DRUPAL-CONTRIB-2026-041

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/commerce/DRUPAL-CONTRIB-2026-041.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-041
Aliases
  • CVE-2026-10769
Published
2026-06-03T16:13:55Z
Modified
2026-06-03T19:45:06.717927858Z
Summary
[none]
Details

The module doesn't sufficiently sanitize customer comments in the order receipt email template; this could be exploited to achieve Cross-site Scripting (XSS).

This vulnerability is mitigated by the fact that it only affects installations where the Checkout module (commerce_checkout) is enabled and the "Comments" checkout pane (id: customer_comments), which is disabled by default, is explicitly in use.

References
Credits

Affected packages

Packagist: https://packages.drupal.org/8 / drupal/commerce

Package

Name
drupal/commerce
Purl
pkg:composer/drupal%2Fcommerce

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.3.0
Fixed
3.3.6
Database specific
{
    "constraint": ">= 3.3.0 < 3.3.6"
}

Database specific

affected_versions
">= 3.3.0 < 3.3.6"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/commerce/DRUPAL-CONTRIB-2026-041.json"