Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-8wtv-3a2u-efhn
Vulnerability ID VCID-8wtv-3a2u-efhn
Aliases CVE-2026-29177
GHSA-mj32-r678-7mvp
Summary Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name. When a user opens the order details slideout via a double-click on the order index page, the injected payload executes. This vulnerability is fixed in 4.10.2 and 5.5.3.
Status Published
Exploitability 0.5
Weighted Severity 2.7
Risk 1.4
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
System Score Found at
epss 0.00014 https://api.first.org/data/v1/epss?cve=CVE-2026-29177
cvssv3.1_qr LOW https://github.com/advisories/GHSA-mj32-r678-7mvp
cvssv4 1.9 https://github.com/craftcms/commerce/commit/b0683e04773f16bba6af9df18aab495fc5dde68a
ssvc Track https://github.com/craftcms/commerce/commit/b0683e04773f16bba6af9df18aab495fc5dde68a
cvssv3.1_qr LOW https://github.com/craftcms/commerce/security/advisories/GHSA-mj32-r678-7mvp
cvssv4 1.9 https://github.com/craftcms/commerce/security/advisories/GHSA-mj32-r678-7mvp
ssvc Track https://github.com/craftcms/commerce/security/advisories/GHSA-mj32-r678-7mvp
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-29177
b0683e04773f16bba6af9df18aab495fc5dde68a https://github.com/craftcms/commerce/commit/b0683e04773f16bba6af9df18aab495fc5dde68a
CVE-2026-29177 https://nvd.nist.gov/vuln/detail/CVE-2026-29177
GHSA-mj32-r678-7mvp https://github.com/advisories/GHSA-mj32-r678-7mvp
GHSA-mj32-r678-7mvp https://github.com/craftcms/commerce/security/advisories/GHSA-mj32-r678-7mvp
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P Found at https://github.com/craftcms/commerce/commit/b0683e04773f16bba6af9df18aab495fc5dde68a
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:07:59Z/ Found at https://github.com/craftcms/commerce/commit/b0683e04773f16bba6af9df18aab495fc5dde68a
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P Found at https://github.com/craftcms/commerce/security/advisories/GHSA-mj32-r678-7mvp
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:07:59Z/ Found at https://github.com/craftcms/commerce/security/advisories/GHSA-mj32-r678-7mvp
Exploit Prediction Scoring System (EPSS)
Percentile 0.02427
EPSS Score 0.00014
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:46:54.871795+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/29xxx/CVE-2026-29177.json 38.6.0