Lookup for vulnerable packages by Package URL.

Purl pkg:composer/craftcms/commerce@5.1.0-beta.3
Type composer
Namespace craftcms
Name commerce
Version 5.1.0-beta.3
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 5.6.0
Latest_non_vulnerable_version 5.6.0
Affected_by_vulnerabilities
0
url VCID-1aw3-g7fu-cqhq
vulnerability_id VCID-1aw3-g7fu-cqhq
summary
Craft Commerce has stored XSS in Craft Commerce Order Details Slideout
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the **Shipping Method Name**, **Order Reference**, or **Site Name**. When a user opens the order details slideout via a double-click on the order index page, the injected payload executes.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-29177
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.02459
published_at 2026-06-07T12:55:00Z
1
value 0.00014
scoring_system epss
scoring_elements 0.02403
published_at 2026-06-09T12:55:00Z
2
value 0.00014
scoring_system epss
scoring_elements 0.02443
published_at 2026-06-08T12:55:00Z
3
value 0.00014
scoring_system epss
scoring_elements 0.02517
published_at 2026-06-06T12:55:00Z
4
value 0.00014
scoring_system epss
scoring_elements 0.02515
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-29177
1
reference_url https://github.com/craftcms/commerce
reference_id
reference_type
scores
0
value 1.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/commerce
2
reference_url https://github.com/craftcms/commerce/commit/b0683e04773f16bba6af9df18aab495fc5dde68a
reference_id
reference_type
scores
0
value 1.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:07:59Z/
url https://github.com/craftcms/commerce/commit/b0683e04773f16bba6af9df18aab495fc5dde68a
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-29177
reference_id CVE-2026-29177
reference_type
scores
0
value 1.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-29177
4
reference_url https://github.com/advisories/GHSA-mj32-r678-7mvp
reference_id GHSA-mj32-r678-7mvp
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mj32-r678-7mvp
5
reference_url https://github.com/craftcms/commerce/security/advisories/GHSA-mj32-r678-7mvp
reference_id GHSA-mj32-r678-7mvp
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 1.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:07:59Z/
url https://github.com/craftcms/commerce/security/advisories/GHSA-mj32-r678-7mvp
fixed_packages
0
url pkg:composer/craftcms/commerce@5.5.3
purl pkg:composer/craftcms/commerce@5.5.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-d2vn-69x5-77e3
1
vulnerability VCID-df4p-6796-9beh
2
vulnerability VCID-mq6x-g8rw-ebck
3
vulnerability VCID-ungn-7sen-17cg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.3
aliases CVE-2026-29177, GHSA-mj32-r678-7mvp
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1aw3-g7fu-cqhq
1
url VCID-1xrw-7mm9-6bgv
vulnerability_id VCID-1xrw-7mm9-6bgv
summary
Craft Commerce has multiple Stored XSS in Commerce Inventory Page, Leading to Session Hijacking
Stored XSS vulnerabilities exist in the Commerce Inventory page. The **Product Title**, **Variant Title**, and **Variant SKU** fields are rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript when any user (including administrators) views the inventory management page.

This vulnerability enables **session hijacking** by fetching the PHP Info utility page, which displays unmasked session cookies. Unlike other XSS chains that require elevated sessions, this attack provides instant access to the victim’s session - no additional user interaction or elevated session approval required.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-29175
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.02823
published_at 2026-06-07T12:55:00Z
1
value 0.00014
scoring_system epss
scoring_elements 0.02775
published_at 2026-06-09T12:55:00Z
2
value 0.00014
scoring_system epss
scoring_elements 0.02807
published_at 2026-06-08T12:55:00Z
3
value 0.00014
scoring_system epss
scoring_elements 0.02876
published_at 2026-06-06T12:55:00Z
4
value 0.00014
scoring_system epss
scoring_elements 0.02869
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-29175
1
reference_url https://github.com/craftcms/commerce
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/commerce
2
reference_url https://github.com/craftcms/commerce/commit/9f0638a4fb29ed8295a463385a7cc49ec986e33a
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-11T14:11:05Z/
url https://github.com/craftcms/commerce/commit/9f0638a4fb29ed8295a463385a7cc49ec986e33a
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-29175
reference_id CVE-2026-29175
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-29175
4
reference_url https://github.com/advisories/GHSA-cfpv-rmpf-f624
reference_id GHSA-cfpv-rmpf-f624
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-cfpv-rmpf-f624
5
reference_url https://github.com/craftcms/commerce/security/advisories/GHSA-cfpv-rmpf-f624
reference_id GHSA-cfpv-rmpf-f624
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-11T14:11:05Z/
url https://github.com/craftcms/commerce/security/advisories/GHSA-cfpv-rmpf-f624
fixed_packages
0
url pkg:composer/craftcms/commerce@5.5.3
purl pkg:composer/craftcms/commerce@5.5.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-d2vn-69x5-77e3
1
vulnerability VCID-df4p-6796-9beh
2
vulnerability VCID-mq6x-g8rw-ebck
3
vulnerability VCID-ungn-7sen-17cg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.3
aliases CVE-2026-29175, GHSA-cfpv-rmpf-f624
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1xrw-7mm9-6bgv
2
url VCID-33k1-1cba-7uah
vulnerability_id VCID-33k1-1cba-7uah
summary
Craft Commerce has Stored XSS via Order Status Message with potential database exfiltration
A stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the `|md` filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes.

Users are recommended to update to the patched 5.5.2 release to mitigate the issue.

---
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25483
reference_id
reference_type
scores
0
value 0.00018
scoring_system epss
scoring_elements 0.04734
published_at 2026-06-07T12:55:00Z
1
value 0.00018
scoring_system epss
scoring_elements 0.04719
published_at 2026-06-09T12:55:00Z
2
value 0.00018
scoring_system epss
scoring_elements 0.04696
published_at 2026-06-08T12:55:00Z
3
value 0.00018
scoring_system epss
scoring_elements 0.04746
published_at 2026-06-06T12:55:00Z
4
value 0.00018
scoring_system epss
scoring_elements 0.04762
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25483
1
reference_url https://github.com/craftcms/commerce
reference_id
reference_type
scores
0
value 6.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/commerce
2
reference_url https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c
reference_id
reference_type
scores
0
value 6.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:22Z/
url https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c
3
reference_url https://github.com/craftcms/commerce/releases/tag/4.10.1
reference_id
reference_type
scores
0
value 6.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:22Z/
url https://github.com/craftcms/commerce/releases/tag/4.10.1
4
reference_url https://github.com/craftcms/commerce/releases/tag/5.5.2
reference_id
reference_type
scores
0
value 6.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:22Z/
url https://github.com/craftcms/commerce/releases/tag/5.5.2
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25483
reference_id CVE-2026-25483
reference_type
scores
0
value 6.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25483
6
reference_url https://github.com/advisories/GHSA-8478-rmjg-mjj5
reference_id GHSA-8478-rmjg-mjj5
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8478-rmjg-mjj5
7
reference_url https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5
reference_id GHSA-8478-rmjg-mjj5
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:22Z/
url https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5
fixed_packages
0
url pkg:composer/craftcms/commerce@5.5.2
purl pkg:composer/craftcms/commerce@5.5.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1aw3-g7fu-cqhq
1
vulnerability VCID-1xrw-7mm9-6bgv
2
vulnerability VCID-6cnk-bxvk-bqd5
3
vulnerability VCID-ce4y-92tx-93h3
4
vulnerability VCID-d2vn-69x5-77e3
5
vulnerability VCID-df4p-6796-9beh
6
vulnerability VCID-hacw-wce3-suf5
7
vulnerability VCID-mq6x-g8rw-ebck
8
vulnerability VCID-ungn-7sen-17cg
9
vulnerability VCID-vrav-rf43-pqba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2
aliases CVE-2026-25483, GHSA-8478-rmjg-mjj5
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-33k1-1cba-7uah
3
url VCID-6cnk-bxvk-bqd5
vulnerability_id VCID-6cnk-bxvk-bqd5
summary
Craft Commerce has stored XSS in Inventory Location Name
A stored XSS vulnerability exists in the Commerce Settings - Inventory Locations page. The **Name** field is rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript.

This XSS triggers when an administrator (or user with product editing permissions) creates or edits a variant product.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-29176
reference_id
reference_type
scores
0
value 0.0001
scoring_system epss
scoring_elements 0.012
published_at 2026-06-08T12:55:00Z
1
value 0.0001
scoring_system epss
scoring_elements 0.01204
published_at 2026-06-07T12:55:00Z
2
value 0.0001
scoring_system epss
scoring_elements 0.01202
published_at 2026-06-06T12:55:00Z
3
value 0.0001
scoring_system epss
scoring_elements 0.01203
published_at 2026-06-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-29176
1
reference_url https://github.com/craftcms/commerce
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/commerce
2
reference_url https://github.com/craftcms/commerce/commit/da143df084563ddf0929d7c261bcc11d312e8004
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:07:48Z/
url https://github.com/craftcms/commerce/commit/da143df084563ddf0929d7c261bcc11d312e8004
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-29176
reference_id CVE-2026-29176
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-29176
4
reference_url https://github.com/advisories/GHSA-wj89-2385-gpx3
reference_id GHSA-wj89-2385-gpx3
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-wj89-2385-gpx3
5
reference_url https://github.com/craftcms/commerce/security/advisories/GHSA-wj89-2385-gpx3
reference_id GHSA-wj89-2385-gpx3
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:07:48Z/
url https://github.com/craftcms/commerce/security/advisories/GHSA-wj89-2385-gpx3
fixed_packages
0
url pkg:composer/craftcms/commerce@5.5.3
purl pkg:composer/craftcms/commerce@5.5.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-d2vn-69x5-77e3
1
vulnerability VCID-df4p-6796-9beh
2
vulnerability VCID-mq6x-g8rw-ebck
3
vulnerability VCID-ungn-7sen-17cg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.3
aliases CVE-2026-29176, GHSA-wj89-2385-gpx3
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6cnk-bxvk-bqd5
4
url VCID-ce4y-92tx-93h3
vulnerability_id VCID-ce4y-92tx-93h3
summary
Craft Commerce is Vulnerable to Stored XSS while updating Order Status from Orders Table
A stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur.

---
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-29173
reference_id
reference_type
scores
0
value 0.00018
scoring_system epss
scoring_elements 0.05108
published_at 2026-06-08T12:55:00Z
1
value 0.00018
scoring_system epss
scoring_elements 0.05146
published_at 2026-06-07T12:55:00Z
2
value 0.00018
scoring_system epss
scoring_elements 0.05151
published_at 2026-06-09T12:55:00Z
3
value 0.00018
scoring_system epss
scoring_elements 0.05165
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-29173
1
reference_url https://github.com/craftcms/commerce
reference_id
reference_type
scores
0
value 1.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/commerce
2
reference_url https://github.com/craftcms/commerce/commit/60cdc505c03b6fa2f59715e8c060114b66334afa
reference_id
reference_type
scores
0
value 1.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P
1
value 1.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:09:40Z/
url https://github.com/craftcms/commerce/commit/60cdc505c03b6fa2f59715e8c060114b66334afa
3
reference_url https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b
reference_id
reference_type
scores
0
value 1.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value 1.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:09:40Z/
url https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-29173
reference_id CVE-2026-29173
reference_type
scores
0
value 1.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-29173
5
reference_url https://github.com/advisories/GHSA-mqxf-2998-c6cp
reference_id GHSA-mqxf-2998-c6cp
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mqxf-2998-c6cp
6
reference_url https://github.com/craftcms/commerce/security/advisories/GHSA-mqxf-2998-c6cp
reference_id GHSA-mqxf-2998-c6cp
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 1.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P
2
value 1.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:09:40Z/
url https://github.com/craftcms/commerce/security/advisories/GHSA-mqxf-2998-c6cp
fixed_packages
0
url pkg:composer/craftcms/commerce@5.5.3
purl pkg:composer/craftcms/commerce@5.5.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-d2vn-69x5-77e3
1
vulnerability VCID-df4p-6796-9beh
2
vulnerability VCID-mq6x-g8rw-ebck
3
vulnerability VCID-ungn-7sen-17cg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.3
aliases CVE-2026-29173, GHSA-mqxf-2998-c6cp
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ce4y-92tx-93h3
5
url VCID-d2vn-69x5-77e3
vulnerability_id VCID-d2vn-69x5-77e3
summary
Craft Commerce has a SQL Injection that can lead to Remote Code Execution via the TotalRevenue Widget
## Summary

A SQL injection in the Commerce TotalRevenue widget can lead to remote code execution through a chain of four vulnerabilities:

* SQL Injection -- The TotalRevenue stat interpolates unsanitized widget settings directly into a sprintf-based SQL expression. Any control panel user can create any widget type without permission checks.

* PDO Multi-Statement Queries -- PHP `PDO MySQL` enables `CLIENT_MULTI_STATEMENTS` by default. Neither Yii2 nor Craft CMS disables it. This allows stacking an INSERT statement after the injected SELECT, writing a maliciously serialized PHP object into the queue table.

* Unrestricted `unserialize()` -- The yii2-queue PhpSerializer calls `unserialize()` with no allowed_classes restriction on every queue job. When the queue consumer processes the injected job, it instantiates the attacker-controlled object.

* Gadget Chain (FileCookieJar) -- `GuzzleHttp\Cookie\FileCookieJar` (a standard Guzzle dependency) has an unguarded `__destruct()` method that calls `file_put_contents()`. The attacker’s serialized payload writes a PHP webshell to the server’s webroot. PHP tags survive `json_encode()` because Guzzle uses `options=0` (no `JSON_HEX_TAG`).

The complete chain requires 3 HTTP requests and achieves arbitrary command execution as the PHP process user. Queue processing is triggered via GET `/actions/queue/run`, an endpoint that requires no authentication (`$allowAnonymous = ['run']`).

## RCE Exploitation Steps

* Authenticate as any control panel user
* POST to `/admin/actions/dashboard/create-widget` with stacked SQL injection:
* `settings[type]` contains the stacked INSERT with the serialized gadget chain
* Response: HTTP 500 (expected -- INSERT already committed)
* Trigger queue processing: `GET /actions/queue/run`
* Queue consumer deserializes the gadget chain
* `FileCookieJar::__destruct()` writes webshell to webroot
* Access the webshell: `GET /poc_rce.php?c=id`
* Response: `uid=1000(home) gid=1000(home) groups=1000(home)`
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-32271
reference_id
reference_type
scores
0
value 0.0008
scoring_system epss
scoring_elements 0.23736
published_at 2026-06-05T12:55:00Z
1
value 0.0008
scoring_system epss
scoring_elements 0.23627
published_at 2026-06-09T12:55:00Z
2
value 0.0008
scoring_system epss
scoring_elements 0.23621
published_at 2026-06-08T12:55:00Z
3
value 0.0008
scoring_system epss
scoring_elements 0.23675
published_at 2026-06-07T12:55:00Z
4
value 0.0008
scoring_system epss
scoring_elements 0.23721
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-32271
1
reference_url https://github.com/craftcms/commerce
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/commerce
2
reference_url https://github.com/craftcms/commerce/commit/6d2d24b3a2b0c06593856d05446f82bd8af92d72
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-16T13:21:36Z/
url https://github.com/craftcms/commerce/commit/6d2d24b3a2b0c06593856d05446f82bd8af92d72
3
reference_url https://github.com/craftcms/commerce/security/advisories/GHSA-875v-7m49-8x88
reference_id
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-16T13:21:36Z/
url https://github.com/craftcms/commerce/security/advisories/GHSA-875v-7m49-8x88
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-32271
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-32271
5
reference_url https://github.com/advisories/GHSA-875v-7m49-8x88
reference_id GHSA-875v-7m49-8x88
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-875v-7m49-8x88
fixed_packages
0
url pkg:composer/craftcms/commerce@5.5.5
purl pkg:composer/craftcms/commerce@5.5.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.5
1
url pkg:composer/craftcms/commerce@5.6.0
purl pkg:composer/craftcms/commerce@5.6.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.6.0
aliases CVE-2026-32271, GHSA-875v-7m49-8x88
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-d2vn-69x5-77e3
6
url VCID-df4p-6796-9beh
vulnerability_id VCID-df4p-6796-9beh
summary
Craft Commerce hasVariant/hasProduct Blind SQL Injection
## Overview

Craft Commerce’s `ProductQuery::hasVariant` and `VariantQuery::hasProduct` properties bypass the `unset()` blocklist added to `ElementIndexesController` in GHSA-2453-mppf-46cj.

The blocklist only strips top-level Yii2 Query properties (`where`, `orderBy`, etc.), but `hasVariant` and `hasProduct` pass through untouched. Internally, these properties call `Craft::configure()` on a subquery without sanitization, re-introducing SQL injection via `criteria[hasVariant][where]=INJECTED_SQL`.

An authenticated control panel user can perform boolean-based blind SQL injection through the patched `ElementIndexesController` and extract arbitrary database contents.

## Impact

* Full database read access via blind SQL injection
* Privilege escalation via security key extraction → forged admin sessions

## Prerequisites
* Authenticated control panel user
* Commerce plugin installed
* Products with variants in the database
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-32272
reference_id
reference_type
scores
0
value 0.00039
scoring_system epss
scoring_elements 0.11895
published_at 2026-06-09T12:55:00Z
1
value 0.00039
scoring_system epss
scoring_elements 0.11884
published_at 2026-06-08T12:55:00Z
2
value 0.00039
scoring_system epss
scoring_elements 0.11958
published_at 2026-06-07T12:55:00Z
3
value 0.00039
scoring_system epss
scoring_elements 0.11996
published_at 2026-06-06T12:55:00Z
4
value 0.00039
scoring_system epss
scoring_elements 0.12001
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-32272
1
reference_url https://github.com/craftcms/commerce
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/commerce
2
reference_url https://github.com/craftcms/commerce/pull/4232
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-14T15:28:46Z/
url https://github.com/craftcms/commerce/pull/4232
3
reference_url https://github.com/craftcms/commerce/releases/tag/5.6.0
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-14T15:28:46Z/
url https://github.com/craftcms/commerce/releases/tag/5.6.0
4
reference_url https://github.com/craftcms/commerce/security/advisories/GHSA-r54v-qq87-px5r
reference_id
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-14T15:28:46Z/
url https://github.com/craftcms/commerce/security/advisories/GHSA-r54v-qq87-px5r
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-32272
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-32272
6
reference_url https://github.com/advisories/GHSA-2453-mppf-46cj
reference_id GHSA-2453-mppf-46cj
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-14T15:28:46Z/
url https://github.com/advisories/GHSA-2453-mppf-46cj
7
reference_url https://github.com/advisories/GHSA-r54v-qq87-px5r
reference_id GHSA-r54v-qq87-px5r
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-r54v-qq87-px5r
fixed_packages
0
url pkg:composer/craftcms/commerce@5.6.0
purl pkg:composer/craftcms/commerce@5.6.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.6.0
aliases CVE-2026-32272, GHSA-r54v-qq87-px5r
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-df4p-6796-9beh
7
url VCID-fjsf-jw9z-puac
vulnerability_id VCID-fjsf-jw9z-puac
summary
Craft Commerce has Stored XSS in Product Type Name
Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings.

The vulnerable input (source) is in Commerce (Product Type settings), but the sink is in CMS user permissions settings. Reporting to Commerce GHSA since the input originates here.

Users are recommended to update to the patched 5.5.2 release to mitigate the issue.

---
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25484
reference_id
reference_type
scores
0
value 0.00019
scoring_system epss
scoring_elements 0.05548
published_at 2026-06-09T12:55:00Z
1
value 0.00019
scoring_system epss
scoring_elements 0.05504
published_at 2026-06-08T12:55:00Z
2
value 0.00019
scoring_system epss
scoring_elements 0.05545
published_at 2026-06-07T12:55:00Z
3
value 0.00019
scoring_system epss
scoring_elements 0.05562
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25484
1
reference_url https://github.com/craftcms/commerce
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/commerce
2
reference_url https://github.com/craftcms/commerce/commit/7e1dedf06038c8e70dce0187b7048d4ab8ffb75c
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:19Z/
url https://github.com/craftcms/commerce/commit/7e1dedf06038c8e70dce0187b7048d4ab8ffb75c
3
reference_url https://github.com/craftcms/commerce/releases/tag/4.10.1
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:19Z/
url https://github.com/craftcms/commerce/releases/tag/4.10.1
4
reference_url https://github.com/craftcms/commerce/releases/tag/5.5.2
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:19Z/
url https://github.com/craftcms/commerce/releases/tag/5.5.2
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25484
reference_id CVE-2026-25484
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25484
6
reference_url https://github.com/advisories/GHSA-2h2m-v2mg-656c
reference_id GHSA-2h2m-v2mg-656c
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2h2m-v2mg-656c
7
reference_url https://github.com/craftcms/commerce/security/advisories/GHSA-2h2m-v2mg-656c
reference_id GHSA-2h2m-v2mg-656c
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:19Z/
url https://github.com/craftcms/commerce/security/advisories/GHSA-2h2m-v2mg-656c
fixed_packages
0
url pkg:composer/craftcms/commerce@5.5.2
purl pkg:composer/craftcms/commerce@5.5.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1aw3-g7fu-cqhq
1
vulnerability VCID-1xrw-7mm9-6bgv
2
vulnerability VCID-6cnk-bxvk-bqd5
3
vulnerability VCID-ce4y-92tx-93h3
4
vulnerability VCID-d2vn-69x5-77e3
5
vulnerability VCID-df4p-6796-9beh
6
vulnerability VCID-hacw-wce3-suf5
7
vulnerability VCID-mq6x-g8rw-ebck
8
vulnerability VCID-ungn-7sen-17cg
9
vulnerability VCID-vrav-rf43-pqba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2
aliases CVE-2026-25484, GHSA-2h2m-v2mg-656c
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fjsf-jw9z-puac
8
url VCID-hacw-wce3-suf5
vulnerability_id VCID-hacw-wce3-suf5
summary
Craft Commerce is Vulnerable to SQL Injection in Commerce Purchasables Table Sorting
Craft Commerce is vulnerable to **SQL Injection** in the purchasables table endpoint. The `sort` parameter is split by `|` and the first part (column name) is passed directly as an array key to `orderBy()` without `whitelist` validation. Yii2's query builder does **NOT** escape array keys, allowing an authenticated attacker to inject arbitrary SQL into the `ORDER BY` clause.

---
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-29172
reference_id
reference_type
scores
0
value 0.00015
scoring_system epss
scoring_elements 0.031
published_at 2026-06-09T12:55:00Z
1
value 0.00015
scoring_system epss
scoring_elements 0.03126
published_at 2026-06-08T12:55:00Z
2
value 0.00015
scoring_system epss
scoring_elements 0.03144
published_at 2026-06-07T12:55:00Z
3
value 0.00015
scoring_system epss
scoring_elements 0.03192
published_at 2026-06-06T12:55:00Z
4
value 0.00015
scoring_system epss
scoring_elements 0.03183
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-29172
1
reference_url https://github.com/craftcms/commerce
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/commerce
2
reference_url https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-11T14:12:47Z/
url https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276
3
reference_url https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-11T14:12:47Z/
url https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-29172
reference_id CVE-2026-29172
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-29172
5
reference_url https://github.com/advisories/GHSA-j3x5-mghf-xvfw
reference_id GHSA-j3x5-mghf-xvfw
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-j3x5-mghf-xvfw
6
reference_url https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw
reference_id GHSA-j3x5-mghf-xvfw
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-11T14:12:47Z/
url https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw
fixed_packages
0
url pkg:composer/craftcms/commerce@5.5.3
purl pkg:composer/craftcms/commerce@5.5.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-d2vn-69x5-77e3
1
vulnerability VCID-df4p-6796-9beh
2
vulnerability VCID-mq6x-g8rw-ebck
3
vulnerability VCID-ungn-7sen-17cg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.3
aliases CVE-2026-29172, GHSA-j3x5-mghf-xvfw
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hacw-wce3-suf5
9
url VCID-mq6x-g8rw-ebck
vulnerability_id VCID-mq6x-g8rw-ebck
summary
Craft Commerce: Potential IDOR in Commerce carts
An Insecure Direct Object Reference (IDOR) vulnerability exists in Craft Commerce’s cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character number. This vulnerability enables the takeover of shopping sessions and potential exposure of PII.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-31867
reference_id
reference_type
scores
0
value 0.00072
scoring_system epss
scoring_elements 0.21977
published_at 2026-06-07T12:55:00Z
1
value 0.00072
scoring_system epss
scoring_elements 0.21931
published_at 2026-06-09T12:55:00Z
2
value 0.00072
scoring_system epss
scoring_elements 0.2192
published_at 2026-06-08T12:55:00Z
3
value 0.00072
scoring_system epss
scoring_elements 0.22025
published_at 2026-06-06T12:55:00Z
4
value 0.00072
scoring_system epss
scoring_elements 0.22039
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-31867
1
reference_url https://github.com/craftcms/commerce
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/commerce
2
reference_url https://github.com/craftcms/commerce/pull/4207
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T13:49:40Z/
url https://github.com/craftcms/commerce/pull/4207
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-31867
reference_id CVE-2026-31867
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-31867
4
reference_url https://github.com/advisories/GHSA-vff3-pqq8-4cpq
reference_id GHSA-vff3-pqq8-4cpq
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vff3-pqq8-4cpq
5
reference_url https://github.com/craftcms/commerce/security/advisories/GHSA-vff3-pqq8-4cpq
reference_id GHSA-vff3-pqq8-4cpq
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T13:49:40Z/
url https://github.com/craftcms/commerce/security/advisories/GHSA-vff3-pqq8-4cpq
fixed_packages
0
url pkg:composer/craftcms/commerce@5.6.0
purl pkg:composer/craftcms/commerce@5.6.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.6.0
aliases CVE-2026-31867, GHSA-vff3-pqq8-4cpq
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mq6x-g8rw-ebck
10
url VCID-n9wn-yadg-1bbs
vulnerability_id VCID-n9wn-yadg-1bbs
summary
Craft Commerce has Stored XSS in Shipping Zone (Name & Description) Fields Leading to Potential Privilege Escalation
A stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Zone (Name & Description) fields in the **Store Management** section are not properly sanitized before being displayed in the admin panel.

---
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25522
reference_id
reference_type
scores
0
value 0.00034
scoring_system epss
scoring_elements 0.10306
published_at 2026-06-07T12:55:00Z
1
value 0.00034
scoring_system epss
scoring_elements 0.10329
published_at 2026-06-05T12:55:00Z
2
value 0.00034
scoring_system epss
scoring_elements 0.10252
published_at 2026-06-09T12:55:00Z
3
value 0.00034
scoring_system epss
scoring_elements 0.10222
published_at 2026-06-08T12:55:00Z
4
value 0.00034
scoring_system epss
scoring_elements 0.10349
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25522
1
reference_url https://github.com/craftcms/commerce
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/commerce
2
reference_url https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T19:22:16Z/
url https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
3
reference_url https://github.com/craftcms/commerce/releases/tag/4.10.1
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T19:22:16Z/
url https://github.com/craftcms/commerce/releases/tag/4.10.1
4
reference_url https://github.com/craftcms/commerce/releases/tag/5.5.2
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T19:22:16Z/
url https://github.com/craftcms/commerce/releases/tag/5.5.2
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25522
reference_id CVE-2026-25522
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25522
6
reference_url https://github.com/advisories/GHSA-h9r9-2pxg-cx9m
reference_id GHSA-h9r9-2pxg-cx9m
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-h9r9-2pxg-cx9m
7
reference_url https://github.com/craftcms/commerce/security/advisories/GHSA-h9r9-2pxg-cx9m
reference_id GHSA-h9r9-2pxg-cx9m
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T19:22:16Z/
url https://github.com/craftcms/commerce/security/advisories/GHSA-h9r9-2pxg-cx9m
fixed_packages
0
url pkg:composer/craftcms/commerce@5.5.2
purl pkg:composer/craftcms/commerce@5.5.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1aw3-g7fu-cqhq
1
vulnerability VCID-1xrw-7mm9-6bgv
2
vulnerability VCID-6cnk-bxvk-bqd5
3
vulnerability VCID-ce4y-92tx-93h3
4
vulnerability VCID-d2vn-69x5-77e3
5
vulnerability VCID-df4p-6796-9beh
6
vulnerability VCID-hacw-wce3-suf5
7
vulnerability VCID-mq6x-g8rw-ebck
8
vulnerability VCID-ungn-7sen-17cg
9
vulnerability VCID-vrav-rf43-pqba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2
aliases CVE-2026-25522, GHSA-h9r9-2pxg-cx9m
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n9wn-yadg-1bbs
11
url VCID-neek-y6ze-5yad
vulnerability_id VCID-neek-y6ze-5yad
summary
Craft Commerce has Stored DOM XSS in Order Status Name (Reflects in "Recent Orders" Dashboard Widget)
A stored DOM XSS vulnerability exists in the **"Recent Orders"** dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard.

Users are recommended to update to the patched 5.5.2 release to mitigate the issue.

---
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25482
reference_id
reference_type
scores
0
value 0.00029
scoring_system epss
scoring_elements 0.08785
published_at 2026-06-09T12:55:00Z
1
value 0.00029
scoring_system epss
scoring_elements 0.08743
published_at 2026-06-08T12:55:00Z
2
value 0.00029
scoring_system epss
scoring_elements 0.08789
published_at 2026-06-07T12:55:00Z
3
value 0.00029
scoring_system epss
scoring_elements 0.08808
published_at 2026-06-06T12:55:00Z
4
value 0.00029
scoring_system epss
scoring_elements 0.08792
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25482
1
reference_url https://github.com/craftcms/commerce
reference_id
reference_type
scores
0
value 6.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/commerce
2
reference_url https://github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935ba65
reference_id
reference_type
scores
0
value 6.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:23Z/
url https://github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935ba65
3
reference_url https://github.com/craftcms/commerce/releases/tag/4.10.1
reference_id
reference_type
scores
0
value 6.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:23Z/
url https://github.com/craftcms/commerce/releases/tag/4.10.1
4
reference_url https://github.com/craftcms/commerce/releases/tag/5.5.2
reference_id
reference_type
scores
0
value 6.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:23Z/
url https://github.com/craftcms/commerce/releases/tag/5.5.2
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25482
reference_id CVE-2026-25482
reference_type
scores
0
value 6.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25482
6
reference_url https://github.com/advisories/GHSA-frj9-9rwc-pw9j
reference_id GHSA-frj9-9rwc-pw9j
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-frj9-9rwc-pw9j
7
reference_url https://github.com/craftcms/commerce/security/advisories/GHSA-frj9-9rwc-pw9j
reference_id GHSA-frj9-9rwc-pw9j
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:23Z/
url https://github.com/craftcms/commerce/security/advisories/GHSA-frj9-9rwc-pw9j
fixed_packages
0
url pkg:composer/craftcms/commerce@5.5.2
purl pkg:composer/craftcms/commerce@5.5.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1aw3-g7fu-cqhq
1
vulnerability VCID-1xrw-7mm9-6bgv
2
vulnerability VCID-6cnk-bxvk-bqd5
3
vulnerability VCID-ce4y-92tx-93h3
4
vulnerability VCID-d2vn-69x5-77e3
5
vulnerability VCID-df4p-6796-9beh
6
vulnerability VCID-hacw-wce3-suf5
7
vulnerability VCID-mq6x-g8rw-ebck
8
vulnerability VCID-ungn-7sen-17cg
9
vulnerability VCID-vrav-rf43-pqba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2
aliases CVE-2026-25482, GHSA-frj9-9rwc-pw9j
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-neek-y6ze-5yad
12
url VCID-nr33-778p-6kfg
vulnerability_id VCID-nr33-778p-6kfg
summary
Craft Commerce has Stored XSS in Shipping Methods Name Field Leading to Potential Privilege Escalation
A stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Methods Name field in the **Store Management** section is not properly sanitized before being displayed in the admin panel.

---
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25486
reference_id
reference_type
scores
0
value 0.00024
scoring_system epss
scoring_elements 0.06933
published_at 2026-06-08T12:55:00Z
1
value 0.00024
scoring_system epss
scoring_elements 0.06979
published_at 2026-06-05T12:55:00Z
2
value 0.00024
scoring_system epss
scoring_elements 0.06941
published_at 2026-06-09T12:55:00Z
3
value 0.00024
scoring_system epss
scoring_elements 0.06984
published_at 2026-06-06T12:55:00Z
4
value 0.00024
scoring_system epss
scoring_elements 0.0697
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25486
1
reference_url https://github.com/craftcms/commerce
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/commerce
2
reference_url https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:10:07Z/
url https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
3
reference_url https://github.com/craftcms/commerce/releases/tag/5.5.2
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:10:07Z/
url https://github.com/craftcms/commerce/releases/tag/5.5.2
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25486
reference_id CVE-2026-25486
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25486
5
reference_url https://github.com/advisories/GHSA-g92v-wpv7-6w22
reference_id GHSA-g92v-wpv7-6w22
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-g92v-wpv7-6w22
6
reference_url https://github.com/craftcms/commerce/security/advisories/GHSA-g92v-wpv7-6w22
reference_id GHSA-g92v-wpv7-6w22
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:10:07Z/
url https://github.com/craftcms/commerce/security/advisories/GHSA-g92v-wpv7-6w22
fixed_packages
0
url pkg:composer/craftcms/commerce@5.5.2
purl pkg:composer/craftcms/commerce@5.5.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1aw3-g7fu-cqhq
1
vulnerability VCID-1xrw-7mm9-6bgv
2
vulnerability VCID-6cnk-bxvk-bqd5
3
vulnerability VCID-ce4y-92tx-93h3
4
vulnerability VCID-d2vn-69x5-77e3
5
vulnerability VCID-df4p-6796-9beh
6
vulnerability VCID-hacw-wce3-suf5
7
vulnerability VCID-mq6x-g8rw-ebck
8
vulnerability VCID-ungn-7sen-17cg
9
vulnerability VCID-vrav-rf43-pqba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2
aliases CVE-2026-25486, GHSA-g92v-wpv7-6w22
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nr33-778p-6kfg
13
url VCID-tedj-1vqg-nkfc
vulnerability_id VCID-tedj-1vqg-nkfc
summary
Craft Commerce has Stored XSS in Inventory Location Address Leading to Potential Privilege Escalation
A stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the 'Address Line 1' field in Inventory Locations is not properly sanitized before being displayed in the admin panel.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25490
reference_id
reference_type
scores
0
value 0.00025
scoring_system epss
scoring_elements 0.07483
published_at 2026-06-07T12:55:00Z
1
value 0.00025
scoring_system epss
scoring_elements 0.07498
published_at 2026-06-05T12:55:00Z
2
value 0.00025
scoring_system epss
scoring_elements 0.07448
published_at 2026-06-09T12:55:00Z
3
value 0.00025
scoring_system epss
scoring_elements 0.07437
published_at 2026-06-08T12:55:00Z
4
value 0.00025
scoring_system epss
scoring_elements 0.07505
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25490
1
reference_url https://github.com/craftcms/commerce
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/commerce
2
reference_url https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:25:17Z/
url https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
3
reference_url https://github.com/craftcms/commerce/releases/tag/4.10.1
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:25:17Z/
url https://github.com/craftcms/commerce/releases/tag/4.10.1
4
reference_url https://github.com/craftcms/commerce/releases/tag/5.5.2
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:25:17Z/
url https://github.com/craftcms/commerce/releases/tag/5.5.2
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25490
reference_id CVE-2026-25490
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25490
6
reference_url https://github.com/advisories/GHSA-wq2m-r96q-crrf
reference_id GHSA-wq2m-r96q-crrf
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-wq2m-r96q-crrf
7
reference_url https://github.com/craftcms/commerce/security/advisories/GHSA-wq2m-r96q-crrf
reference_id GHSA-wq2m-r96q-crrf
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:25:17Z/
url https://github.com/craftcms/commerce/security/advisories/GHSA-wq2m-r96q-crrf
fixed_packages
0
url pkg:composer/craftcms/commerce@5.5.2
purl pkg:composer/craftcms/commerce@5.5.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1aw3-g7fu-cqhq
1
vulnerability VCID-1xrw-7mm9-6bgv
2
vulnerability VCID-6cnk-bxvk-bqd5
3
vulnerability VCID-ce4y-92tx-93h3
4
vulnerability VCID-d2vn-69x5-77e3
5
vulnerability VCID-df4p-6796-9beh
6
vulnerability VCID-hacw-wce3-suf5
7
vulnerability VCID-mq6x-g8rw-ebck
8
vulnerability VCID-ungn-7sen-17cg
9
vulnerability VCID-vrav-rf43-pqba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2
aliases CVE-2026-25490, GHSA-wq2m-r96q-crrf
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tedj-1vqg-nkfc
14
url VCID-u5z2-9z44-8kd8
vulnerability_id VCID-u5z2-9z44-8kd8
summary
Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation
A stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the **Store Management** section is not properly sanitized before being displayed in the admin panel.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25487
reference_id
reference_type
scores
0
value 0.00025
scoring_system epss
scoring_elements 0.07483
published_at 2026-06-07T12:55:00Z
1
value 0.00025
scoring_system epss
scoring_elements 0.07498
published_at 2026-06-05T12:55:00Z
2
value 0.00025
scoring_system epss
scoring_elements 0.07448
published_at 2026-06-09T12:55:00Z
3
value 0.00025
scoring_system epss
scoring_elements 0.07437
published_at 2026-06-08T12:55:00Z
4
value 0.00025
scoring_system epss
scoring_elements 0.07505
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25487
1
reference_url https://github.com/craftcms/commerce
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/commerce
2
reference_url https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:06Z/
url https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
3
reference_url https://github.com/craftcms/commerce/releases/tag/4.10.1
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:06Z/
url https://github.com/craftcms/commerce/releases/tag/4.10.1
4
reference_url https://github.com/craftcms/commerce/releases/tag/5.5.2
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:06Z/
url https://github.com/craftcms/commerce/releases/tag/5.5.2
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25487
reference_id CVE-2026-25487
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25487
6
reference_url https://github.com/advisories/GHSA-wqc5-485v-3hqh
reference_id GHSA-wqc5-485v-3hqh
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-wqc5-485v-3hqh
7
reference_url https://github.com/craftcms/commerce/security/advisories/GHSA-wqc5-485v-3hqh
reference_id GHSA-wqc5-485v-3hqh
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:06Z/
url https://github.com/craftcms/commerce/security/advisories/GHSA-wqc5-485v-3hqh
fixed_packages
0
url pkg:composer/craftcms/commerce@5.5.2
purl pkg:composer/craftcms/commerce@5.5.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1aw3-g7fu-cqhq
1
vulnerability VCID-1xrw-7mm9-6bgv
2
vulnerability VCID-6cnk-bxvk-bqd5
3
vulnerability VCID-ce4y-92tx-93h3
4
vulnerability VCID-d2vn-69x5-77e3
5
vulnerability VCID-df4p-6796-9beh
6
vulnerability VCID-hacw-wce3-suf5
7
vulnerability VCID-mq6x-g8rw-ebck
8
vulnerability VCID-ungn-7sen-17cg
9
vulnerability VCID-vrav-rf43-pqba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2
aliases CVE-2026-25487, GHSA-wqc5-485v-3hqh
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-u5z2-9z44-8kd8
15
url VCID-ungn-7sen-17cg
vulnerability_id VCID-ungn-7sen-17cg
summary
Craft Commerce has an unauthenticated information disclosure that can leak some customer order data on anonymous payments
### Summary

`PaymentsController::actionPay` discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment.

The JSON error response includes the serialized order object (`order`), which contains some sensitive fields such as customer email, shipping address, and billing address.

### Details

I manually audited frontend payment flows and found that `actionPay()` retrieves orders by number before authorization is fully enforced.

Code path:

1. Load order by `number`.
2. Evaluate whether payment is authorized for completed orders (`number + matching email`).
3. If unauthorized, return failure.
4. Failure response still includes `cartArray($order)`, which serializes sensitive order data.

Why is this a vulnerability?

- Authorization logic says the requester is not allowed to pay for a completed order without an email.
- But the response still returns the same completed order’s contents.

### Impact

Type: Information Disclosure / Broken Access Control

Who is impacted:

- Any Commerce deployment where completed order numbers can be obtained or leaked.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-32270
reference_id
reference_type
scores
0
value 0.0009
scoring_system epss
scoring_elements 0.2554
published_at 2026-06-06T12:55:00Z
1
value 0.0009
scoring_system epss
scoring_elements 0.25437
published_at 2026-06-08T12:55:00Z
2
value 0.0009
scoring_system epss
scoring_elements 0.25496
published_at 2026-06-07T12:55:00Z
3
value 0.0009
scoring_system epss
scoring_elements 0.25446
published_at 2026-06-09T12:55:00Z
4
value 0.0009
scoring_system epss
scoring_elements 0.25553
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-32270
1
reference_url https://github.com/craftcms/commerce
reference_id
reference_type
scores
0
value 1.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/commerce
2
reference_url https://github.com/craftcms/commerce/commit/48a5d946419964e2af1ac64a8e1acc2a32ca0a08
reference_id
reference_type
scores
0
value 1.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value 1.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T15:24:48Z/
url https://github.com/craftcms/commerce/commit/48a5d946419964e2af1ac64a8e1acc2a32ca0a08
3
reference_url https://github.com/craftcms/commerce/releases/tag/4.11.0
reference_id
reference_type
scores
0
value 1.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value 1.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T15:24:48Z/
url https://github.com/craftcms/commerce/releases/tag/4.11.0
4
reference_url https://github.com/craftcms/commerce/releases/tag/5.6.0
reference_id
reference_type
scores
0
value 1.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value 1.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T15:24:48Z/
url https://github.com/craftcms/commerce/releases/tag/5.6.0
5
reference_url https://github.com/craftcms/commerce/security/advisories/GHSA-3vxg-x5f8-f5qf
reference_id
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 1.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
2
value 1.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T15:24:48Z/
url https://github.com/craftcms/commerce/security/advisories/GHSA-3vxg-x5f8-f5qf
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-32270
reference_id
reference_type
scores
0
value 1.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-32270
7
reference_url https://github.com/advisories/GHSA-3vxg-x5f8-f5qf
reference_id GHSA-3vxg-x5f8-f5qf
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3vxg-x5f8-f5qf
fixed_packages
0
url pkg:composer/craftcms/commerce@5.6.0
purl pkg:composer/craftcms/commerce@5.6.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.6.0
aliases CVE-2026-32270, GHSA-3vxg-x5f8-f5qf
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ungn-7sen-17cg
16
url VCID-vrav-rf43-pqba
vulnerability_id VCID-vrav-rf43-pqba
summary
Craft Commerce is vulnerable to SQL Injection in Commerce Inventory Table Sorting
Craft Commerce is vulnerable to **SQL Injection** in the inventory levels table data endpoint. The `sort[0][direction]` and `sort[0][sortField]` parameters are concatenated directly into an `addOrderBy()` clause without any validation or sanitization. An authenticated attacker with access to the Commerce Inventory section can inject arbitrary SQL queries, potentially leading to a full database compromise.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-29174
reference_id
reference_type
scores
0
value 0.00015
scoring_system epss
scoring_elements 0.031
published_at 2026-06-09T12:55:00Z
1
value 0.00015
scoring_system epss
scoring_elements 0.03126
published_at 2026-06-08T12:55:00Z
2
value 0.00015
scoring_system epss
scoring_elements 0.03144
published_at 2026-06-07T12:55:00Z
3
value 0.00015
scoring_system epss
scoring_elements 0.03192
published_at 2026-06-06T12:55:00Z
4
value 0.00015
scoring_system epss
scoring_elements 0.03183
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-29174
1
reference_url https://github.com/craftcms/commerce
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/commerce
2
reference_url https://github.com/craftcms/commerce/commit/094d69df24b925544f337c38e2ec1effcd5395c7
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-10T20:09:58Z/
url https://github.com/craftcms/commerce/commit/094d69df24b925544f337c38e2ec1effcd5395c7
3
reference_url https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-10T20:09:58Z/
url https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-29174
reference_id CVE-2026-29174
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-29174
5
reference_url https://github.com/advisories/GHSA-pmgj-gmm4-jh6j
reference_id GHSA-pmgj-gmm4-jh6j
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-pmgj-gmm4-jh6j
6
reference_url https://github.com/craftcms/commerce/security/advisories/GHSA-pmgj-gmm4-jh6j
reference_id GHSA-pmgj-gmm4-jh6j
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-10T20:09:58Z/
url https://github.com/craftcms/commerce/security/advisories/GHSA-pmgj-gmm4-jh6j
fixed_packages
0
url pkg:composer/craftcms/commerce@5.5.3
purl pkg:composer/craftcms/commerce@5.5.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-d2vn-69x5-77e3
1
vulnerability VCID-df4p-6796-9beh
2
vulnerability VCID-mq6x-g8rw-ebck
3
vulnerability VCID-ungn-7sen-17cg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.3
aliases CVE-2026-29174, GHSA-pmgj-gmm4-jh6j
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vrav-rf43-pqba
17
url VCID-y94j-5xet-afap
vulnerability_id VCID-y94j-5xet-afap
summary
Craft Commerce has Stored XSS in Tax Categories (Name & Description) Fields Leading to Potential Privilege Escalation
A stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Tax Categories (Name & Description) fields in the **Store Management** section are not properly sanitized before being displayed in the admin panel.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25488
reference_id
reference_type
scores
0
value 0.00025
scoring_system epss
scoring_elements 0.07483
published_at 2026-06-07T12:55:00Z
1
value 0.00025
scoring_system epss
scoring_elements 0.07498
published_at 2026-06-05T12:55:00Z
2
value 0.00025
scoring_system epss
scoring_elements 0.07448
published_at 2026-06-09T12:55:00Z
3
value 0.00025
scoring_system epss
scoring_elements 0.07437
published_at 2026-06-08T12:55:00Z
4
value 0.00025
scoring_system epss
scoring_elements 0.07505
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25488
1
reference_url https://github.com/craftcms/commerce
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/commerce
2
reference_url https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:40Z/
url https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
3
reference_url https://github.com/craftcms/commerce/releases/tag/4.10.1
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:40Z/
url https://github.com/craftcms/commerce/releases/tag/4.10.1
4
reference_url https://github.com/craftcms/commerce/releases/tag/5.5.2
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:40Z/
url https://github.com/craftcms/commerce/releases/tag/5.5.2
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25488
reference_id CVE-2026-25488
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25488
6
reference_url https://github.com/advisories/GHSA-p6w8-q63m-72c8
reference_id GHSA-p6w8-q63m-72c8
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-p6w8-q63m-72c8
7
reference_url https://github.com/craftcms/commerce/security/advisories/GHSA-p6w8-q63m-72c8
reference_id GHSA-p6w8-q63m-72c8
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:40Z/
url https://github.com/craftcms/commerce/security/advisories/GHSA-p6w8-q63m-72c8
fixed_packages
0
url pkg:composer/craftcms/commerce@5.5.2
purl pkg:composer/craftcms/commerce@5.5.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1aw3-g7fu-cqhq
1
vulnerability VCID-1xrw-7mm9-6bgv
2
vulnerability VCID-6cnk-bxvk-bqd5
3
vulnerability VCID-ce4y-92tx-93h3
4
vulnerability VCID-d2vn-69x5-77e3
5
vulnerability VCID-df4p-6796-9beh
6
vulnerability VCID-hacw-wce3-suf5
7
vulnerability VCID-mq6x-g8rw-ebck
8
vulnerability VCID-ungn-7sen-17cg
9
vulnerability VCID-vrav-rf43-pqba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2
aliases CVE-2026-25488, GHSA-p6w8-q63m-72c8
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-y94j-5xet-afap
18
url VCID-yku6-t384-xkdu
vulnerability_id VCID-yku6-t384-xkdu
summary
Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation
A stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the **Name & Description** fields in **Tax Zones** are not properly sanitized before being displayed in the admin panel.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25489
reference_id
reference_type
scores
0
value 0.00025
scoring_system epss
scoring_elements 0.07498
published_at 2026-06-05T12:55:00Z
1
value 0.00025
scoring_system epss
scoring_elements 0.07448
published_at 2026-06-09T12:55:00Z
2
value 0.00025
scoring_system epss
scoring_elements 0.07437
published_at 2026-06-08T12:55:00Z
3
value 0.00025
scoring_system epss
scoring_elements 0.07483
published_at 2026-06-07T12:55:00Z
4
value 0.00025
scoring_system epss
scoring_elements 0.07505
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25489
1
reference_url https://github.com/craftcms/commerce
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/commerce
2
reference_url https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:32:00Z/
url https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
3
reference_url https://github.com/craftcms/commerce/releases/tag/4.10.1
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:32:00Z/
url https://github.com/craftcms/commerce/releases/tag/4.10.1
4
reference_url https://github.com/craftcms/commerce/releases/tag/5.5.2
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:32:00Z/
url https://github.com/craftcms/commerce/releases/tag/5.5.2
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25489
reference_id CVE-2026-25489
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25489
6
reference_url https://github.com/advisories/GHSA-v585-mf6r-rqrc
reference_id GHSA-v585-mf6r-rqrc
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v585-mf6r-rqrc
7
reference_url https://github.com/craftcms/commerce/security/advisories/GHSA-v585-mf6r-rqrc
reference_id GHSA-v585-mf6r-rqrc
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:32:00Z/
url https://github.com/craftcms/commerce/security/advisories/GHSA-v585-mf6r-rqrc
fixed_packages
0
url pkg:composer/craftcms/commerce@5.5.2
purl pkg:composer/craftcms/commerce@5.5.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1aw3-g7fu-cqhq
1
vulnerability VCID-1xrw-7mm9-6bgv
2
vulnerability VCID-6cnk-bxvk-bqd5
3
vulnerability VCID-ce4y-92tx-93h3
4
vulnerability VCID-d2vn-69x5-77e3
5
vulnerability VCID-df4p-6796-9beh
6
vulnerability VCID-hacw-wce3-suf5
7
vulnerability VCID-mq6x-g8rw-ebck
8
vulnerability VCID-ungn-7sen-17cg
9
vulnerability VCID-vrav-rf43-pqba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2
aliases CVE-2026-25489, GHSA-v585-mf6r-rqrc
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yku6-t384-xkdu
Fixing_vulnerabilities
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.1.0-beta.3