Lucene search
+L

240 matches found

cnnvd
cnnvd
added 2026/03/10 12:0 a.m.8 views

Craft Commerce 跨站脚本漏洞

Craft Commerce is an e-commerce platform developed under the open-source Craft CMS framework. Versions of Craft Commerce prior to 5.5.3 contained a cross-site scripting vulnerability. This vulnerability stemmed from improper HTML escaping during the rendering of product titles, variant titles, an...

8.6CVSS5.7AI score0.00204EPSS
Exploits1References2
ptsecurity
ptsecurity
added 2026/03/10 12:0 a.m.6 views

PT-2026-24418

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, A stored XSS vulnerability exists in the Commerce Settings - Inventory Locations page. The Name field is rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript. This XSS triggers when an...

4.8CVSS6AI score0.00234EPSS
Exploits0References3
ptsecurity
ptsecurity
added 2026/03/10 12:0 a.m.4 views

PT-2026-24415

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. This...

4.8CVSS5.9AI score0.00318EPSS
Exploits1References4
ptsecurity
ptsecurity
added 2026/03/10 12:0 a.m.3 views

PT-2026-24629

Summary A Stored Cross-Site Scripting XSS vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name. When a user opens the order details slideout via a double-click on the order index page, the inject...

4.8CVSS5.8AI score
Exploits0References4
ptsecurity
ptsecurity
added 2026/03/10 12:0 a.m.5 views

PT-2026-24627

Summary Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part column name is passed directly as an array key to orderBy without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an...

8.7CVSS5.9AI score
Exploits0References5
cnnvd
cnnvd
added 2026/03/10 12:0 a.m.8 views

Craft Commerce 跨站脚本漏洞

Craft Commerce is an e-commerce platform developed under the open-source Craft CMS framework. Versions prior to 4.10.2 and 5.5.3 of Craft Commerce contained a cross-site scripting vulnerability. This vulnerability stemmed from improper filtering of the Shipping Method Name, Order Reference, or Si...

5.4CVSS5.7AI score0.00211EPSS
Exploits1References2
cnnvd
cnnvd
added 2026/03/10 12:0 a.m.8 views

Craft Commerce SQL注入漏洞

Craft Commerce is an e-commerce platform developed under the open-source Craft CMS framework. Versions of Craft Commerce prior to 5.5.3 contained a SQL injection vulnerability. This vulnerability stemmed from the direct concatenation of sort parameters into SQL statements without proper validatio...

8.8CVSS5.8AI score0.00436EPSS
Exploits1References3
ptsecurity
ptsecurity
added 2026/03/10 12:0 a.m.11 views

PT-2026-24416

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Craft Commerce is vulnerable to SQL Injection in the inventory levels table data endpoint. The sort0direction and sort0sortField parameters are concatenated directly into an addOrderBy clause without any validation or...

8.7CVSS6AI score0.00436EPSS
Exploits1References4
ptsecurity
ptsecurity
added 2026/03/10 12:0 a.m.4 views

PT-2026-24637

An Insecure Direct Object Reference IDOR vulnerability exists in Craft Commerce’s cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character number. This vulnerability enables the takeover of shopping sessions and potential exposure of PII...

6.3CVSS5.8AI score
Exploits0References4
cnnvd
cnnvd
added 2026/03/10 12:0 a.m.9 views

Craft Commerce SQL注入漏洞

Craft Commerce is an e-commerce platform developed under the open-source Craft CMS framework. Versions prior to 4.10.2 and 5.5.3 of Craft Commerce contained a SQL injection vulnerability. This vulnerability stemmed from the sort parameter in the purchasesables table being used directly in SQL...

8.8CVSS5.9AI score0.00421EPSS
Exploits1References3
ptsecurity
ptsecurity
added 2026/03/10 12:0 a.m.8 views

PT-2026-24653

An Insecure Direct Object Reference IDOR vulnerability exists in Craft Commerce’s cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character number. This vulnerability enables the takeover of shopping sessions and potential exposure of PII...

6.3CVSS5.8AI score0.00284EPSS
Exploits1References6
cnnvd
cnnvd
added 2026/03/10 12:0 a.m.8 views

Craft Commerce 跨站脚本漏洞

Craft Commerce is an e-commerce platform developed under the open-source Craft CMS framework. Versions of Craft Commerce prior to 5.5.3 contained a cross-site scripting vulnerability. This vulnerability stemmed from improper HTML escaping during the rendering of the Name field on the Commerce...

4.8CVSS5.7AI score0.00234EPSS
Exploits0References2
ptsecurity
ptsecurity
added 2026/03/10 12:0 a.m.10 views

PT-2026-24414

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part column name is passed directly as an array key to orderBy without whitelist...

8.7CVSS5.9AI score0.00421EPSS
Exploits1References4
veracode
veracode
added 2026/02/09 8:38 p.m.8 views

Cross-site Scripting (XSS)

craftcms/commerce is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper sanitization of the Shipping Zone name and description fields in the Store Management section, which allows an attacker to inject and execute malicious JavaScript in an administrator’s browser via th...

6.1CVSS5.6AI score0.00261EPSS
Exploits1References5Affected Software1
redhatcve
redhatcve
added 2026/02/04 7:36 p.m.5 views

CVE-2026-25490

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the 'Address Line 1' field in...

6.1CVSS5.5AI score0.00261EPSS
Exploits1References1
redhatcve
redhatcve
added 2026/02/04 7:28 p.m.3 views

CVE-2026-25482

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowi...

6.2CVSS5.5AI score0.00304EPSS
Exploits1References1
redhatcve
redhatcve
added 2026/02/04 7:28 p.m.3 views

CVE-2026-25488

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Tax Categories Name & Descripti...

6.1CVSS5.4AI score0.00261EPSS
Exploits1References1
redhatcve
redhatcve
added 2026/02/04 7:28 p.m.4 views

CVE-2026-25489

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Ta...

6.1CVSS5.4AI score0.00283EPSS
Exploits1References1
redhatcve
redhatcve
added 2026/02/04 7:28 p.m.4 views

CVE-2026-25485

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Categories Name &...

6.2CVSS5.4AI score0.00261EPSS
Exploits1References1
redhatcve
redhatcve
added 2026/02/04 7:28 p.m.3 views

CVE-2026-25522

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Zone Name & Descriptio...

6.1CVSS5.4AI score0.00261EPSS
Exploits1References1
Rows per page
Query Builder