{"url":"http://public2.vulnerablecode.io/api/packages/955239?format=json","purl":"pkg:composer/craftcms/commerce@5.3.2.1","type":"composer","namespace":"craftcms","name":"commerce","version":"5.3.2.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.6.0","latest_non_vulnerable_version":"5.6.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50814?format=json","vulnerability_id":"VCID-1aw3-g7fu-cqhq","summary":"Craft Commerce has stored XSS in Craft Commerce Order Details Slideout\nA Stored Cross-Site Scripting (XSS) vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the **Shipping Method Name**, **Order Reference**, or **Site Name**. When a user opens the order details slideout via a double-click on the order index page, the injected payload executes.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29177","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02459","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02403","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02443","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02517","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02515","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29177"},{"reference_url":"https://github.com/craftcms/commerce","reference_id":"","reference_type":"","scores":[{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/commerce"},{"
reference_url":"https://github.com/craftcms/commerce/commit/b0683e04773f16bba6af9df18aab495fc5dde68a","reference_id":"","reference_type":"","scores":[{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:07:59Z/"}],"url":"https://github.com/craftcms/commerce/commit/b0683e04773f16bba6af9df18aab495fc5dde68a"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29177","reference_id":"CVE-2026-29177","reference_type":"","scores":[{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29177"},{"reference_url":"https://github.com/advisories/GHSA-mj32-r678-7mvp","reference_id":"GHSA-mj32-r678-7mvp","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mj32-r678-7mvp"},{"reference_url":"https://github.com/craftcms/commerce/security/advisories/GHSA-mj32-r678-7mvp","reference_id":"GHSA-mj32-r678-7mvp","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:07:59Z/"}],"url":"https://github.com/craftcms/commerce/security/advisories/GHSA-mj32-r678-7mvp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74582?format=json","purl":"pkg:composer/craftcms/commerce@5
.5.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-d2vn-69x5-77e3"},{"vulnerability":"VCID-df4p-6796-9beh"},{"vulnerability":"VCID-mq6x-g8rw-ebck"},{"vulnerability":"VCID-ungn-7sen-17cg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.3"}],"aliases":["CVE-2026-29177","GHSA-mj32-r678-7mvp"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1aw3-g7fu-cqhq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50794?format=json","vulnerability_id":"VCID-1xrw-7mm9-6bgv","summary":"Craft Commerce has multiple Stored XSS in Commerce Inventory Page, Leading to Session Hijacking\nStored XSS vulnerabilities exist in the Commerce Inventory page. The **Product Title**, **Variant Title**, and **Variant SKU** fields are rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript when any user (including administrators) views the inventory management page.\n\nThis vulnerability enables **session hijacking** by fetching the PHP Info utility page, which displays unmasked session cookies. 
Unlike other XSS chains that require elevated sessions, this attack provides instant access to the victim’s session - no additional user interaction or elevated session approval required.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29175","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02823","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02775","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02807","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02876","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02869","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29175"},{"reference_url":"https://github.com/craftcms/commerce","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/commerce"},{"reference_url":"https://github.com/craftcms/commerce/commit/9f0638a4fb29ed8295a463385a7cc49ec986e33a","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-11T14:11:05Z/"}],"url":"https://github.com/craftcms/commerce/commit/9f0638a4fb29ed8295a463385a7cc49ec986e33a"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29175","reference_id":"CVE-2026-29175","reference_type":"","scores":[{"value
":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29175"},{"reference_url":"https://github.com/advisories/GHSA-cfpv-rmpf-f624","reference_id":"GHSA-cfpv-rmpf-f624","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cfpv-rmpf-f624"},{"reference_url":"https://github.com/craftcms/commerce/security/advisories/GHSA-cfpv-rmpf-f624","reference_id":"GHSA-cfpv-rmpf-f624","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-11T14:11:05Z/"}],"url":"https://github.com/craftcms/commerce/security/advisories/GHSA-cfpv-rmpf-f624"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74582?format=json","purl":"pkg:composer/craftcms/commerce@5.5.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-d2vn-69x5-77e3"},{"vulnerability":"VCID-df4p-6796-9beh"},{"vulnerability":"VCID-mq6x-g8rw-ebck"},{"vulnerability":"VCID-ungn-7sen-17cg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.3"}],"aliases":["CVE-2026-29175","GHSA-cfpv-rmpf-f624"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1xrw-7mm9-6bgv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49931?format=json","vulnerability_id":"VCID-33k1-1cba-7uah","summary":"Craft Commerce has Stored XSS via Order Status Message 
with potential database exfiltration\nA stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the `|md` filter, which permits raw HTML, enabling malicious script execution. If the user who views the message has database backup utility permissions (which do not require an elevated session), the injected script, running in that user's session, can use the backup utility to exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes.\n\nUsers are recommended to update to the patched 5.5.2 release (or 4.10.1 on the 4.x line) to mitigate the issue.\n\n---","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25483","reference_id":"","reference_type":"","scores":[{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04734","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04719","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04696","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04746","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04762","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25483"},{"reference_url":"https://github.com/craftcms/commerce","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/commerce"},{"reference_url":"https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","sc
oring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:22Z/"}],"url":"https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/4.10.1","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:22Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/4.10.1"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/5.5.2","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:22Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/5.5.2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25483","reference_id":"CVE-2026-25483","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25483"},{"reference_url":"https://github.com/advisories/GHSA-8478-rmjg-mjj5","reference_id":"GHSA-8478-rmjg-mjj5","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8478-rmjg-mjj5"},{"reference_url":"https://github.com/craftcms/commerce/security/advisorie
s/GHSA-8478-rmjg-mjj5","reference_id":"GHSA-8478-rmjg-mjj5","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:22Z/"}],"url":"https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73767?format=json","purl":"pkg:composer/craftcms/commerce@5.5.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1aw3-g7fu-cqhq"},{"vulnerability":"VCID-1xrw-7mm9-6bgv"},{"vulnerability":"VCID-6cnk-bxvk-bqd5"},{"vulnerability":"VCID-ce4y-92tx-93h3"},{"vulnerability":"VCID-d2vn-69x5-77e3"},{"vulnerability":"VCID-df4p-6796-9beh"},{"vulnerability":"VCID-hacw-wce3-suf5"},{"vulnerability":"VCID-mq6x-g8rw-ebck"},{"vulnerability":"VCID-ungn-7sen-17cg"},{"vulnerability":"VCID-vrav-rf43-pqba"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2"}],"aliases":["CVE-2026-25483","GHSA-8478-rmjg-mjj5"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-33k1-1cba-7uah"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50788?format=json","vulnerability_id":"VCID-6cnk-bxvk-bqd5","summary":"Craft Commerce has stored XSS in Inventory Location Name\nA stored XSS vulnerability exists in the Commerce Settings - Inventory Locations page. 
The **Name** field is rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript.\n\nThis XSS triggers when an administrator (or user with product editing permissions) creates or edits a variant product.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29176","reference_id":"","reference_type":"","scores":[{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.012","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01204","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01202","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01203","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29176"},{"reference_url":"https://github.com/craftcms/commerce","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/commerce"},{"reference_url":"https://github.com/craftcms/commerce/commit/da143df084563ddf0929d7c261bcc11d312e8004","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:07:48Z/"}],"url":"https://github.com/craftcms/commerce/commit/da143df084563ddf0929d7c261bcc11d312e8004"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29176","re
ference_id":"CVE-2026-29176","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29176"},{"reference_url":"https://github.com/advisories/GHSA-wj89-2385-gpx3","reference_id":"GHSA-wj89-2385-gpx3","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wj89-2385-gpx3"},{"reference_url":"https://github.com/craftcms/commerce/security/advisories/GHSA-wj89-2385-gpx3","reference_id":"GHSA-wj89-2385-gpx3","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:07:48Z/"}],"url":"https://github.com/craftcms/commerce/security/advisories/GHSA-wj89-2385-gpx3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74582?format=json","purl":"pkg:composer/craftcms/commerce@5.5.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-d2vn-69x5-77e3"},{"vulnerability":"VCID-df4p-6796-9beh"},{"vulnerability":"VCID-mq6x-g8rw-ebck"},{"vulnerability":"VCID-ungn-7sen-17cg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.3"}],"aliases":["CVE-2026-29176","GHSA-wj89-2385-gpx3"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/V
CID-6cnk-bxvk-bqd5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50813?format=json","vulnerability_id":"VCID-ce4y-92tx-93h3","summary":"Craft Commerce is Vulnerable to Stored XSS while updating Order Status from Orders Table\nA stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur.\n\n---","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29173","reference_id":"","reference_type":"","scores":[{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.05108","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.05146","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.05151","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.05165","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29173"},{"reference_url":"https://github.com/craftcms/commerce","reference_id":"","reference_type":"","scores":[{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/commerce"},{"reference_url":"https://github.com/craftcms/commerce/commit/60cdc505c03b6fa2f59715e8c060114b66334afa","reference_id":"","reference_type":"","scores":[{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X
/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:09:40Z/"}],"url":"https://github.com/craftcms/commerce/commit/60cdc505c03b6fa2f59715e8c060114b66334afa"},{"reference_url":"https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b","reference_id":"","reference_type":"","scores":[{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:09:40Z/"}],"url":"https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29173","reference_id":"CVE-2026-29173","reference_type":"","scores":[{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29173"},{"reference_url":"https://github.com/advisories/GHSA-mqxf-2998-c6cp","reference_id":"GHSA-mqxf-2998-c6cp","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mqxf-2998-c6cp"},{"reference_url":"https://github.com/craftcms/commerce/se
curity/advisories/GHSA-mqxf-2998-c6cp","reference_id":"GHSA-mqxf-2998-c6cp","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:09:40Z/"}],"url":"https://github.com/craftcms/commerce/security/advisories/GHSA-mqxf-2998-c6cp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74582?format=json","purl":"pkg:composer/craftcms/commerce@5.5.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-d2vn-69x5-77e3"},{"vulnerability":"VCID-df4p-6796-9beh"},{"vulnerability":"VCID-mq6x-g8rw-ebck"},{"vulnerability":"VCID-ungn-7sen-17cg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.3"}],"aliases":["CVE-2026-29173","GHSA-mqxf-2998-c6cp"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ce4y-92tx-93h3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89683?format=json","vulnerability_id":"VCID-d2vn-69x5-77e3","summary":"Craft Commerce has a SQL Injection that can lead to Remote Code Execution via TotalRevenue Widget\n## Summary\n\nA SQL injection in the Commerce TotalRevenue widget can lead to remote code execution through a chain of four vulnerabilities:\n\n* SQL Injection -- The TotalRevenue stat interpolates unsanitized widget settings directly into a sprintf-based SQL Expression.  Any control panel user can create any widget type without permission checks.\n\n* PDO Multi-Statement Queries -- PHP `PDO MySQL` enables `CLIENT_MULTI_STATEMENTS` by default. Neither Yii2 nor Craft CMS disables it (it can be switched off per connection with `PDO::MYSQL_ATTR_MULTI_STATEMENTS => false`, which breaks this link of the chain but does not fix the injection itself). This allows stacking an INSERT statement after the injected SELECT, writing a maliciously serialized PHP object into the queue table.\n\n* Unrestricted `unserialize()` -- The yii2-queue PhpSerializer calls `unserialize()` with no allowed_classes restriction on every queue job. When the queue consumer processes the injected job, it instantiates the attacker-controlled object.\n\n* Gadget Chain (FileCookieJar) -- `GuzzleHttp\\Cookie\\FileCookieJar` (a standard Guzzle dependency) has an unguarded `__destruct()` method that calls `file_put_contents()`. The attacker’s serialized payload writes a PHP webshell to the server’s webroot. PHP tags survive `json_encode()` because Guzzle uses `options=0` (no `JSON_HEX_TAG`).\n\nThe complete chain requires 3 HTTP requests and achieves arbitrary command execution as the PHP process user. Queue processing is triggered via GET `/actions/queue/run`, an endpoint that requires no authentication (`$allowAnonymous = ['run']`).\n\n## RCE Exploitation Steps\n\n* Authenticate as any control panel user\n* POST to `/admin/actions/dashboard/create-widget` with stacked SQL injection:\n* `settings[type]` contains the stacked INSERT with the serialized gadget chain\n* Response: HTTP 500 (expected -- INSERT already committed)\n* Trigger queue processing: `GET /actions/queue/run`\n* Queue consumer deserializes the gadget chain\n* `FileCookieJar::__destruct()` writes webshell to webroot\n* Access the webshell: `GET /poc_rce.php?c=id`\n* Response: `uid=1000(home) gid=1000(home) groups=1000(home)`","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32271","reference_id":"","reference_type":"","scores":[{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.23736","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.23627","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.23621","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.23675","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.23721","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32271"},{"reference_url":"https://github.com/craftcms/commerce","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/commerce"},{"reference_url":"https://github.com/craftcms/commerce/commit/6d2d24b3a2b0c06593856d05446f82bd8af92d72","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","s
coring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-16T13:21:36Z/"}],"url":"https://github.com/craftcms/commerce/commit/6d2d24b3a2b0c06593856d05446f82bd8af92d72"},{"reference_url":"https://github.com/craftcms/commerce/security/advisories/GHSA-875v-7m49-8x88","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-16T13:21:36Z/"}],"url":"https://github.com/craftcms/commerce/security/advisories/GHSA-875v-7m49-8x88"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32271","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32271"},{"reference_url":"https://github.com/advisories/GHSA-875v-7m49-8x88","reference_id":"GHSA-875v-7m49-8x88","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-875v-7m49-8x88"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110906?format=json","purl":"pkg:compos
er/craftcms/commerce@5.5.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.5"},{"url":"http://public2.vulnerablecode.io/api/packages/74657?format=json","purl":"pkg:composer/craftcms/commerce@5.6.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.6.0"}],"aliases":["CVE-2026-32271","GHSA-875v-7m49-8x88"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d2vn-69x5-77e3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89075?format=json","vulnerability_id":"VCID-df4p-6796-9beh","summary":"Craft Commerce hasVariant/hasProduct Blind SQL Injection\n## Overview\n\nCraft Commerce’s `ProductQuery::hasVariant` and `VariantQuery::hasProduct` properties bypass the `unset()` blocklist added to `ElementIndexesController` in GHSA-2453-mppf-46cj.\n\nThe blocklist only strips top-level Yii2 Query properties (`where`, `orderBy`, etc.), but `hasVariant` and `hasProduct` pass\nthrough untouched. 
Internally, these properties call `Craft::configure()` on a subquery without sanitization, re-introducing SQL injection via `criteria[hasVariant][where]=INJECTED_SQL`.\n\nAn authenticated control panel user can perform boolean-based blind SQL injection through `ElementIndexesController` even after the GHSA-2453-mppf-46cj blocklist fix, and extract arbitrary database contents.\n\n## Impact\n\n* Full database read access via blind SQL injection\n* Privilege escalation via security key extraction → forged admin sessions\n\n## Prerequisites\n* Authenticated control panel user\n* Commerce plugin installed\n* Products with variants in the database","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32272","reference_id":"","reference_type":"","scores":[{"value":"0.00039","scoring_system":"epss","scoring_elements":"0.11895","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00039","scoring_system":"epss","scoring_elements":"0.11884","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00039","scoring_system":"epss","scoring_elements":"0.11958","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00039","scoring_system":"epss","scoring_elements":"0.11996","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00039","scoring_system":"epss","scoring_elements":"0.12001","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32272"},{"reference_url":"https://github.com/craftcms/commerce","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/commerce"},{"reference_url":"https://github.com/craftcms/commerce/pull/4232","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generi
c_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-14T15:28:46Z/"}],"url":"https://github.com/craftcms/commerce/pull/4232"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/5.6.0","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-14T15:28:46Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/5.6.0"},{"reference_url":"https://github.com/craftcms/commerce/security/advisories/GHSA-r54v-qq87-px5r","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-14T15:28:46Z/"}],"url":"https://github.com/craftcms/commerce/security/advisories/GHSA-r54v-qq87-px5r"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32272","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32272"},{"reference_url":"https://github.com/advisories/GHSA-2453-mppf-46cj","reference_id":"GHSA-2453-mppf-46cj","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","sco
ring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-14T15:28:46Z/"}],"url":"https://github.com/advisories/GHSA-2453-mppf-46cj"},{"reference_url":"https://github.com/advisories/GHSA-r54v-qq87-px5r","reference_id":"GHSA-r54v-qq87-px5r","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r54v-qq87-px5r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74657?format=json","purl":"pkg:composer/craftcms/commerce@5.6.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.6.0"}],"aliases":["CVE-2026-32272","GHSA-r54v-qq87-px5r"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-df4p-6796-9beh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49928?format=json","vulnerability_id":"VCID-fjsf-jw9z-puac","summary":"Craft Commerce has Stored XSS in Product Type Name\nStored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings.\n\nThe vulnerable input (source) is in Commerce (Product Type settings), but the sink is in CMS user permissions settings. 
Reporting to Commerce GHSA since the input originates here.\n\nUsers are recommended to update to the patched 5.5.2 release to mitigate the issue.\n\n---","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25484","reference_id":"","reference_type":"","scores":[{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05548","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05504","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05545","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05562","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25484"},{"reference_url":"https://github.com/craftcms/commerce","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/commerce"},{"reference_url":"https://github.com/craftcms/commerce/commit/7e1dedf06038c8e70dce0187b7048d4ab8ffb75c","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:19Z/"}],"url":"https://github.com/craftcms/commerce/commit/7e1dedf06038c8e70dce0187b7048d4ab8ffb75c"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/4.10.1","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","sc
oring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:19Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/4.10.1"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/5.5.2","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:19Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/5.5.2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25484","reference_id":"CVE-2026-25484","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25484"},{"reference_url":"https://github.com/advisories/GHSA-2h2m-v2mg-656c","reference_id":"GHSA-2h2m-v2mg-656c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2h2m-v2mg-656c"},{"reference_url":"https://github.com/craftcms/commerce/security/advisories/GHSA-2h2m-v2mg-656c","reference_id":"GHSA-2h2m-v2mg-656c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:19Z/"}],"url":"https://gith
ub.com/craftcms/commerce/security/advisories/GHSA-2h2m-v2mg-656c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73767?format=json","purl":"pkg:composer/craftcms/commerce@5.5.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1aw3-g7fu-cqhq"},{"vulnerability":"VCID-1xrw-7mm9-6bgv"},{"vulnerability":"VCID-6cnk-bxvk-bqd5"},{"vulnerability":"VCID-ce4y-92tx-93h3"},{"vulnerability":"VCID-d2vn-69x5-77e3"},{"vulnerability":"VCID-df4p-6796-9beh"},{"vulnerability":"VCID-hacw-wce3-suf5"},{"vulnerability":"VCID-mq6x-g8rw-ebck"},{"vulnerability":"VCID-ungn-7sen-17cg"},{"vulnerability":"VCID-vrav-rf43-pqba"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2"}],"aliases":["CVE-2026-25484","GHSA-2h2m-v2mg-656c"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fjsf-jw9z-puac"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50797?format=json","vulnerability_id":"VCID-hacw-wce3-suf5","summary":"Craft Commerce is Vulnerable to SQL Injection in Commerce Purchasables Table Sorting\nCraft Commerce is vulnerable to **SQL Injection** in the purchasables table endpoint. The `sort` parameter is split by `|` and the first part (column name) is passed directly as an array key to `orderBy()` without `whitelist` validation. 
Yii2's query builder does **NOT** escape array keys, allowing an authenticated attacker to inject arbitrary SQL into the `ORDER BY` clause.\n\n---","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29172","reference_id":"","reference_type":"","scores":[{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.031","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03126","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03144","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03192","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03183","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29172"},{"reference_url":"https://github.com/craftcms/commerce","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/commerce"},{"reference_url":"https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-11T14:12:47Z/"}],"url":"https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276"},{"reference_url":"https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_sys
tem":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-11T14:12:47Z/"}],"url":"https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29172","reference_id":"CVE-2026-29172","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29172"},{"reference_url":"https://github.com/advisories/GHSA-j3x5-mghf-xvfw","reference_id":"GHSA-j3x5-mghf-xvfw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j3x5-mghf-xvfw"},{"reference_url":"https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw","reference_id":"GHSA-j3x5-mghf-xvfw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-11T14:12:47Z/"}],"url":"https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74582?format=json","purl":"pkg:composer/craftcms/commerce@5.5.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-d2vn-69x5-77e3"},{"vulnerability":"VCID-df4p-6796-9beh"},{"vulnerability":"VCID-mq6x-g8rw-ebck"},{"vu
lnerability":"VCID-ungn-7sen-17cg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.3"}],"aliases":["CVE-2026-29172","GHSA-j3x5-mghf-xvfw"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hacw-wce3-suf5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50816?format=json","vulnerability_id":"VCID-mq6x-g8rw-ebck","summary":"Craft Commerce: Potential IDOR in Commerce carts\nAn Insecure Direct Object Reference (IDOR) vulnerability exists in Craft Commerce’s cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character number. This vulnerability enables the takeover of shopping sessions and potential exposure of PII.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31867","reference_id":"","reference_type":"","scores":[{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.21977","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.21931","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.2192","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.22025","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.22039","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31867"},{"reference_url":"https://github.com/craftcms/commerce","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/commerce"},{"reference_url":"https://github.com/craftcms/commerce/pull/4207","reference_id"
:"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T13:49:40Z/"}],"url":"https://github.com/craftcms/commerce/pull/4207"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31867","reference_id":"CVE-2026-31867","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31867"},{"reference_url":"https://github.com/advisories/GHSA-vff3-pqq8-4cpq","reference_id":"GHSA-vff3-pqq8-4cpq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vff3-pqq8-4cpq"},{"reference_url":"https://github.com/craftcms/commerce/security/advisories/GHSA-vff3-pqq8-4cpq","reference_id":"GHSA-vff3-pqq8-4cpq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T13:49:40Z/"}],"url":"https://github.com/craftcms/commerce/security/advisories/GHSA-vff3-pqq8-4cpq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74657?format=json","purl":"pkg:composer/craftcms/commerce@5.6.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/
commerce@5.6.0"}],"aliases":["CVE-2026-31867","GHSA-vff3-pqq8-4cpq"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mq6x-g8rw-ebck"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49942?format=json","vulnerability_id":"VCID-n9wn-yadg-1bbs","summary":"Craft Commerce has Stored XSS in Shipping Zone (Name & Description) Fields Leading to Potential Privilege Escalation\nA stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Zone (Name & Description) fields in the **Store Management** section are not properly sanitized before being displayed in the admin panel.\n\n---","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25522","reference_id":"","reference_type":"","scores":[{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10306","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10329","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10252","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10222","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10349","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25522"},{"reference_url":"https://github.com/craftcms/commerce","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/commerce"},{"reference_url":"https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee","referenc
e_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T19:22:16Z/"}],"url":"https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/4.10.1","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T19:22:16Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/4.10.1"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/5.5.2","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T19:22:16Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/5.5.2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25522","reference_id":"CVE-2026-25522","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25522"},{"reference_url":"https://github.com/advisories/GHSA-h9r9-2pxg-cx9m","reference_id":"GHSA-h9r9-2pxg-cx9m","reference_ty
pe":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h9r9-2pxg-cx9m"},{"reference_url":"https://github.com/craftcms/commerce/security/advisories/GHSA-h9r9-2pxg-cx9m","reference_id":"GHSA-h9r9-2pxg-cx9m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T19:22:16Z/"}],"url":"https://github.com/craftcms/commerce/security/advisories/GHSA-h9r9-2pxg-cx9m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73767?format=json","purl":"pkg:composer/craftcms/commerce@5.5.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1aw3-g7fu-cqhq"},{"vulnerability":"VCID-1xrw-7mm9-6bgv"},{"vulnerability":"VCID-6cnk-bxvk-bqd5"},{"vulnerability":"VCID-ce4y-92tx-93h3"},{"vulnerability":"VCID-d2vn-69x5-77e3"},{"vulnerability":"VCID-df4p-6796-9beh"},{"vulnerability":"VCID-hacw-wce3-suf5"},{"vulnerability":"VCID-mq6x-g8rw-ebck"},{"vulnerability":"VCID-ungn-7sen-17cg"},{"vulnerability":"VCID-vrav-rf43-pqba"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2"}],"aliases":["CVE-2026-25522","GHSA-h9r9-2pxg-cx9m"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n9wn-yadg-1bbs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49912?format=json","vulnerability_id":"VCID-neek-y6ze-5yad","summary":"Craft Commerce has Stored DOM XSS in Order Status Name (Reflects in \"Recent Orders\" Dashboard Widget)\nA stored DOM XSS vulnerability exists in the **\"Recent Orders\"** 
dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard.\n\nUsers are recommended to update to the patched 5.5.2 release to mitigate the issue.\n\n---","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25482","reference_id":"","reference_type":"","scores":[{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08785","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08743","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08789","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08808","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08792","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25482"},{"reference_url":"https://github.com/craftcms/commerce","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/commerce"},{"reference_url":"https://github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935ba65","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:23Z/"}],"url":"https://github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935ba65"},{"reference_url":"https://github.com/craftcms/c
ommerce/releases/tag/4.10.1","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:23Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/4.10.1"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/5.5.2","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:23Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/5.5.2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25482","reference_id":"CVE-2026-25482","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25482"},{"reference_url":"https://github.com/advisories/GHSA-frj9-9rwc-pw9j","reference_id":"GHSA-frj9-9rwc-pw9j","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-frj9-9rwc-pw9j"},{"reference_url":"https://github.com/craftcms/commerce/security/advisories/GHSA-frj9-9rwc-pw9j","reference_id":"GHSA-frj9-9rwc-pw9j","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:
H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:46:23Z/"}],"url":"https://github.com/craftcms/commerce/security/advisories/GHSA-frj9-9rwc-pw9j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73767?format=json","purl":"pkg:composer/craftcms/commerce@5.5.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1aw3-g7fu-cqhq"},{"vulnerability":"VCID-1xrw-7mm9-6bgv"},{"vulnerability":"VCID-6cnk-bxvk-bqd5"},{"vulnerability":"VCID-ce4y-92tx-93h3"},{"vulnerability":"VCID-d2vn-69x5-77e3"},{"vulnerability":"VCID-df4p-6796-9beh"},{"vulnerability":"VCID-hacw-wce3-suf5"},{"vulnerability":"VCID-mq6x-g8rw-ebck"},{"vulnerability":"VCID-ungn-7sen-17cg"},{"vulnerability":"VCID-vrav-rf43-pqba"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2"}],"aliases":["CVE-2026-25482","GHSA-frj9-9rwc-pw9j"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-neek-y6ze-5yad"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49932?format=json","vulnerability_id":"VCID-nr33-778p-6kfg","summary":"Craft Commerce has Stored XSS in Shipping Methods Name Field Leading to Potential Privilege Escalation\nA stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. 
This occurs because the Shipping Methods Name field in the **Store Management** section is not properly sanitized before being displayed in the admin panel.\n\n---","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25486","reference_id":"","reference_type":"","scores":[{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.06933","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.06979","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.06941","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.06984","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.0697","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25486"},{"reference_url":"https://github.com/craftcms/commerce","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/commerce"},{"reference_url":"https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:10:07Z/"}],"url":"https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/5.5.2","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system"
:"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:10:07Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/5.5.2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25486","reference_id":"CVE-2026-25486","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25486"},{"reference_url":"https://github.com/advisories/GHSA-g92v-wpv7-6w22","reference_id":"GHSA-g92v-wpv7-6w22","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g92v-wpv7-6w22"},{"reference_url":"https://github.com/craftcms/commerce/security/advisories/GHSA-g92v-wpv7-6w22","reference_id":"GHSA-g92v-wpv7-6w22","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:10:07Z/"}],"url":"https://github.com/craftcms/commerce/security/advisories/GHSA-g92v-wpv7-6w22"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73767?format=json","purl":"pkg:composer/craftcms/commerce@5.5.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1aw3-g7fu-cqhq"},{"vulnerability":"VCID-1xrw-7mm9-6bgv"},{"vulnerability":"VCID-6cnk-bxvk-bqd5"},{"vulnerability":"V
CID-ce4y-92tx-93h3"},{"vulnerability":"VCID-d2vn-69x5-77e3"},{"vulnerability":"VCID-df4p-6796-9beh"},{"vulnerability":"VCID-hacw-wce3-suf5"},{"vulnerability":"VCID-mq6x-g8rw-ebck"},{"vulnerability":"VCID-ungn-7sen-17cg"},{"vulnerability":"VCID-vrav-rf43-pqba"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2"}],"aliases":["CVE-2026-25486","GHSA-g92v-wpv7-6w22"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nr33-778p-6kfg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49944?format=json","vulnerability_id":"VCID-tedj-1vqg-nkfc","summary":"Craft Commerce has Stored XSS in Inventory Location Address Leading to Potential Privilege Escalation\nA stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the 'Address Line 1' field in Inventory Locations is not properly sanitized before being displayed in the admin 
panel.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25490","reference_id":"","reference_type":"","scores":[{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07483","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07498","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07448","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07437","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07505","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25490"},{"reference_url":"https://github.com/craftcms/commerce","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/commerce"},{"reference_url":"https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:25:17Z/"}],"url":"https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/4.10.1","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","sco
ring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:25:17Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/4.10.1"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/5.5.2","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:25:17Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/5.5.2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25490","reference_id":"CVE-2026-25490","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25490"},{"reference_url":"https://github.com/advisories/GHSA-wq2m-r96q-crrf","reference_id":"GHSA-wq2m-r96q-crrf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wq2m-r96q-crrf"},{"reference_url":"https://github.com/craftcms/commerce/security/advisories/GHSA-wq2m-r96q-crrf","reference_id":"GHSA-wq2m-r96q-crrf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:25:17Z/"}],"url":"https://github.com/craftcms/commerce/security/ad
visories/GHSA-wq2m-r96q-crrf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73767?format=json","purl":"pkg:composer/craftcms/commerce@5.5.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1aw3-g7fu-cqhq"},{"vulnerability":"VCID-1xrw-7mm9-6bgv"},{"vulnerability":"VCID-6cnk-bxvk-bqd5"},{"vulnerability":"VCID-ce4y-92tx-93h3"},{"vulnerability":"VCID-d2vn-69x5-77e3"},{"vulnerability":"VCID-df4p-6796-9beh"},{"vulnerability":"VCID-hacw-wce3-suf5"},{"vulnerability":"VCID-mq6x-g8rw-ebck"},{"vulnerability":"VCID-ungn-7sen-17cg"},{"vulnerability":"VCID-vrav-rf43-pqba"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2"}],"aliases":["CVE-2026-25490","GHSA-wq2m-r96q-crrf"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tedj-1vqg-nkfc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49918?format=json","vulnerability_id":"VCID-u5z2-9z44-8kd8","summary":"Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation\nA stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. 
This occurs because the Tax Rates 'Name' field in the **Store Management** section is not properly sanitized before being displayed in the admin panel.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25487","reference_id":"","reference_type":"","scores":[{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07483","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07498","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07448","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07437","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07505","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25487"},{"reference_url":"https://github.com/craftcms/commerce","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/commerce"},{"reference_url":"https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:06Z/"}],"url":"https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/4.10.1","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4",
"scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:06Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/4.10.1"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/5.5.2","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:06Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/5.5.2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25487","reference_id":"CVE-2026-25487","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25487"},{"reference_url":"https://github.com/advisories/GHSA-wqc5-485v-3hqh","reference_id":"GHSA-wqc5-485v-3hqh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wqc5-485v-3hqh"},{"reference_url":"https://github.com/craftcms/commerce/security/advisories/GHSA-wqc5-485v-3hqh","reference_id":"GHSA-wqc5-485v-3hqh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_syste
m":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:06Z/"}],"url":"https://github.com/craftcms/commerce/security/advisories/GHSA-wqc5-485v-3hqh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73767?format=json","purl":"pkg:composer/craftcms/commerce@5.5.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1aw3-g7fu-cqhq"},{"vulnerability":"VCID-1xrw-7mm9-6bgv"},{"vulnerability":"VCID-6cnk-bxvk-bqd5"},{"vulnerability":"VCID-ce4y-92tx-93h3"},{"vulnerability":"VCID-d2vn-69x5-77e3"},{"vulnerability":"VCID-df4p-6796-9beh"},{"vulnerability":"VCID-hacw-wce3-suf5"},{"vulnerability":"VCID-mq6x-g8rw-ebck"},{"vulnerability":"VCID-ungn-7sen-17cg"},{"vulnerability":"VCID-vrav-rf43-pqba"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2"}],"aliases":["CVE-2026-25487","GHSA-wqc5-485v-3hqh"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u5z2-9z44-8kd8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89556?format=json","vulnerability_id":"VCID-ungn-7sen-17cg","summary":"Craft Commerce has an unauthenticated information disclosure that can leak some customer order data on anonymous payments\n### Summary\n\n`PaymentsController::actionPay` discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment.\n\nThe JSON error response includes the serialized order object (`order`), which contains some sensitive fields such as customer email, shipping address, and billing address.\n\n### Details\n\nI manually audited frontend payment flows and found that `actionPay()` retrieves orders by number before authorization is fully enforced.\n\nCode path:\n\n1. Load order by `number`.\n2. Evaluate whether payment is authorized for completed orders (`number + matching email`).\n3. 
If unauthorized, return failure.\n4. Failure response still includes `cartArray($order)`, which serializes sensitive order data.\n\nWhy is this a vulnerability?\n\n- Authorization logic says the requester is not allowed to pay for a completed order without an email.\n- But the response still returns the same completed order’s contents.\n\n### Impact\n\nType: Information Disclosure / Broken Access Control\n\nWho is impacted:\n\n- Any Commerce deployment where completed order numbers can be obtained or leaked.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32270","reference_id":"","reference_type":"","scores":[{"value":"0.0009","scoring_system":"epss","scoring_elements":"0.2554","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0009","scoring_system":"epss","scoring_elements":"0.25437","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0009","scoring_system":"epss","scoring_elements":"0.25496","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0009","scoring_system":"epss","scoring_elements":"0.25446","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0009","scoring_system":"epss","scoring_elements":"0.25553","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32270"},{"reference_url":"https://github.com/craftcms/commerce","reference_id":"","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/commerce"},{"reference_url":"https://github.com/craftcms/commerce/commit/48a5d946419964e2af1ac64a8e1acc2a32ca0a08","reference_id":"","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"1.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L
/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T15:24:48Z/"}],"url":"https://github.com/craftcms/commerce/commit/48a5d946419964e2af1ac64a8e1acc2a32ca0a08"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/4.11.0","reference_id":"","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"1.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T15:24:48Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/4.11.0"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/5.6.0","reference_id":"","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"1.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T15:24:48Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/5.6.0"},{"reference_url":"https://github.com/craftcms/commerce/security/advisories/GHSA-3vxg-x5f8-f5qf","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"1.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"1.7","scoring_system":"cvssv4","scor
ing_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T15:24:48Z/"}],"url":"https://github.com/craftcms/commerce/security/advisories/GHSA-3vxg-x5f8-f5qf"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32270","reference_id":"","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32270"},{"reference_url":"https://github.com/advisories/GHSA-3vxg-x5f8-f5qf","reference_id":"GHSA-3vxg-x5f8-f5qf","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3vxg-x5f8-f5qf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74657?format=json","purl":"pkg:composer/craftcms/commerce@5.6.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.6.0"}],"aliases":["CVE-2026-32270","GHSA-3vxg-x5f8-f5qf"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ungn-7sen-17cg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50819?format=json","vulnerability_id":"VCID-vrav-rf43-pqba","summary":"Craft Commerce is vulnerable to SQL Injection in Commerce Inventory Table Sorting\nCraft Commerce is vulnerable to **SQL Injection** in the inventory levels table data endpoint. The `sort[0][direction]` and `sort[0][sortField]` parameters are concatenated directly into an `addOrderBy()` clause without any validation or sanitization. 
An authenticated attacker with access to the Commerce Inventory section can inject arbitrary SQL queries, potentially leading to a full database compromise.\n\n---","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29174","reference_id":"","reference_type":"","scores":[{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.031","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03126","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03144","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03192","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03183","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29174"},{"reference_url":"https://github.com/craftcms/commerce","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/commerce"},{"reference_url":"https://github.com/craftcms/commerce/commit/094d69df24b925544f337c38e2ec1effcd5395c7","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-10T20:09:58Z/"}],"url":"https://github.com/craftcms/commerce/commit/094d69df24b925544f337c38e2ec1effcd5395c7"},{"reference_url":"https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b","reference_id":"","reference_type":"","scores":[{"value":"8
.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-10T20:09:58Z/"}],"url":"https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29174","reference_id":"CVE-2026-29174","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29174"},{"reference_url":"https://github.com/advisories/GHSA-pmgj-gmm4-jh6j","reference_id":"GHSA-pmgj-gmm4-jh6j","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pmgj-gmm4-jh6j"},{"reference_url":"https://github.com/craftcms/commerce/security/advisories/GHSA-pmgj-gmm4-jh6j","reference_id":"GHSA-pmgj-gmm4-jh6j","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-10T20:09:58Z/"}],"url":"https://github.com/craftcms/commerce/security/advisories/GHSA-pmgj-gmm4-jh6j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74582?format=json","purl":"pkg:composer/craftcms/commerce@5.5.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-d2vn-69x5-77e3"},{"vulnerability":"VCID-df4p-6796-9beh"},{"vulnerability":"VCID-mq6x-g8
rw-ebck"},{"vulnerability":"VCID-ungn-7sen-17cg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.3"}],"aliases":["CVE-2026-29174","GHSA-pmgj-gmm4-jh6j"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vrav-rf43-pqba"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49955?format=json","vulnerability_id":"VCID-y94j-5xet-afap","summary":"Craft Commerce has Stored XSS in Tax Categories (Name & Description) Fields Leading to Potential Privilege Escalation\nA stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Tax Categories (Name & Description) fields in the **Store Management** section are not properly sanitized before being displayed in the admin panel.\n\n---","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25488","reference_id":"","reference_type":"","scores":[{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07483","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07498","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07448","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07437","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07505","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25488"},{"reference_url":"https://github.com/craftcms/commerce","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/
craftcms/commerce"},{"reference_url":"https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:40Z/"}],"url":"https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/4.10.1","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:40Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/4.10.1"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/5.5.2","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:40Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/5.5.2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25488","reference_id":"CVE-2026-25488","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE
-2026-25488"},{"reference_url":"https://github.com/advisories/GHSA-p6w8-q63m-72c8","reference_id":"GHSA-p6w8-q63m-72c8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p6w8-q63m-72c8"},{"reference_url":"https://github.com/craftcms/commerce/security/advisories/GHSA-p6w8-q63m-72c8","reference_id":"GHSA-p6w8-q63m-72c8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:13:40Z/"}],"url":"https://github.com/craftcms/commerce/security/advisories/GHSA-p6w8-q63m-72c8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73767?format=json","purl":"pkg:composer/craftcms/commerce@5.5.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1aw3-g7fu-cqhq"},{"vulnerability":"VCID-1xrw-7mm9-6bgv"},{"vulnerability":"VCID-6cnk-bxvk-bqd5"},{"vulnerability":"VCID-ce4y-92tx-93h3"},{"vulnerability":"VCID-d2vn-69x5-77e3"},{"vulnerability":"VCID-df4p-6796-9beh"},{"vulnerability":"VCID-hacw-wce3-suf5"},{"vulnerability":"VCID-mq6x-g8rw-ebck"},{"vulnerability":"VCID-ungn-7sen-17cg"},{"vulnerability":"VCID-vrav-rf43-pqba"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2"}],"aliases":["CVE-2026-25488","GHSA-p6w8-q63m-72c8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-y94j-5xet-afap"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49929?format=json","vulnerability_id":"VCID-yku6-t384-xkdu","summary":"Craft Commerce has Stored XSS in Tax 
Zones (Name & Description) Leading to Potential Privilege Escalation\nA stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the **Name & Description** fields in **Tax Zones** are not properly sanitized before being displayed in the admin panel.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25489","reference_id":"","reference_type":"","scores":[{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07498","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07448","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07437","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07483","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07505","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25489"},{"reference_url":"https://github.com/craftcms/commerce","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/commerce"},{"reference_url":"https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:32:00Z/"}],"url":"https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37
c88654cd772839ee"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/4.10.1","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:32:00Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/4.10.1"},{"reference_url":"https://github.com/craftcms/commerce/releases/tag/5.5.2","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:32:00Z/"}],"url":"https://github.com/craftcms/commerce/releases/tag/5.5.2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25489","reference_id":"CVE-2026-25489","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25489"},{"reference_url":"https://github.com/advisories/GHSA-v585-mf6r-rqrc","reference_id":"GHSA-v585-mf6r-rqrc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v585-mf6r-rqrc"},{"reference_url":"https://github.com/craftcms/commerce/security/advisories/GHSA-v585-mf6r-rqrc","reference_id":"GHSA-v585-mf6r-rqrc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv4","scoring_el
ements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T20:32:00Z/"}],"url":"https://github.com/craftcms/commerce/security/advisories/GHSA-v585-mf6r-rqrc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73767?format=json","purl":"pkg:composer/craftcms/commerce@5.5.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1aw3-g7fu-cqhq"},{"vulnerability":"VCID-1xrw-7mm9-6bgv"},{"vulnerability":"VCID-6cnk-bxvk-bqd5"},{"vulnerability":"VCID-ce4y-92tx-93h3"},{"vulnerability":"VCID-d2vn-69x5-77e3"},{"vulnerability":"VCID-df4p-6796-9beh"},{"vulnerability":"VCID-hacw-wce3-suf5"},{"vulnerability":"VCID-mq6x-g8rw-ebck"},{"vulnerability":"VCID-ungn-7sen-17cg"},{"vulnerability":"VCID-vrav-rf43-pqba"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.5.2"}],"aliases":["CVE-2026-25489","GHSA-v585-mf6r-rqrc"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yku6-t384-xkdu"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/commerce@5.3.2.1"}