17 matches found
CVE-2026-29174
CVE-2026-29174 : Craft Commerce (Craft CMS) is vulnerable to SQL injection in the inventory levels endpoint. The sort[0][direction] and sort[0][sortField] parameters are concatenated into addOrderBy() without validation, allowing an authenticated attacker with access to the Commerce Inventory sec...
CVE-2026-25483
Craft Commerce for Craft CMS is affected by a stored XSS in the Order Status History Message. The vulnerability arises because orderHistory.message is rendered with the |md filter, which allows raw HTML, enabling script execution that can lead to database exfiltration when a privileged user with ...
CVE-2026-25485
Craft Commerce (for Craft CMS) contains a stored XSS vulnerability in the Shipping Categories fields (Name & Description) in the admin Store Management panel. Affected versions: 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1. The issue arises from insufficient sanitization before rendering in t...
CVE-2026-25489
Craft Commerce (Craft CMS) has a stored XSS vulnerability in the Tax Zones Name and Description fields that can execute injected JavaScript in an administrator’s browser. Affected versions are 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1; the issue arises because sanitization is insufficient ...
CVE-2026-25522
Craft Commerce (for Craft CMS) has a stored XSS in the Shipping Zone (Name & Description) fields, affecting versions 4.0.0-RC1–4.10.0 and 5.0.0–5.5.1. The root cause is improper sanitization when rendering these fields in the admin panel, enabling attacker-controlled JavaScript execution in an ad...
CVE-2026-25486
CVE-2026-25486 : Craft Commerce (Craft CMS) versions 5.0.0–5.5.1 contain a stored XSS in the Shipping Methods Name field in Store Management, allowing an attacker with store settings/shipping permissions to execute malicious JavaScript in an administrator’s browser. The issue is fixed in version ...
CVE-2026-25490
CVE-2026-25490 describes a stored XSS in Craft Commerce (Craft CMS) affecting versions 4.0.0-RC1–4.10.0 and 5.0.0–5.5.1. The vulnerability stems from improper sanitization of the Address Line 1 field in Inventory Locations, allowing malicious JavaScript to run in an administrator’s browser when t...
CVE-2026-25487
CVE-2026-25487 affects Craft Commerce (Craft CMS). A stored XSS flaw exists in the Tax Rates Name field displayed in the admin Store Management panel. Affected versions are 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1. The issue enables attackers with store settings/taxes permissions to injec...
CVE-2026-25488
Craft Commerce (Craft CMS) has a stored XSS in the Tax Categories (Name & Description) fields under Store Management, affecting versions 4.0.0-RC1–4.10.0 and 5.0.0–5.5.1. Unescaped input displayed in the admin panel can execute arbitrary JavaScript in an administrator’s browser, with potential pr...
CVE-2026-31867
Craft Commerce (Craft CMS) Before versions 4.11.0 and 5.6.0, an Insecure Direct Object Reference (IDOR) vulnerability exists in the cart loading/modification flow. The CartController accepts a user-supplied 32-character cart number and loads a cart without ownership validation, allowing an attack...
CVE-2026-25484
CVE-2026-25484 affects Craft Commerce (Craft CMS) with Stored XSS in Product Type names. Versions 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allow unsanitized input in Commerce Product Type settings to be displayed in the CMS user permissions interface, enabling stored cross-site scripting....
CVE-2026-25482
Craft Commerce (Craft CMS) is affected by a stored DOM XSS in the Recent Orders dashboard widget. Versions 4.0.0-RC1–4.10.0 and 5.0.0–5.5.1 render the Order Status Name via JavaScript string concatenation without proper escaping, enabling script execution when an admin visits the dashboard. This ...
CVE-2026-29172
Craft Commerce (Craft CMS) is affected by a SQL Injection in the purchasables table sorting. Prior to versions 4.10.2 and 5.5.3, the sort parameter is split by | and the first part (column name) is used directly as an array key in orderBy() without whitelist validation, allowing an authenticated ...
CVE-2026-29177
Summary of vulnerability (CVE-2026-29177) : Craft Commerce for Craft CMS has a stored XSS flaw in the Order Details slideout. User-supplied input in fields such as the Shipping Method Name, Order Reference, or Site Name can inject JavaScript that executes when a user opens the order details via d...
CVE-2026-29173
Craft Commerce (for Craft CMS) has a stored XSS vulnerability that affects the Order Status name field when updating the status from the Commerce Orders Table. The issue occurs prior to versions 4.10.2 and 5.5.3, where the Status Name is rendered without proper escaping, enabling script execution...
CVE-2026-29175
CVE-2026-29175 affects Craft Commerce (Craft CMS). Prior to version 5.5.3, stored XSS exists on the Commerce Inventory page where Product Title, Variant Title, and Variant SKU are rendered without HTML escaping. An attacker could cause arbitrary JavaScript to run when any user (including admins) ...
CVE-2026-29176
CVE-2026-29176 affects Craft Commerce (Craft CMS). A stored XSS exists in the Commerce Settings – Inventory Locations page where the Name field is not properly HTML-escaped. The vulnerability is triggered when an administrator (or a user with product-editing permissions) creates or edits a varian...