Package details: craftcms/commerce 5.5.3 (Composer)
purl: pkg:composer/craftcms/commerce@5.5.3
Vulnerabilities affecting this package (0)
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (6)

VCID-6ut7-kdwm-zubh
  Aliases: CVE-2026-29174, GHSA-pmgj-gmm4-jh6j
  Summary: Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Craft Commerce is vulnerable to SQL Injection in the inventory levels table data endpoint. The sort[0][direction] and sort[0][sortField] parameters are concatenated directly into an addOrderBy() clause without any validation or sanitization. An authenticated attacker with access to the Commerce Inventory section can inject arbitrary SQL queries, potentially leading to a full database compromise. This vulnerability is fixed in 5.5.3.

VCID-7mwe-pr8b-27b9
  Aliases: CVE-2026-29172, GHSA-j3x5-mghf-xvfw
  Summary: Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part (column name) is passed directly as an array key to orderBy() without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an authenticated attacker to inject arbitrary SQL into the ORDER BY clause. This vulnerability is fixed in 4.10.2 and 5.5.3.

VCID-8wtv-3a2u-efhn
  Aliases: CVE-2026-29177, GHSA-mj32-r678-7mvp
  Summary: Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name. When a user opens the order details slideout via a double-click on the order index page, the injected payload executes. This vulnerability is fixed in 4.10.2 and 5.5.3.

VCID-dnc5-bagp-wfgm
  Aliases: CVE-2026-29173, GHSA-mqxf-2998-c6cp
  Summary: Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. This vulnerability is fixed in 4.10.2 and 5.5.3.

VCID-wk8c-81g9-juh9
  Aliases: CVE-2026-29175, GHSA-cfpv-rmpf-f624
  Summary: Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Stored XSS vulnerabilities exist in the Commerce Inventory page. The Product Title, Variant Title, and Variant SKU fields are rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript when any user (including administrators) views the inventory management page. This vulnerability is fixed in 5.5.3.

VCID-y7ud-n1vc-ckc5
  Aliases: CVE-2026-29176, GHSA-wj89-2385-gpx3
  Summary: Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, a stored XSS vulnerability exists in the Commerce Settings - Inventory Locations page. The Name field is rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript. This XSS triggers when an administrator (or user with product editing permissions) creates or edits a variant product. This vulnerability is fixed in 5.5.3.
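The two SQL injection entries above (VCID-7mwe-pr8b-27b9 and VCID-6ut7-kdwm-zubh) describe the same class of bug in two shapes: a "column|direction" string whose column half becomes an orderBy() array key, and a sort[0][sortField] / sort[0][direction] pair concatenated into addOrderBy(). The following is an added example, not code from Craft Commerce or Yii: it models both vulnerable patterns as the advisories describe them and the allowlist resolver that closes both. It runs stand-alone under PHP 8 without Yii installed and never touches a database; the column names in SORTABLE_COLUMNS are assumed for illustration, not Craft Commerce's real schema.

```php
<?php
// Added example (not Craft Commerce or Yii code). Models the sort-handling
// flaws described in GHSA-j3x5-mghf-xvfw and GHSA-pmgj-gmm4-jh6j and the
// allowlist fix. SORT_ASC / SORT_DESC are PHP's built-in constants, which is
// also what Yii's Query::orderBy() expects as array values.
declare(strict_types=1);

/** Public sort keys a client may send, mapped to fixed column identifiers (assumed names). */
const SORTABLE_COLUMNS = [
    'title' => 'elements_sites.title',
    'sku'   => 'commerce_purchasables.sku',
    'price' => 'commerce_purchasables.price',
];

/**
 * Vulnerable pattern 1 (purchasables endpoint): the text before "|" becomes
 * the orderBy() array KEY. The key is treated as a column expression, not a
 * bound parameter, so whatever the client sent reaches the ORDER BY clause.
 */
function unsafeOrderByFromPipe(string $sort): array
{
    [$column, $direction] = array_pad(explode('|', $sort, 2), 2, 'asc');
    return [$column => strtolower($direction) === 'desc' ? SORT_DESC : SORT_ASC];
}

/**
 * Vulnerable pattern 2 (inventory levels endpoint): sortField and direction
 * are concatenated straight into the string handed to addOrderBy().
 */
function unsafeOrderByFromArray(array $sort): string
{
    return $sort[0]['sortField'] . ' ' . $sort[0]['direction'];
}

/**
 * Hardened resolver shared by both endpoints: the column must be a key of the
 * allowlist (the client never chooses the real identifier) and the direction
 * must map to a SORT_* constant; anything else is rejected before any query
 * object is built.
 */
function resolveSort(string $column, string $direction): array
{
    if (!array_key_exists($column, SORTABLE_COLUMNS)) {
        throw new InvalidArgumentException("Unknown sort column: $column");
    }
    $dir = match (strtolower($direction)) {
        'asc'   => SORT_ASC,
        'desc'  => SORT_DESC,
        default => throw new InvalidArgumentException("Invalid sort direction: $direction"),
    };
    return [SORTABLE_COLUMNS[$column] => $dir];
}

function safeOrderByFromPipe(string $sort): array
{
    [$column, $direction] = array_pad(explode('|', $sort, 2), 2, 'asc');
    return resolveSort($column, $direction);
}

function safeOrderByFromArray(array $sort): array
{
    return resolveSort(
        (string) ($sort[0]['sortField'] ?? ''),
        (string) ($sort[0]['direction'] ?? 'asc')
    );
}

// Constructed request values; nothing below executes SQL.
$hostilePipe  = '(SELECT 1)|asc';                                        // any expression the client likes
$hostileArray = [['sortField' => 'sku, (SELECT 1)', 'direction' => 'asc']];

var_dump(unsafeOrderByFromPipe($hostilePipe));     // the raw text is the array key
var_dump(unsafeOrderByFromArray($hostileArray));   // the raw text is the ORDER BY string
var_dump(safeOrderByFromPipe('sku|desc'));         // allowlisted column, SORT_DESC
var_dump(safeOrderByFromArray([['sortField' => 'price', 'direction' => 'asc']]));

foreach ([fn() => safeOrderByFromPipe($hostilePipe), fn() => safeOrderByFromArray($hostileArray)] as $attempt) {
    try {
        $attempt();
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;   // hostile input never reaches a query
    }
}
```

The design point is that the client-supplied value is used only as a lookup key, never as the identifier itself: even a validated string that happens to be a legal column name is replaced by the allowlist's own constant, so there is nothing to quote. The same resolver can back both the pipe-delimited and the nested-array request shapes, which is why one allowlist suffices for both advisories.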

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-11T20:38:32.813596+00:00 GHSA Importer Fixing VCID-8wtv-3a2u-efhn https://github.com/advisories/GHSA-mj32-r678-7mvp 38.6.0
2026-06-11T20:38:32.795489+00:00 GHSA Importer Fixing VCID-y7ud-n1vc-ckc5 https://github.com/advisories/GHSA-wj89-2385-gpx3 38.6.0
2026-06-11T20:38:32.777554+00:00 GHSA Importer Fixing VCID-wk8c-81g9-juh9 https://github.com/advisories/GHSA-cfpv-rmpf-f624 38.6.0
2026-06-11T20:38:32.758360+00:00 GHSA Importer Fixing VCID-6ut7-kdwm-zubh https://github.com/advisories/GHSA-pmgj-gmm4-jh6j 38.6.0
2026-06-11T20:38:32.738990+00:00 GHSA Importer Fixing VCID-dnc5-bagp-wfgm https://github.com/advisories/GHSA-mqxf-2998-c6cp 38.6.0
2026-06-11T20:38:32.704092+00:00 GHSA Importer Fixing VCID-7mwe-pr8b-27b9 https://github.com/advisories/GHSA-j3x5-mghf-xvfw 38.6.0