Description
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, A stored XSS vulnerability exists in the Commerce Settings - Inventory Locations page. The Name field is rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript. This XSS triggers when an administrator (or user with product editing permissions) creates or edits a variant product. This vulnerability is fixed in 5.5.3.
Published: 2026-03-10
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting in inventory location names
Action: Apply Patch
AI Analysis

Impact

Craft Commerce contains a stored XSS flaw in the Inventory Locations page; the Name field is output without HTML escaping, letting an attacker inject arbitrary JavaScript. When an administrator or a user with product editing rights creates or edits a variant product, the malicious script runs in the browser of any user who views the location, potentially allowing data theft, session hijacking, or defacement.

Affected Systems

The vulnerability affects all deployments of Craft Commerce for Craft CMS running any release prior to version 5.5.3. This includes all users who manage inventory locations or edit product variants.

Risk and Exploitability

The CVSS score of 4.8 indicates medium severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The flaw is not listed in CISA’s KEV catalog, implying no public knowledge of exploits. Based on the description, it is inferred that the attack vector requires an authenticated session with the permissions to edit inventory locations, typically granted to administrators or product editors. An attacker could thereby embed malicious code into the location name and cause it to execute for any subsequent viewer.

Generated by OpenCVE AI on April 16, 2026 at 03:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft Commerce to version 5.5.3 or later, which removes the insecure rendering of the Name field.
  • If custom code renders inventory names, wrap the output with proper HTML escaping, such as PHP’s htmlspecialchars, to ensure no script execution can occur.
  • Limit inventory-location editing permissions to trusted administrators and enforce least‑privilege policy to reduce the risk of malicious input from untrusted users.

Generated by OpenCVE AI on April 16, 2026 at 03:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wj89-2385-gpx3 Craft Commerce has stored XSS in Inventory Location Name
History

Wed, 11 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms craft Commerce
CPEs cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*
Vendors & Products Craftcms craft Commerce
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms
Craftcms commerce
Vendors & Products Craftcms
Craftcms commerce

Tue, 10 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Description Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, A stored XSS vulnerability exists in the Commerce Settings - Inventory Locations page. The Name field is rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript. This XSS triggers when an administrator (or user with product editing permissions) creates or edits a variant product. This vulnerability is fixed in 5.5.3.
Title Craft Commerce has Stored XSS in Inventory Location Name
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Craftcms Commerce Craft Commerce
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T20:12:39.491Z

Reserved: 2026-03-04T14:44:00.713Z

Link: CVE-2026-29176

cve-icon Vulnrichment

Updated: 2026-03-10T20:11:42.509Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T20:16:38.853

Modified: 2026-03-11T15:08:01.253

Link: CVE-2026-29176

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T03:30:06Z

Weaknesses