Lucene search
K
CraftcmsCraft Commerce

17 matches found

CVE
CVE
added 2026/03/10 7:55 p.m.42 views

CVE-2026-29174

CVE-2026-29174 : Craft Commerce (Craft CMS) is vulnerable to SQL injection in the inventory levels endpoint. The sort[0][direction] and sort[0][sortField] parameters are concatenated into addOrderBy() without validation, allowing an authenticated attacker with access to the Commerce Inventory sec...

8.8CVSS6AI score0.00436EPSS
CVE
CVE
added 2026/02/03 6:5 p.m.21 views

CVE-2026-25483

Craft Commerce for Craft CMS is affected by a stored XSS in the Order Status History Message. The vulnerability arises because orderHistory.message is rendered with the |md filter, which allows raw HTML, enabling script execution that can lead to database exfiltration when a privileged user with ...

6.2CVSS5.4AI score0.003EPSS
CVE
CVE
added 2026/02/03 6:6 p.m.20 views

CVE-2026-25485

Craft Commerce (for Craft CMS) contains a stored XSS vulnerability in the Shipping Categories fields (Name & Description) in the admin Store Management panel. Affected versions: 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1. The issue arises from insufficient sanitization before rendering in t...

6.2CVSS5.4AI score0.00261EPSS
CVE
CVE
added 2026/02/03 6:7 p.m.20 views

CVE-2026-25489

Craft Commerce (Craft CMS) has a stored XSS vulnerability in the Tax Zones Name and Description fields that can execute injected JavaScript in an administrator’s browser. Affected versions are 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1; the issue arises because sanitization is insufficient ...

6.1CVSS5.4AI score0.00283EPSS
CVE
CVE
added 2026/02/03 6:10 p.m.20 views

CVE-2026-25522

Craft Commerce (for Craft CMS) has a stored XSS in the Shipping Zone (Name & Description) fields, affecting versions 4.0.0-RC1–4.10.0 and 5.0.0–5.5.1. The root cause is improper sanitization when rendering these fields in the admin panel, enabling attacker-controlled JavaScript execution in an ad...

6.1CVSS5.4AI score0.00261EPSS
CVE
CVE
added 2026/02/03 6:6 p.m.18 views

CVE-2026-25486

CVE-2026-25486 : Craft Commerce (Craft CMS) versions 5.0.0–5.5.1 contain a stored XSS in the Shipping Methods Name field in Store Management, allowing an attacker with store settings/shipping permissions to execute malicious JavaScript in an administrator’s browser. The issue is fixed in version ...

6.1CVSS5.4AI score0.00253EPSS
CVE
CVE
added 2026/02/03 6:9 p.m.18 views

CVE-2026-25490

CVE-2026-25490 describes a stored XSS in Craft Commerce (Craft CMS) affecting versions 4.0.0-RC1–4.10.0 and 5.0.0–5.5.1. The vulnerability stems from improper sanitization of the Address Line 1 field in Inventory Locations, allowing malicious JavaScript to run in an administrator’s browser when t...

6.1CVSS5.5AI score0.00261EPSS
CVE
CVE
added 2026/02/03 6:7 p.m.17 views

CVE-2026-25487

CVE-2026-25487 affects Craft Commerce (Craft CMS). A stored XSS flaw exists in the Tax Rates Name field displayed in the admin Store Management panel. Affected versions are 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1. The issue enables attackers with store settings/taxes permissions to injec...

6.1CVSS5.5AI score0.00261EPSS
CVE
CVE
added 2026/02/03 6:7 p.m.17 views

CVE-2026-25488

Craft Commerce (Craft CMS) has a stored XSS in the Tax Categories (Name & Description) fields under Store Management, affecting versions 4.0.0-RC1–4.10.0 and 5.0.0–5.5.1. Unescaped input displayed in the admin panel can execute arbitrary JavaScript in an administrator’s browser, with potential pr...

6.1CVSS5.4AI score0.00261EPSS
CVE
CVE
added 2026/03/11 5:52 p.m.16 views

CVE-2026-31867

Craft Commerce (Craft CMS) Before versions 4.11.0 and 5.6.0, an Insecure Direct Object Reference (IDOR) vulnerability exists in the cart loading/modification flow. The CartController accepts a user-supplied 32-character cart number and loads a cart without ownership validation, allowing an attack...

6.3CVSS5.8AI score0.00284EPSS
CVE
CVE
added 2026/02/03 6:6 p.m.14 views

CVE-2026-25484

CVE-2026-25484 affects Craft Commerce (Craft CMS) with Stored XSS in Product Type names. Versions 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allow unsanitized input in Commerce Product Type settings to be displayed in the CMS user permissions interface, enabling stored cross-site scripting....

4.8CVSS5.2AI score0.00261EPSS
CVE
CVE
added 2026/02/03 6:5 p.m.13 views

CVE-2026-25482

Craft Commerce (Craft CMS) is affected by a stored DOM XSS in the Recent Orders dashboard widget. Versions 4.0.0-RC1–4.10.0 and 5.0.0–5.5.1 render the Order Status Name via JavaScript string concatenation without proper escaping, enabling script execution when an admin visits the dashboard. This ...

6.2CVSS5.5AI score0.00304EPSS
CVE
CVE
added 2026/03/10 7:52 p.m.13 views

CVE-2026-29172

Craft Commerce (Craft CMS) is affected by a SQL Injection in the purchasables table sorting. Prior to versions 4.10.2 and 5.5.3, the sort parameter is split by | and the first part (column name) is used directly as an array key in orderBy() without whitelist validation, allowing an authenticated ...

8.8CVSS5.9AI score0.00421EPSS
CVE
CVE
added 2026/03/10 8:1 p.m.13 views

CVE-2026-29177

Summary of vulnerability (CVE-2026-29177) : Craft Commerce for Craft CMS has a stored XSS flaw in the Order Details slideout. User-supplied input in fields such as the Shipping Method Name, Order Reference, or Site Name can inject JavaScript that executes when a user opens the order details via d...

5.4CVSS5.8AI score0.00211EPSS
CVE
CVE
added 2026/03/10 7:54 p.m.12 views

CVE-2026-29173

Craft Commerce (for Craft CMS) has a stored XSS vulnerability that affects the Order Status name field when updating the status from the Commerce Orders Table. The issue occurs prior to versions 4.10.2 and 5.5.3, where the Status Name is rendered without proper escaping, enabling script execution...

4.8CVSS5.9AI score0.00318EPSS
CVE
CVE
added 2026/03/10 7:57 p.m.10 views

CVE-2026-29175

CVE-2026-29175 affects Craft Commerce (Craft CMS). Prior to version 5.5.3, stored XSS exists on the Commerce Inventory page where Product Title, Variant Title, and Variant SKU are rendered without HTML escaping. An attacker could cause arbitrary JavaScript to run when any user (including admins) ...

8.6CVSS6AI score0.00204EPSS
CVE
CVE
added 2026/03/10 7:59 p.m.10 views

CVE-2026-29176

CVE-2026-29176 affects Craft Commerce (Craft CMS). A stored XSS exists in the Commerce Settings – Inventory Locations page where the Name field is not properly HTML-escaped. The vulnerability is triggered when an administrator (or a user with product-editing permissions) creates or edits a varian...

4.8CVSS6AI score0.00234EPSS