Lucene search
K

237 matches found

Github Security Blog
Github Security Blog
added 2026/03/10 6:24 p.m.7 views

Craft Commerce has stored XSS in Craft Commerce Order Details Slideout

Summary A Stored Cross-Site Scripting XSS vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name. When a user opens the order details slideout via a double-click on the order index page, the inject...

5.4CVSS5.8AI score0.00211EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/03/10 6:23 p.m.2 views

GHSA-WJ89-2385-GPX3 Craft Commerce has stored XSS in Inventory Location Name

Summary A stored XSS vulnerability exists in the Commerce Settings - Inventory Locations page. The Name field is rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript. This XSS triggers when an administrator or user with product editing permissions creates or...

4.8CVSS6AI score0.00234EPSS
Exploits0References4
Snyk
Snyk
added 2026/03/10 6:23 p.m.2 views

Cross-site Scripting (XSS)

Overview craftcms/commerce is a Craft Commerce Affected versions of this package are vulnerable to Cross-site Scripting XSS in the rendering process of the Name field in the inventory locations table. An attacker can execute arbitrary JavaScript code by injecting malicious payloads into the Name...

4.8CVSS5.7AI score0.00234EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/03/10 6:23 p.m.4 views

Craft Commerce has stored XSS in Inventory Location Name

Summary A stored XSS vulnerability exists in the Commerce Settings - Inventory Locations page. The Name field is rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript. This XSS triggers when an administrator or user with product editing permissions creates or...

4.8CVSS6AI score0.00234EPSS
Exploits0References4Affected Software1
EUVD
EUVD
added 2026/03/10 6:23 p.m.4 views

EUVD-2026-10818

Craft Commerce has multiple Stored XSS in Commerce Inventory Page, Leading to Session Hijacking...

8.6CVSS5.8AI score0.00204EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/10 6:23 p.m.7 views

Cross-site Scripting (XSS)

Overview craftcms/commerce is a Craft Commerce Affected versions of this package are vulnerable to Cross-site Scripting XSS via the rendering of unescaped user input in the inventory management page fields. An attacker can execute arbitrary JavaScript in the context of an authenticated user's...

8.6CVSS5.7AI score0.00204EPSS
Exploits1References2
EUVD
EUVD
added 2026/03/10 6:23 p.m.12 views

EUVD-2026-10816

Craft Commerce is vulnerable to SQL Injection in Commerce Inventory Table Sorting...

8.7CVSS5.8AI score0.00436EPSS
Exploits1References3
OSV
OSV
added 2026/03/10 6:23 p.m.4 views

GHSA-PMGJ-GMM4-JH6J Craft Commerce is vulnerable to SQL Injection in Commerce Inventory Table Sorting

Summary Craft Commerce is vulnerable to SQL Injection in the inventory levels table data endpoint. The sort0direction and sort0sortField parameters are concatenated directly into an addOrderBy clause without any validation or sanitization. An authenticated attacker with access to the Commerce...

8.7CVSS6AI score0.00436EPSS
Exploits1References5
Snyk
Snyk
added 2026/03/10 6:23 p.m.3 views

SQL Injection

Overview craftcms/commerce is a Craft Commerce Affected versions of this package are vulnerable to SQL Injection in the processing of the sort0direction and sort0sortField parameters within the inventory levels table data endpoint. An attacker can execute arbitrary SQL commands by supplying craft...

8.8CVSS6.2AI score0.00436EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/03/10 6:23 p.m.6 views

Craft Commerce is vulnerable to SQL Injection in Commerce Inventory Table Sorting

Summary Craft Commerce is vulnerable to SQL Injection in the inventory levels table data endpoint. The sort0direction and sort0sortField parameters are concatenated directly into an addOrderBy clause without any validation or sanitization. An authenticated attacker with access to the Commerce...

8.8CVSS6AI score0.00436EPSS
Exploits1References5Affected Software1
EUVD
EUVD
added 2026/03/10 6:23 p.m.4 views

EUVD-2026-10814

Craft Commerce is Vulnerable to Stored XSS while updating Order Status from Orders Table...

4.8CVSS5.8AI score0.00318EPSS
Exploits1References3
Snyk
Snyk
added 2026/03/10 6:23 p.m.2 views

Cross-site Scripting (XSS)

Overview craftcms/commerce is a Craft Commerce Affected versions of this package are vulnerable to Cross-site Scripting XSS via the Name field when updating order statuses in the orders table. An attacker can execute arbitrary JavaScript code in the context of an administrator's browser by...

4.8CVSS5.7AI score0.00318EPSS
Exploits1References2
OSV
OSV
added 2026/03/10 6:23 p.m.4 views

GHSA-MQXF-2998-C6CP Craft Commerce is Vulnerable to Stored XSS while updating Order Status from Orders Table

Summary A stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. --- Proof of Concept Required Permissions - Admin access to edit/create Order...

4.8CVSS5.9AI score0.00318EPSS
Exploits1References5
OSV
OSV
added 2026/03/10 6:23 p.m.2 views

GHSA-J3X5-MGHF-XVFW Craft Commerce is Vulnerable to SQL Injection in Commerce Purchasables Table Sorting

Summary Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part column name is passed directly as an array key to orderBy without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an...

8.7CVSS5.9AI score0.00421EPSS
Exploits1References5
EUVD
EUVD
added 2026/03/10 6:23 p.m.5 views

EUVD-2026-10813

Craft Commerce is Vulnerable to SQL Injection in Commerce Purchasables Table Sorting...

8.7CVSS5.8AI score0.00421EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2026/03/10 6:23 p.m.6 views

Craft Commerce is Vulnerable to SQL Injection in Commerce Purchasables Table Sorting

Summary Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part column name is passed directly as an array key to orderBy without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an...

8.8CVSS5.9AI score0.00421EPSS
Exploits1References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/10 12:0 a.m.8 views

PT-2026-24653

An Insecure Direct Object Reference IDOR vulnerability exists in Craft Commerce’s cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character number. This vulnerability enables the takeover of shopping sessions and potential exposure of PII...

6.3CVSS5.8AI score0.00284EPSS
Exploits1References6
CNNVD
CNNVD
added 2026/03/10 12:0 a.m.7 views

Craft Commerce 跨站脚本漏洞

Craft Commerce is an e-commerce platform developed under the open-source Craft CMS framework. Versions prior to 4.10.2 and 5.5.3 of Craft Commerce contained a cross-site scripting vulnerability. This vulnerability stemmed from improper escaping of order status names during rendering, which could...

4.8CVSS5.7AI score0.00318EPSS
Exploits1References3
CNNVD
CNNVD
added 2026/03/10 12:0 a.m.8 views

Craft Commerce 跨站脚本漏洞

Craft Commerce is an e-commerce platform developed under the open-source Craft CMS framework. Versions of Craft Commerce prior to 5.5.3 contained a cross-site scripting vulnerability. This vulnerability stemmed from improper HTML escaping during the rendering of product titles, variant titles, an...

8.6CVSS5.7AI score0.00204EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/03/10 12:0 a.m.3 views

PT-2026-24629

Summary A Stored Cross-Site Scripting XSS vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name. When a user opens the order details slideout via a double-click on the order index page, the inject...

4.8CVSS5.8AI score
Exploits0References4
Rows per page
Query Builder