GHSA-mj32-r678-7mvp

Source
https://github.com/advisories/GHSA-mj32-r678-7mvp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-mj32-r678-7mvp/GHSA-mj32-r678-7mvp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mj32-r678-7mvp
Aliases
Published
2026-03-10T18:24:18Z
Modified
2026-03-13T04:22:14.771080Z
Severity
  • 1.9 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
Summary
Craft Commerce has stored XSS in Craft Commerce Order Details Slideout
Details

Summary

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name. When a user opens the order details slideout via a double-click on the order index page, the injected payload executes.

Reproduction Steps

  1. Navigate to Commerce -> Store Management -> Shipping Methods.
  2. Click "New Shipping Method".
  3. In the Name field, enter the following XSS payload:
    <img src=x onerror=alert('XSS_Shipping')>
  4. Save the Shipping Method.
  5. Place a new order or edit an existing order.
  6. Set the order's Shipping Method to the one created in the previous steps.
  7. Navigate to the Orders index page (/admin/commerce/orders).
  8. Double-click the target order to open the details slideout.
  9. Result: The XSS payload executes.
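The rendering defect behind the steps above, shown as an added JavaScript example that is not Craft Commerce's code: a slideout built by string-concatenating stored order fields beside the same slideout built with HTML escaping, run over a constructed order whose shipping method name is the advisory's payload. The function names, the order object's field names and the audit helper are assumptions, not the plugin's API.

```javascript
// Added example, not Craft Commerce code. Demonstrates why CWE-79 occurs when
// stored fields (shipping method name, order reference, site name) are placed
// into control panel markup without escaping, and what the hardened form looks like.

// HTML-escape a value so the browser renders it as text, never as markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (hypothetical): raw stored values interpolated into HTML.
function renderOrderSlideoutUnsafe(order) {
  return "<dl>" +
    "<dt>Reference</dt><dd>" + order.reference + "</dd>" +
    "<dt>Shipping method</dt><dd>" + order.shippingMethodName + "</dd>" +
    "<dt>Site</dt><dd>" + order.siteName + "</dd>" +
    "</dl>";
}

// Hardened pattern: every attacker-influenced field is escaped before insertion.
function renderOrderSlideout(order) {
  return "<dl>" +
    "<dt>Reference</dt><dd>" + escapeHtml(order.reference) + "</dd>" +
    "<dt>Shipping method</dt><dd>" + escapeHtml(order.shippingMethodName) + "</dd>" +
    "<dt>Site</dt><dd>" + escapeHtml(order.siteName) + "</dd>" +
    "</dl>";
}

// Defensive audit helper (hypothetical): return stored names that contain
// HTML-significant characters, so an operator can review them after upgrading.
function auditStoredNames(names) {
  return names.filter((name) => /[<>]/.test(name));
}

// Constructed sample order; the shipping method name is the advisory's payload.
const sampleOrder = {
  reference: "ORDER-1001",
  shippingMethodName: "<img src=x onerror=alert('XSS_Shipping')>",
  siteName: "Default",
};
```

In the unsafe output the stored name survives as a live `<img>` element with an event handler, which is exactly what a double-click on the order index triggers; in the hardened output it is inert text.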
Database specific
{
    "github_reviewed": true,
    "severity": "LOW",
    "github_reviewed_at": "2026-03-10T18:24:18Z",
    "nvd_published_at": "2026-03-10T20:16:39Z",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Packagist / craftcms/commerce

Package

Name
craftcms/commerce
Purl
pkg:composer/craftcms/commerce

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.10.2

Affected versions

4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.1.0
4.1.1
4.1.2
4.1.3
4.2.0
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.5.1
4.2.6
4.2.7
4.2.8
4.2.9
4.2.10
4.2.11
4.3.0
4.3.1
4.3.2
4.3.3
4.4.0
4.4.1
4.4.1.1
4.5.0
4.5.1
4.5.1.1
4.5.2
4.5.3
4.5.4
4.6.0
4.6.1
4.6.2
4.6.3.1
4.6.4
4.6.5
4.6.6
4.6.7
4.6.8
4.6.9
4.6.10
4.6.11
4.6.12
4.6.13
4.6.14
4.7.0
4.7.1
4.7.2
4.7.3
4.8.0
4.8.0.1
4.8.1
4.8.1.1
4.8.1.2
4.8.2
4.8.3
4.8.4
4.9.0
4.9.1
4.9.2
4.9.3
4.9.4
4.10.0
4.10.1

Database specific

last_known_affected_version_range
"<= 4.10.1"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-mj32-r678-7mvp/GHSA-mj32-r678-7mvp.json"

Packagist / craftcms/commerce

Package

Name
craftcms/commerce
Purl
pkg:composer/craftcms/commerce

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.5.3

Affected versions

5.*
5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.0.10.1
5.0.11
5.0.11.1
5.0.12
5.0.12.1
5.0.12.2
5.0.13
5.0.14
5.0.15
5.0.16
5.0.16.1
5.0.16.2
5.0.17
5.0.18
5.0.19
5.1.0-beta.1
5.1.0-beta.2
5.1.0-beta.3
5.1.0
5.1.0.1
5.1.1
5.1.2
5.1.3
5.1.4
5.2.0
5.2.1
5.2.2
5.2.2.1
5.2.3
5.2.4
5.2.5
5.2.6
5.2.7
5.2.8
5.2.9
5.2.9.1
5.2.10
5.2.11
5.2.12
5.2.12.1
5.3.0
5.3.0.1
5.3.0.2
5.3.1
5.3.2
5.3.2.1
5.3.2.2
5.3.3
5.3.4
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9
5.3.10
5.3.11
5.3.12
5.3.13
5.4.0
5.4.1
5.4.1.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.5.1
5.4.6
5.4.7
5.4.7.1
5.4.8
5.4.9
5.4.10
5.5.0
5.5.0.1
5.5.1
5.5.2

Database specific

last_known_affected_version_range
"<= 5.5.2"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-mj32-r678-7mvp/GHSA-mj32-r678-7mvp.json"