference_id GHSA-wqc5-485v-3hqh
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-wqc5-485v-3hqh
7
reference_url https://github.com/craftcms/commerce/security/advisories/GHSA-wqc5-485v-3hqh
reference_id GHSA-wqc5-485v-3hqh
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:06Z/
url https://github.com/craftcms/commerce/security/advisories/GHSA-wqc5-485v-3hqh
fixed_packages
0
url pkg:composer/craftcms/commerce@4.10.1
purl pkg:composer/craftcms/commerce@4.10.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7mwe-pr8b-27b9
1
vulnerability VCID-8wtv-3a2u-efhn
2
vulnerability VCID-97wt-uzgd-j7cy
3
vulnerability VCID-dnc5-bagp-wfgm
4
vulnerability VCID-gym5-pp2y-y3ed
5
vulnerability VCID-ke4n-z9fq-87ea
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@4.10.1
1
url pkg:composer/craftcms/commerce@5.5.2
purl pkg:composer/craftcms/commerce@5.5.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6ut7-kdwm-zubh
1
vulnerability VCID-7mwe-pr8b-27b9
2
vulnerability VCID-8wtv-3a2u-efhn
3
vulnerability VCID-97wt-uzgd-j7cy
4
vulnerability VCID-dnc5-bagp-wfgm
5
vulnerability VCID-gym5-pp2y-y3ed
6
vulnerability VCID-ke4n-z9fq-87ea
7
vulnerability VCID-nd31-ykw5-rqbt
8
vulnerability VCID-wk8c-81g9-juh9
9
vulnerability VCID-y7ud-n1vc-ckc5
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2
aliases CVE-2026-25487, GHSA-wqc5-485v-3hqh
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-w92g-517h-rud8
Fixing_vulnerabilities
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@4.8.1.2