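Look up vulnerable packages by Package URL (purl). When reading a response, note that a version listed under `fixed_packages` fixes only the vulnerability it is listed under and may itself be marked `is_vulnerable: true`; `next_non_vulnerable_version` is the nearest version with no vulnerabilities recorded in this database.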

GET /api/packages/936728?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/packages/936728?format=api",
    "purl": "pkg:composer/craftcms/commerce@5.3.12",
    "type": "composer",
    "namespace": "craftcms",
    "name": "commerce",
    "version": "5.3.12",
    "qualifiers": {},
    "subpath": "",
    "is_vulnerable": true,
    "next_non_vulnerable_version": "5.6.0",
    "latest_non_vulnerable_version": "5.6.0",
    "affected_by_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66052?format=api",
            "vulnerability_id": "VCID-1fpe-utun-2bhp",
            "summary": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Tax Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25488",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00025",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07525",
                            "published_at": "2026-06-12T12:55:00Z"
                        },
                        {
                            "value": "0.00025",
                            "scoring_system": "epss",
                            "scoring_elements": "0.0751",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.00025",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07518",
                            "published_at": "2026-06-13T12:55:00Z"
                        },
                        {
                            "value": "0.00025",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07492",
                            "published_at": "2026-06-11T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25488"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/releases/tag/4.10.1",
                    "reference_id": "4.10.1",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:40Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/releases/tag/5.5.2",
                    "reference_id": "5.5.2",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:40Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25488",
                    "reference_id": "CVE-2026-25488",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25488"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee",
                    "reference_id": "fa273330807807d05b564d37c88654cd772839ee",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:40Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-p6w8-q63m-72c8",
                    "reference_id": "GHSA-p6w8-q63m-72c8",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-p6w8-q63m-72c8"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/security/advisories/GHSA-p6w8-q63m-72c8",
                    "reference_id": "GHSA-p6w8-q63m-72c8",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:40Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-p6w8-q63m-72c8"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/38526?format=api",
                    "purl": "pkg:composer/craftcms/commerce@5.5.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6ut7-kdwm-zubh"
                        },
                        {
                            "vulnerability": "VCID-7mwe-pr8b-27b9"
                        },
                        {
                            "vulnerability": "VCID-8wtv-3a2u-efhn"
                        },
                        {
                            "vulnerability": "VCID-97wt-uzgd-j7cy"
                        },
                        {
                            "vulnerability": "VCID-dnc5-bagp-wfgm"
                        },
                        {
                            "vulnerability": "VCID-gym5-pp2y-y3ed"
                        },
                        {
                            "vulnerability": "VCID-ke4n-z9fq-87ea"
                        },
                        {
                            "vulnerability": "VCID-nd31-ykw5-rqbt"
                        },
                        {
                            "vulnerability": "VCID-wk8c-81g9-juh9"
                        },
                        {
                            "vulnerability": "VCID-y7ud-n1vc-ckc5"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2"
                }
            ],
            "aliases": [
                "CVE-2026-25488",
                "GHSA-p6w8-q63m-72c8"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1fpe-utun-2bhp"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65948?format=api",
            "vulnerability_id": "VCID-3aau-58kb-23c2",
            "summary": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Zone (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25522",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00034",
                            "scoring_system": "epss",
                            "scoring_elements": "0.10383",
                            "published_at": "2026-06-12T12:55:00Z"
                        },
                        {
                            "value": "0.00034",
                            "scoring_system": "epss",
                            "scoring_elements": "0.10363",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.00034",
                            "scoring_system": "epss",
                            "scoring_elements": "0.10387",
                            "published_at": "2026-06-13T12:55:00Z"
                        },
                        {
                            "value": "0.00034",
                            "scoring_system": "epss",
                            "scoring_elements": "0.10332",
                            "published_at": "2026-06-11T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25522"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/releases/tag/4.10.1",
                    "reference_id": "4.10.1",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T19:22:16Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/releases/tag/5.5.2",
                    "reference_id": "5.5.2",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T19:22:16Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25522",
                    "reference_id": "CVE-2026-25522",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25522"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee",
                    "reference_id": "fa273330807807d05b564d37c88654cd772839ee",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T19:22:16Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-h9r9-2pxg-cx9m",
                    "reference_id": "GHSA-h9r9-2pxg-cx9m",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-h9r9-2pxg-cx9m"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/security/advisories/GHSA-h9r9-2pxg-cx9m",
                    "reference_id": "GHSA-h9r9-2pxg-cx9m",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T19:22:16Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-h9r9-2pxg-cx9m"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/38526?format=api",
                    "purl": "pkg:composer/craftcms/commerce@5.5.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6ut7-kdwm-zubh"
                        },
                        {
                            "vulnerability": "VCID-7mwe-pr8b-27b9"
                        },
                        {
                            "vulnerability": "VCID-8wtv-3a2u-efhn"
                        },
                        {
                            "vulnerability": "VCID-97wt-uzgd-j7cy"
                        },
                        {
                            "vulnerability": "VCID-dnc5-bagp-wfgm"
                        },
                        {
                            "vulnerability": "VCID-gym5-pp2y-y3ed"
                        },
                        {
                            "vulnerability": "VCID-ke4n-z9fq-87ea"
                        },
                        {
                            "vulnerability": "VCID-nd31-ykw5-rqbt"
                        },
                        {
                            "vulnerability": "VCID-wk8c-81g9-juh9"
                        },
                        {
                            "vulnerability": "VCID-y7ud-n1vc-ckc5"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2"
                }
            ],
            "aliases": [
                "CVE-2026-25522",
                "GHSA-h9r9-2pxg-cx9m"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3aau-58kb-23c2"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65916?format=api",
            "vulnerability_id": "VCID-3tvs-zkkk-q3dn",
            "summary": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the 'Address Line 1' field in Inventory Locations is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25490",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00025",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07525",
                            "published_at": "2026-06-12T12:55:00Z"
                        },
                        {
                            "value": "0.00025",
                            "scoring_system": "epss",
                            "scoring_elements": "0.0751",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.00025",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07518",
                            "published_at": "2026-06-13T12:55:00Z"
                        },
                        {
                            "value": "0.00025",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07492",
                            "published_at": "2026-06-11T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25490"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/releases/tag/4.10.1",
                    "reference_id": "4.10.1",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:25:17Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/releases/tag/5.5.2",
                    "reference_id": "5.5.2",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:25:17Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25490",
                    "reference_id": "CVE-2026-25490",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25490"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee",
                    "reference_id": "fa273330807807d05b564d37c88654cd772839ee",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:25:17Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-wq2m-r96q-crrf",
                    "reference_id": "GHSA-wq2m-r96q-crrf",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-wq2m-r96q-crrf"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/security/advisories/GHSA-wq2m-r96q-crrf",
                    "reference_id": "GHSA-wq2m-r96q-crrf",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:25:17Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-wq2m-r96q-crrf"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/38526?format=api",
                    "purl": "pkg:composer/craftcms/commerce@5.5.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6ut7-kdwm-zubh"
                        },
                        {
                            "vulnerability": "VCID-7mwe-pr8b-27b9"
                        },
                        {
                            "vulnerability": "VCID-8wtv-3a2u-efhn"
                        },
                        {
                            "vulnerability": "VCID-97wt-uzgd-j7cy"
                        },
                        {
                            "vulnerability": "VCID-dnc5-bagp-wfgm"
                        },
                        {
                            "vulnerability": "VCID-gym5-pp2y-y3ed"
                        },
                        {
                            "vulnerability": "VCID-ke4n-z9fq-87ea"
                        },
                        {
                            "vulnerability": "VCID-nd31-ykw5-rqbt"
                        },
                        {
                            "vulnerability": "VCID-wk8c-81g9-juh9"
                        },
                        {
                            "vulnerability": "VCID-y7ud-n1vc-ckc5"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2"
                }
            ],
            "aliases": [
                "CVE-2026-25490",
                "GHSA-wq2m-r96q-crrf"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3tvs-zkkk-q3dn"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66068?format=api",
            "vulnerability_id": "VCID-3zc6-6twn-53bv",
            "summary": "Craft Commerce is an ecommerce platform for Craft CMS. From version 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Methods Name field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in version 5.5.2.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25486",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00024",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07012",
                            "published_at": "2026-06-12T12:55:00Z"
                        },
                        {
                            "value": "0.00024",
                            "scoring_system": "epss",
                            "scoring_elements": "0.06997",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.00024",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07005",
                            "published_at": "2026-06-13T12:55:00Z"
                        },
                        {
                            "value": "0.00024",
                            "scoring_system": "epss",
                            "scoring_elements": "0.06983",
                            "published_at": "2026-06-11T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25486"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/releases/tag/5.5.2",
                    "reference_id": "5.5.2",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:10:07Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25486",
                    "reference_id": "CVE-2026-25486",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25486"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee",
                    "reference_id": "fa273330807807d05b564d37c88654cd772839ee",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:10:07Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-g92v-wpv7-6w22",
                    "reference_id": "GHSA-g92v-wpv7-6w22",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-g92v-wpv7-6w22"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/security/advisories/GHSA-g92v-wpv7-6w22",
                    "reference_id": "GHSA-g92v-wpv7-6w22",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:10:07Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-g92v-wpv7-6w22"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/38526?format=api",
                    "purl": "pkg:composer/craftcms/commerce@5.5.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6ut7-kdwm-zubh"
                        },
                        {
                            "vulnerability": "VCID-7mwe-pr8b-27b9"
                        },
                        {
                            "vulnerability": "VCID-8wtv-3a2u-efhn"
                        },
                        {
                            "vulnerability": "VCID-97wt-uzgd-j7cy"
                        },
                        {
                            "vulnerability": "VCID-dnc5-bagp-wfgm"
                        },
                        {
                            "vulnerability": "VCID-gym5-pp2y-y3ed"
                        },
                        {
                            "vulnerability": "VCID-ke4n-z9fq-87ea"
                        },
                        {
                            "vulnerability": "VCID-nd31-ykw5-rqbt"
                        },
                        {
                            "vulnerability": "VCID-wk8c-81g9-juh9"
                        },
                        {
                            "vulnerability": "VCID-y7ud-n1vc-ckc5"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2"
                }
            ],
            "aliases": [
                "CVE-2026-25486",
                "GHSA-g92v-wpv7-6w22"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3zc6-6twn-53bv"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66198?format=api",
            "vulnerability_id": "VCID-6g9k-ndry-qyc4",
            "summary": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the \"Recent Orders\" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard. This issue has been patched in versions 4.10.1 and 5.5.2.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25482",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00029",
                            "scoring_system": "epss",
                            "scoring_elements": "0.08869",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.00029",
                            "scoring_system": "epss",
                            "scoring_elements": "0.08879",
                            "published_at": "2026-06-13T12:55:00Z"
                        },
                        {
                            "value": "0.00029",
                            "scoring_system": "epss",
                            "scoring_elements": "0.08874",
                            "published_at": "2026-06-12T12:55:00Z"
                        },
                        {
                            "value": "0.00029",
                            "scoring_system": "epss",
                            "scoring_elements": "0.08831",
                            "published_at": "2026-06-11T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25482"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/releases/tag/4.10.1",
                    "reference_id": "4.10.1",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:23Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/releases/tag/5.5.2",
                    "reference_id": "5.5.2",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:23Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25482",
                    "reference_id": "CVE-2026-25482",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25482"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935ba65",
                    "reference_id": "d94d1c9832a47a1c383e375ae87c46c13935ba65",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:23Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935ba65"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-frj9-9rwc-pw9j",
                    "reference_id": "GHSA-frj9-9rwc-pw9j",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-frj9-9rwc-pw9j"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/security/advisories/GHSA-frj9-9rwc-pw9j",
                    "reference_id": "GHSA-frj9-9rwc-pw9j",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "6.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:23Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-frj9-9rwc-pw9j"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/38526?format=api",
                    "purl": "pkg:composer/craftcms/commerce@5.5.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6ut7-kdwm-zubh"
                        },
                        {
                            "vulnerability": "VCID-7mwe-pr8b-27b9"
                        },
                        {
                            "vulnerability": "VCID-8wtv-3a2u-efhn"
                        },
                        {
                            "vulnerability": "VCID-97wt-uzgd-j7cy"
                        },
                        {
                            "vulnerability": "VCID-dnc5-bagp-wfgm"
                        },
                        {
                            "vulnerability": "VCID-gym5-pp2y-y3ed"
                        },
                        {
                            "vulnerability": "VCID-ke4n-z9fq-87ea"
                        },
                        {
                            "vulnerability": "VCID-nd31-ykw5-rqbt"
                        },
                        {
                            "vulnerability": "VCID-wk8c-81g9-juh9"
                        },
                        {
                            "vulnerability": "VCID-y7ud-n1vc-ckc5"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2"
                }
            ],
            "aliases": [
                "CVE-2026-25482",
                "GHSA-frj9-9rwc-pw9j"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6g9k-ndry-qyc4"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/74087?format=api",
            "vulnerability_id": "VCID-6ut7-kdwm-zubh",
            "summary": "Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Craft Commerce is vulnerable to SQL Injection in the inventory levels table data endpoint. The sort[0][direction] and sort[0][sortField] parameters are concatenated directly into an addOrderBy() clause without any validation or sanitization. An authenticated attacker with access to the Commerce Inventory section can inject arbitrary SQL queries, potentially leading to a full database compromise. This vulnerability is fixed in 5.5.3.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29174",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.0313",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.03117",
                            "published_at": "2026-06-13T12:55:00Z"
                        },
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.03134",
                            "published_at": "2026-06-12T12:55:00Z"
                        },
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.0312",
                            "published_at": "2026-06-11T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29174"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/commit/094d69df24b925544f337c38e2ec1effcd5395c7",
                    "reference_id": "094d69df24b925544f337c38e2ec1effcd5395c7",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-10T20:09:58Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/commit/094d69df24b925544f337c38e2ec1effcd5395c7"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b",
                    "reference_id": "a2ea853935ef03297ea1298bdb0d8c55ec5daf7b",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-10T20:09:58Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29174",
                    "reference_id": "CVE-2026-29174",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29174"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-pmgj-gmm4-jh6j",
                    "reference_id": "GHSA-pmgj-gmm4-jh6j",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-pmgj-gmm4-jh6j"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/security/advisories/GHSA-pmgj-gmm4-jh6j",
                    "reference_id": "GHSA-pmgj-gmm4-jh6j",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-10T20:09:58Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-pmgj-gmm4-jh6j"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/40459?format=api",
                    "purl": "pkg:composer/craftcms/commerce@5.5.3",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-97wt-uzgd-j7cy"
                        },
                        {
                            "vulnerability": "VCID-gym5-pp2y-y3ed"
                        },
                        {
                            "vulnerability": "VCID-ke4n-z9fq-87ea"
                        },
                        {
                            "vulnerability": "VCID-nd31-ykw5-rqbt"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.3"
                }
            ],
            "aliases": [
                "CVE-2026-29174",
                "GHSA-pmgj-gmm4-jh6j"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6ut7-kdwm-zubh"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/74121?format=api",
            "vulnerability_id": "VCID-7mwe-pr8b-27b9",
            "summary": "Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part (column name) is passed directly as an array key to orderBy() without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an authenticated attacker to inject arbitrary SQL into the ORDER BY clause. This vulnerability is fixed in 4.10.2 and 5.5.3.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29172",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.0313",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.03117",
                            "published_at": "2026-06-13T12:55:00Z"
                        },
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.03134",
                            "published_at": "2026-06-12T12:55:00Z"
                        },
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.0312",
                            "published_at": "2026-06-11T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29172"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276",
                    "reference_id": "b231b920b73db023e81e5b261b894d73e865c276",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-11T14:12:47Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29172",
                    "reference_id": "CVE-2026-29172",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29172"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1",
                    "reference_id": "e4e0f4107cd895d29290523637f077fe280407b1",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-11T14:12:47Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-j3x5-mghf-xvfw",
                    "reference_id": "GHSA-j3x5-mghf-xvfw",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-j3x5-mghf-xvfw"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw",
                    "reference_id": "GHSA-j3x5-mghf-xvfw",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-11T14:12:47Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/40459?format=api",
                    "purl": "pkg:composer/craftcms/commerce@5.5.3",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-97wt-uzgd-j7cy"
                        },
                        {
                            "vulnerability": "VCID-gym5-pp2y-y3ed"
                        },
                        {
                            "vulnerability": "VCID-ke4n-z9fq-87ea"
                        },
                        {
                            "vulnerability": "VCID-nd31-ykw5-rqbt"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.3"
                }
            ],
            "aliases": [
                "CVE-2026-29172",
                "GHSA-j3x5-mghf-xvfw"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7mwe-pr8b-27b9"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65720?format=api",
            "vulnerability_id": "VCID-8612-urej-cqbg",
            "summary": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25489",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00025",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07492",
                            "published_at": "2026-06-11T12:55:00Z"
                        },
                        {
                            "value": "0.00025",
                            "scoring_system": "epss",
                            "scoring_elements": "0.0751",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.00025",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07518",
                            "published_at": "2026-06-13T12:55:00Z"
                        },
                        {
                            "value": "0.00025",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07525",
                            "published_at": "2026-06-12T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25489"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/releases/tag/4.10.1",
                    "reference_id": "4.10.1",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:32:00Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/releases/tag/5.5.2",
                    "reference_id": "5.5.2",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:32:00Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25489",
                    "reference_id": "CVE-2026-25489",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25489"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee",
                    "reference_id": "fa273330807807d05b564d37c88654cd772839ee",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:32:00Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-v585-mf6r-rqrc",
                    "reference_id": "GHSA-v585-mf6r-rqrc",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-v585-mf6r-rqrc"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/security/advisories/GHSA-v585-mf6r-rqrc",
                    "reference_id": "GHSA-v585-mf6r-rqrc",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:32:00Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-v585-mf6r-rqrc"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/38526?format=api",
                    "purl": "pkg:composer/craftcms/commerce@5.5.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6ut7-kdwm-zubh"
                        },
                        {
                            "vulnerability": "VCID-7mwe-pr8b-27b9"
                        },
                        {
                            "vulnerability": "VCID-8wtv-3a2u-efhn"
                        },
                        {
                            "vulnerability": "VCID-97wt-uzgd-j7cy"
                        },
                        {
                            "vulnerability": "VCID-dnc5-bagp-wfgm"
                        },
                        {
                            "vulnerability": "VCID-gym5-pp2y-y3ed"
                        },
                        {
                            "vulnerability": "VCID-ke4n-z9fq-87ea"
                        },
                        {
                            "vulnerability": "VCID-nd31-ykw5-rqbt"
                        },
                        {
                            "vulnerability": "VCID-wk8c-81g9-juh9"
                        },
                        {
                            "vulnerability": "VCID-y7ud-n1vc-ckc5"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2"
                }
            ],
            "aliases": [
                "CVE-2026-25489",
                "GHSA-v585-mf6r-rqrc"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8612-urej-cqbg"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/74033?format=api",
            "vulnerability_id": "VCID-8wtv-3a2u-efhn",
            "summary": "Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name. When a user opens the order details slideout via a double-click on the order index page, the injected payload executes. This vulnerability is fixed in 4.10.2 and 5.5.3.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29177",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00014",
                            "scoring_system": "epss",
                            "scoring_elements": "0.02431",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.00014",
                            "scoring_system": "epss",
                            "scoring_elements": "0.02429",
                            "published_at": "2026-06-12T12:55:00Z"
                        },
                        {
                            "value": "0.00014",
                            "scoring_system": "epss",
                            "scoring_elements": "0.02422",
                            "published_at": "2026-06-13T12:55:00Z"
                        },
                        {
                            "value": "0.00014",
                            "scoring_system": "epss",
                            "scoring_elements": "0.02427",
                            "published_at": "2026-06-11T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29177"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "1.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/commit/b0683e04773f16bba6af9df18aab495fc5dde68a",
                    "reference_id": "b0683e04773f16bba6af9df18aab495fc5dde68a",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "1.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:07:59Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/commit/b0683e04773f16bba6af9df18aab495fc5dde68a"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29177",
                    "reference_id": "CVE-2026-29177",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "1.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29177"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-mj32-r678-7mvp",
                    "reference_id": "GHSA-mj32-r678-7mvp",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "LOW",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-mj32-r678-7mvp"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/security/advisories/GHSA-mj32-r678-7mvp",
                    "reference_id": "GHSA-mj32-r678-7mvp",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "LOW",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "1.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:07:59Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-mj32-r678-7mvp"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/40459?format=api",
                    "purl": "pkg:composer/craftcms/commerce@5.5.3",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-97wt-uzgd-j7cy"
                        },
                        {
                            "vulnerability": "VCID-gym5-pp2y-y3ed"
                        },
                        {
                            "vulnerability": "VCID-ke4n-z9fq-87ea"
                        },
                        {
                            "vulnerability": "VCID-nd31-ykw5-rqbt"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.3"
                }
            ],
            "aliases": [
                "CVE-2026-29177",
                "GHSA-mj32-r678-7mvp"
            ],
            "risk_score": 1.4,
            "exploitability": "0.5",
            "weighted_severity": "2.7",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8wtv-3a2u-efhn"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66248?format=api",
            "vulnerability_id": "VCID-95zg-q87n-kba2",
            "summary": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. Because the injected script runs in the session of the user whose browser renders the message, if that user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes. This issue has been patched in versions 4.10.1 and 5.5.2.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25483",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00018",
                            "scoring_system": "epss",
                            "scoring_elements": "0.04735",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.00018",
                            "scoring_system": "epss",
                            "scoring_elements": "0.04756",
                            "published_at": "2026-06-12T12:55:00Z"
                        },
                        {
                            "value": "0.00018",
                            "scoring_system": "epss",
                            "scoring_elements": "0.04742",
                            "published_at": "2026-06-13T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25483"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/releases/tag/4.10.1",
                    "reference_id": "4.10.1",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:22Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c",
                    "reference_id": "4665a47c0961aee311a42af2ff94a7c470f0ad8c",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:22Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/releases/tag/5.5.2",
                    "reference_id": "5.5.2",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:22Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25483",
                    "reference_id": "CVE-2026-25483",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25483"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-8478-rmjg-mjj5",
                    "reference_id": "GHSA-8478-rmjg-mjj5",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-8478-rmjg-mjj5"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5",
                    "reference_id": "GHSA-8478-rmjg-mjj5",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "6.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:22Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/38526?format=api",
                    "purl": "pkg:composer/craftcms/commerce@5.5.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6ut7-kdwm-zubh"
                        },
                        {
                            "vulnerability": "VCID-7mwe-pr8b-27b9"
                        },
                        {
                            "vulnerability": "VCID-8wtv-3a2u-efhn"
                        },
                        {
                            "vulnerability": "VCID-97wt-uzgd-j7cy"
                        },
                        {
                            "vulnerability": "VCID-dnc5-bagp-wfgm"
                        },
                        {
                            "vulnerability": "VCID-gym5-pp2y-y3ed"
                        },
                        {
                            "vulnerability": "VCID-ke4n-z9fq-87ea"
                        },
                        {
                            "vulnerability": "VCID-nd31-ykw5-rqbt"
                        },
                        {
                            "vulnerability": "VCID-wk8c-81g9-juh9"
                        },
                        {
                            "vulnerability": "VCID-y7ud-n1vc-ckc5"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2"
                }
            ],
            "aliases": [
                "CVE-2026-25483",
                "GHSA-8478-rmjg-mjj5"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-95zg-q87n-kba2"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/76986?format=api",
            "vulnerability_id": "VCID-97wt-uzgd-j7cy",
            "summary": "Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, the PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. The JSON error response includes the serialized order object (order), which contains some sensitive fields such as customer email, shipping address, and billing address. The frontend payment flow's actionPay() retrieves orders by number before authorization is fully enforced. This issue has been fixed in versions 4.11.0 and 5.6.0.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32270",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.0009",
                            "scoring_system": "epss",
                            "scoring_elements": "0.25699",
                            "published_at": "2026-06-13T12:55:00Z"
                        },
                        {
                            "value": "0.0009",
                            "scoring_system": "epss",
                            "scoring_elements": "0.25482",
                            "published_at": "2026-06-11T12:55:00Z"
                        },
                        {
                            "value": "0.0009",
                            "scoring_system": "epss",
                            "scoring_elements": "0.25684",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.0009",
                            "scoring_system": "epss",
                            "scoring_elements": "0.25681",
                            "published_at": "2026-06-12T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32270"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "1.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32270",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "1.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32270"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/releases/tag/4.11.0",
                    "reference_id": "4.11.0",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "1.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"
                        },
                        {
                            "value": "1.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T15:24:48Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/releases/tag/4.11.0"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/commit/48a5d946419964e2af1ac64a8e1acc2a32ca0a08",
                    "reference_id": "48a5d946419964e2af1ac64a8e1acc2a32ca0a08",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "1.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"
                        },
                        {
                            "value": "1.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T15:24:48Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/commit/48a5d946419964e2af1ac64a8e1acc2a32ca0a08"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/releases/tag/5.6.0",
                    "reference_id": "5.6.0",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "1.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"
                        },
                        {
                            "value": "1.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T15:24:48Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/releases/tag/5.6.0"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-3vxg-x5f8-f5qf",
                    "reference_id": "GHSA-3vxg-x5f8-f5qf",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "LOW",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-3vxg-x5f8-f5qf"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/security/advisories/GHSA-3vxg-x5f8-f5qf",
                    "reference_id": "GHSA-3vxg-x5f8-f5qf",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "LOW",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "1.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"
                        },
                        {
                            "value": "1.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T15:24:48Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-3vxg-x5f8-f5qf"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/40469?format=api",
                    "purl": "pkg:composer/craftcms/commerce@5.6.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.6.0"
                }
            ],
            "aliases": [
                "CVE-2026-32270",
                "GHSA-3vxg-x5f8-f5qf"
            ],
            "risk_score": 1.4,
            "exploitability": "0.5",
            "weighted_severity": "2.7",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-97wt-uzgd-j7cy"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/74122?format=api",
            "vulnerability_id": "VCID-dnc5-bagp-wfgm",
            "summary": "Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. This vulnerability is fixed in 4.10.2 and 5.5.3.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29173",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00018",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05204",
                            "published_at": "2026-06-11T12:55:00Z"
                        },
                        {
                            "value": "0.00018",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05217",
                            "published_at": "2026-06-12T12:55:00Z"
                        },
                        {
                            "value": "0.00018",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05209",
                            "published_at": "2026-06-13T12:55:00Z"
                        },
                        {
                            "value": "0.00018",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05195",
                            "published_at": "2026-06-14T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29173"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "1.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/commit/60cdc505c03b6fa2f59715e8c060114b66334afa",
                    "reference_id": "60cdc505c03b6fa2f59715e8c060114b66334afa",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "1.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
                        },
                        {
                            "value": "1.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:09:40Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/commit/60cdc505c03b6fa2f59715e8c060114b66334afa"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b",
                    "reference_id": "a2ea853935ef03297ea1298bdb0d8c55ec5daf7b",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "1.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"
                        },
                        {
                            "value": "1.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:09:40Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29173",
                    "reference_id": "CVE-2026-29173",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "1.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29173"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-mqxf-2998-c6cp",
                    "reference_id": "GHSA-mqxf-2998-c6cp",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "LOW",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-mqxf-2998-c6cp"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/security/advisories/GHSA-mqxf-2998-c6cp",
                    "reference_id": "GHSA-mqxf-2998-c6cp",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "LOW",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "1.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"
                        },
                        {
                            "value": "1.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:09:40Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-mqxf-2998-c6cp"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/40459?format=api",
                    "purl": "pkg:composer/craftcms/commerce@5.5.3",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-97wt-uzgd-j7cy"
                        },
                        {
                            "vulnerability": "VCID-gym5-pp2y-y3ed"
                        },
                        {
                            "vulnerability": "VCID-ke4n-z9fq-87ea"
                        },
                        {
                            "vulnerability": "VCID-nd31-ykw5-rqbt"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.3"
                }
            ],
            "aliases": [
                "CVE-2026-29173",
                "GHSA-mqxf-2998-c6cp"
            ],
            "risk_score": 1.4,
            "exploitability": "0.5",
            "weighted_severity": "2.7",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dnc5-bagp-wfgm"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77310?format=api",
            "vulnerability_id": "VCID-gym5-pp2y-y3ed",
            "summary": "Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allows any authenticated control panel user to achieve remote code execution through a four-step exploitation chain. The attack exploits unsanitized widget settings interpolated into SQL expressions, combined with PDO's default multi-statement query support, to inject a maliciously serialized PHP object into the queue table. When the queue consumer processes the injected job, the unrestricted unserialize() call in yii2-queue instantiates a GuzzleHttp FileCookieJar gadget chain whose __destruct() method writes a PHP webshell to the server's webroot. The complete chain requires only three HTTP requests, no administrative privileges, and results in arbitrary command execution as the PHP process user, with queue processing triggered via an unauthenticated endpoint. This issue has been fixed in versions 4.10.3 and 5.5.5.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32271",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.0008",
                            "scoring_system": "epss",
                            "scoring_elements": "0.23852",
                            "published_at": "2026-06-13T12:55:00Z"
                        },
                        {
                            "value": "0.0008",
                            "scoring_system": "epss",
                            "scoring_elements": "0.23831",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.0008",
                            "scoring_system": "epss",
                            "scoring_elements": "0.23649",
                            "published_at": "2026-06-11T12:55:00Z"
                        },
                        {
                            "value": "0.0008",
                            "scoring_system": "epss",
                            "scoring_elements": "0.23845",
                            "published_at": "2026-06-12T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32271"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32271",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32271"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/commit/6d2d24b3a2b0c06593856d05446f82bd8af92d72",
                    "reference_id": "6d2d24b3a2b0c06593856d05446f82bd8af92d72",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-16T13:21:36Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/commit/6d2d24b3a2b0c06593856d05446f82bd8af92d72"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-875v-7m49-8x88",
                    "reference_id": "GHSA-875v-7m49-8x88",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-875v-7m49-8x88"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/security/advisories/GHSA-875v-7m49-8x88",
                    "reference_id": "GHSA-875v-7m49-8x88",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "7.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-16T13:21:36Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-875v-7m49-8x88"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/373939?format=api",
                    "purl": "pkg:composer/craftcms/commerce@5.5.5",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.5"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/40469?format=api",
                    "purl": "pkg:composer/craftcms/commerce@5.6.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.6.0"
                }
            ],
            "aliases": [
                "CVE-2026-32271",
                "GHSA-875v-7m49-8x88"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gym5-pp2y-y3ed"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65779?format=api",
            "vulnerability_id": "VCID-kcyd-frx2-myg9",
            "summary": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a stored XSS vulnerability via Product Type names. The name is not sanitized when it is displayed in the user permissions settings. The vulnerable input (source) is in Commerce (Product Type settings), but the sink is in the CMS user permissions settings. This issue has been patched in versions 4.10.1 and 5.5.2.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25484",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00019",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05616",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.00019",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05624",
                            "published_at": "2026-06-13T12:55:00Z"
                        },
                        {
                            "value": "0.00019",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05631",
                            "published_at": "2026-06-12T12:55:00Z"
                        },
                        {
                            "value": "0.00019",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05604",
                            "published_at": "2026-06-11T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25484"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/releases/tag/4.10.1",
                    "reference_id": "4.10.1",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:19Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/releases/tag/5.5.2",
                    "reference_id": "5.5.2",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:19Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/commit/7e1dedf06038c8e70dce0187b7048d4ab8ffb75c",
                    "reference_id": "7e1dedf06038c8e70dce0187b7048d4ab8ffb75c",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:19Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/commit/7e1dedf06038c8e70dce0187b7048d4ab8ffb75c"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25484",
                    "reference_id": "CVE-2026-25484",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25484"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-2h2m-v2mg-656c",
                    "reference_id": "GHSA-2h2m-v2mg-656c",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-2h2m-v2mg-656c"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/security/advisories/GHSA-2h2m-v2mg-656c",
                    "reference_id": "GHSA-2h2m-v2mg-656c",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:19Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-2h2m-v2mg-656c"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/38526?format=api",
                    "purl": "pkg:composer/craftcms/commerce@5.5.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6ut7-kdwm-zubh"
                        },
                        {
                            "vulnerability": "VCID-7mwe-pr8b-27b9"
                        },
                        {
                            "vulnerability": "VCID-8wtv-3a2u-efhn"
                        },
                        {
                            "vulnerability": "VCID-97wt-uzgd-j7cy"
                        },
                        {
                            "vulnerability": "VCID-dnc5-bagp-wfgm"
                        },
                        {
                            "vulnerability": "VCID-gym5-pp2y-y3ed"
                        },
                        {
                            "vulnerability": "VCID-ke4n-z9fq-87ea"
                        },
                        {
                            "vulnerability": "VCID-nd31-ykw5-rqbt"
                        },
                        {
                            "vulnerability": "VCID-wk8c-81g9-juh9"
                        },
                        {
                            "vulnerability": "VCID-y7ud-n1vc-ckc5"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2"
                }
            ],
            "aliases": [
                "CVE-2026-25484",
                "GHSA-2h2m-v2mg-656c"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kcyd-frx2-myg9"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71368?format=api",
            "vulnerability_id": "VCID-ke4n-z9fq-87ea",
            "summary": "Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.11.0 and 5.6.0, an Insecure Direct Object Reference (IDOR) vulnerability exists in Craft Commerce’s cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character number. The CartController accepts a user-supplied number parameter to load and modify shopping carts. No ownership validation is performed: the code only checks whether the order exists and is incomplete, not whether the requester is authorized to access it. This vulnerability enables the takeover of shopping sessions and potential exposure of PII. This vulnerability is fixed in 4.11.0 and 5.6.0.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31867",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00072",
                            "scoring_system": "epss",
                            "scoring_elements": "0.22141",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.00072",
                            "scoring_system": "epss",
                            "scoring_elements": "0.22155",
                            "published_at": "2026-06-12T12:55:00Z"
                        },
                        {
                            "value": "0.00072",
                            "scoring_system": "epss",
                            "scoring_elements": "0.22166",
                            "published_at": "2026-06-13T12:55:00Z"
                        },
                        {
                            "value": "0.00072",
                            "scoring_system": "epss",
                            "scoring_elements": "0.21965",
                            "published_at": "2026-06-11T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31867"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/pull/4207",
                    "reference_id": "4207",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T13:49:40Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/pull/4207"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31867",
                    "reference_id": "CVE-2026-31867",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31867"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-vff3-pqq8-4cpq",
                    "reference_id": "GHSA-vff3-pqq8-4cpq",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-vff3-pqq8-4cpq"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/security/advisories/GHSA-vff3-pqq8-4cpq",
                    "reference_id": "GHSA-vff3-pqq8-4cpq",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "6.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T13:49:40Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-vff3-pqq8-4cpq"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/40469?format=api",
                    "purl": "pkg:composer/craftcms/commerce@5.6.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.6.0"
                }
            ],
            "aliases": [
                "CVE-2026-31867",
                "GHSA-vff3-pqq8-4cpq"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ke4n-z9fq-87ea"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/76954?format=api",
            "vulnerability_id": "VCID-nd31-ykw5-rqbt",
            "summary": "Craft Commerce is an ecommerce platform for Craft CMS. In versions 5.0.0 through 5.5.4, an SQL injection vulnerability exists where the ProductQuery::hasVariant and VariantQuery::hasProduct properties bypass the input sanitization blocklist added to ElementIndexesController in a prior security fix (GHSA-2453-mppf-46cj). The blocklist only strips top-level Yii2 Query properties such as where and orderBy, but hasVariant and hasProduct pass through untouched and internally call Craft::configure() on a subquery without sanitization, re-introducing SQL injection. Any authenticated control panel user can exploit this via boolean-based blind SQL injection to extract arbitrary database contents, including security keys that enable forging admin sessions for privilege escalation. This issue has been fixed in version 5.6.0.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32272",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00039",
                            "scoring_system": "epss",
                            "scoring_elements": "0.11967",
                            "published_at": "2026-06-11T12:55:00Z"
                        },
                        {
                            "value": "0.00039",
                            "scoring_system": "epss",
                            "scoring_elements": "0.12043",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.00039",
                            "scoring_system": "epss",
                            "scoring_elements": "0.12062",
                            "published_at": "2026-06-12T12:55:00Z"
                        },
                        {
                            "value": "0.00039",
                            "scoring_system": "epss",
                            "scoring_elements": "0.12064",
                            "published_at": "2026-06-13T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32272"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32272",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32272"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/pull/4232",
                    "reference_id": "4232",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-14T15:28:46Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/pull/4232"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/releases/tag/5.6.0",
                    "reference_id": "5.6.0",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-14T15:28:46Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/releases/tag/5.6.0"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-2453-mppf-46cj",
                    "reference_id": "GHSA-2453-mppf-46cj",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-14T15:28:46Z/"
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-2453-mppf-46cj"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-r54v-qq87-px5r",
                    "reference_id": "GHSA-r54v-qq87-px5r",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-r54v-qq87-px5r"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/security/advisories/GHSA-r54v-qq87-px5r",
                    "reference_id": "GHSA-r54v-qq87-px5r",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-14T15:28:46Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-r54v-qq87-px5r"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/40469?format=api",
                    "purl": "pkg:composer/craftcms/commerce@5.6.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.6.0"
                }
            ],
            "aliases": [
                "CVE-2026-32272",
                "GHSA-r54v-qq87-px5r"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nd31-ykw5-rqbt"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66089?format=api",
            "vulnerability_id": "VCID-w92g-517h-rud8",
            "summary": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25487",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00025",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07525",
                            "published_at": "2026-06-12T12:55:00Z"
                        },
                        {
                            "value": "0.00025",
                            "scoring_system": "epss",
                            "scoring_elements": "0.0751",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.00025",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07518",
                            "published_at": "2026-06-13T12:55:00Z"
                        },
                        {
                            "value": "0.00025",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07492",
                            "published_at": "2026-06-11T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25487"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/releases/tag/4.10.1",
                    "reference_id": "4.10.1",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:06Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/releases/tag/5.5.2",
                    "reference_id": "5.5.2",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:06Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25487",
                    "reference_id": "CVE-2026-25487",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25487"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee",
                    "reference_id": "fa273330807807d05b564d37c88654cd772839ee",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:06Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-wqc5-485v-3hqh",
                    "reference_id": "GHSA-wqc5-485v-3hqh",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-wqc5-485v-3hqh"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/security/advisories/GHSA-wqc5-485v-3hqh",
                    "reference_id": "GHSA-wqc5-485v-3hqh",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:06Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-wqc5-485v-3hqh"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/38526?format=api",
                    "purl": "pkg:composer/craftcms/commerce@5.5.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6ut7-kdwm-zubh"
                        },
                        {
                            "vulnerability": "VCID-7mwe-pr8b-27b9"
                        },
                        {
                            "vulnerability": "VCID-8wtv-3a2u-efhn"
                        },
                        {
                            "vulnerability": "VCID-97wt-uzgd-j7cy"
                        },
                        {
                            "vulnerability": "VCID-dnc5-bagp-wfgm"
                        },
                        {
                            "vulnerability": "VCID-gym5-pp2y-y3ed"
                        },
                        {
                            "vulnerability": "VCID-ke4n-z9fq-87ea"
                        },
                        {
                            "vulnerability": "VCID-nd31-ykw5-rqbt"
                        },
                        {
                            "vulnerability": "VCID-wk8c-81g9-juh9"
                        },
                        {
                            "vulnerability": "VCID-y7ud-n1vc-ckc5"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2"
                }
            ],
            "aliases": [
                "CVE-2026-25487",
                "GHSA-wqc5-485v-3hqh"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w92g-517h-rud8"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/74029?format=api",
            "vulnerability_id": "VCID-wk8c-81g9-juh9",
            "summary": "Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, stored XSS vulnerabilities exist in the Commerce Inventory page. The Product Title, Variant Title, and Variant SKU fields are rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript when any user (including administrators) views the inventory management page. This vulnerability is fixed in 5.5.3.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29175",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00014",
                            "scoring_system": "epss",
                            "scoring_elements": "0.02806",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.00014",
                            "scoring_system": "epss",
                            "scoring_elements": "0.02811",
                            "published_at": "2026-06-12T12:55:00Z"
                        },
                        {
                            "value": "0.00014",
                            "scoring_system": "epss",
                            "scoring_elements": "0.02796",
                            "published_at": "2026-06-13T12:55:00Z"
                        },
                        {
                            "value": "0.00014",
                            "scoring_system": "epss",
                            "scoring_elements": "0.02803",
                            "published_at": "2026-06-11T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29175"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.6",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/commit/9f0638a4fb29ed8295a463385a7cc49ec986e33a",
                    "reference_id": "9f0638a4fb29ed8295a463385a7cc49ec986e33a",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.6",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-11T14:11:05Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/commit/9f0638a4fb29ed8295a463385a7cc49ec986e33a"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29175",
                    "reference_id": "CVE-2026-29175",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.6",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29175"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-cfpv-rmpf-f624",
                    "reference_id": "GHSA-cfpv-rmpf-f624",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-cfpv-rmpf-f624"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/security/advisories/GHSA-cfpv-rmpf-f624",
                    "reference_id": "GHSA-cfpv-rmpf-f624",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "8.6",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-11T14:11:05Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-cfpv-rmpf-f624"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/40459?format=api",
                    "purl": "pkg:composer/craftcms/commerce@5.5.3",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-97wt-uzgd-j7cy"
                        },
                        {
                            "vulnerability": "VCID-gym5-pp2y-y3ed"
                        },
                        {
                            "vulnerability": "VCID-ke4n-z9fq-87ea"
                        },
                        {
                            "vulnerability": "VCID-nd31-ykw5-rqbt"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.3"
                }
            ],
            "aliases": [
                "CVE-2026-29175",
                "GHSA-cfpv-rmpf-f624"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wk8c-81g9-juh9"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/73976?format=api",
            "vulnerability_id": "VCID-y7ud-n1vc-ckc5",
            "summary": "Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, a stored XSS vulnerability exists in the Commerce Settings - Inventory Locations page. The Name field is rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript. This XSS triggers when an administrator (or user with product editing permissions) creates or edits a variant product. This vulnerability is fixed in 5.5.3.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29176",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.0001",
                            "scoring_system": "epss",
                            "scoring_elements": "0.01199",
                            "published_at": "2026-06-12T12:55:00Z"
                        },
                        {
                            "value": "0.0001",
                            "scoring_system": "epss",
                            "scoring_elements": "0.01206",
                            "published_at": "2026-06-13T12:55:00Z"
                        },
                        {
                            "value": "0.0001",
                            "scoring_system": "epss",
                            "scoring_elements": "0.01209",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.0001",
                            "scoring_system": "epss",
                            "scoring_elements": "0.01202",
                            "published_at": "2026-06-11T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29176"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29176",
                    "reference_id": "CVE-2026-29176",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29176"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/commit/da143df084563ddf0929d7c261bcc11d312e8004",
                    "reference_id": "da143df084563ddf0929d7c261bcc11d312e8004",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
                        },
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:07:48Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/commit/da143df084563ddf0929d7c261bcc11d312e8004"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-wj89-2385-gpx3",
                    "reference_id": "GHSA-wj89-2385-gpx3",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-wj89-2385-gpx3"
                },
                {
                    "reference_url": "https://github.com/craftcms/commerce/security/advisories/GHSA-wj89-2385-gpx3",
                    "reference_id": "GHSA-wj89-2385-gpx3",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
                        },
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:07:48Z/"
                        }
                    ],
                    "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-wj89-2385-gpx3"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/40459?format=api",
                    "purl": "pkg:composer/craftcms/commerce@5.5.3",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-97wt-uzgd-j7cy"
                        },
                        {
                            "vulnerability": "VCID-gym5-pp2y-y3ed"
                        },
                        {
                            "vulnerability": "VCID-ke4n-z9fq-87ea"
                        },
                        {
                            "vulnerability": "VCID-nd31-ykw5-rqbt"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.3"
                }
            ],
            "aliases": [
                "CVE-2026-29176",
                "GHSA-wj89-2385-gpx3"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y7ud-n1vc-ckc5"
        }
    ],
    "fixing_vulnerabilities": [],
    "risk_score": "4.0",
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.3.12"
}