GHSA-mqxf-2998-c6cp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mqxf-2998-c6cp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-mqxf-2998-c6cp/GHSA-mqxf-2998-c6cp.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-mqxf-2998-c6cp
- Aliases
- Published
- 2026-03-10T18:23:17Z
- Modified
- 2026-03-13T04:22:43.729103Z
- Severity
-
- 1.9 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
- Summary
- Craft Commerce is Vulnerable to Stored XSS while updating Order Status from Orders Table
- Details
-
Summary
A stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur.
Proof of Concept
Required Permissions
- Admin access (to edit/create Order Statuses)
Steps to Reproduce
- Log in with an admin account
- Navigate to Commerce → Settings → Order Statuses
- Create a new order status
- Set the Name field to:
<img src=x onerror="alert('Order Statuses XSS')"> - Save the order status
- Go to Commerce → Orders (make sure you placed any orders)
- From the left panel, select any Order Status (e.g., New)
- Select any order from the orders table → Click on the Gear Icon → then click "Update Order Status..."
- Notice the XSS execution
- Database specific
{ "nvd_published_at": "2026-03-10T20:16:38Z", "github_reviewed_at": "2026-03-10T18:23:17Z", "cwe_ids": [ "CWE-79" ], "severity": "LOW", "github_reviewed": true }- References
-
- https://github.com/craftcms/commerce/security/advisories/GHSA-mqxf-2998-c6cp
- https://nvd.nist.gov/vuln/detail/CVE-2026-29173
- https://github.com/craftcms/commerce/commit/60cdc505c03b6fa2f59715e8c060114b66334afa
- https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b
- https://github.com/craftcms/commerce
Affected packages
Packagist / craftcms/commerce
Package
- Name
- craftcms/commerce
- Purl
- pkg:composer/craftcms/commerce
Affected versions
4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.1.0
4.1.1
4.1.2
4.1.3
4.2.0
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.5.1
4.2.6
4.2.7
4.2.8
4.2.9
4.2.10
4.2.11
4.3.0
4.3.1
4.3.2
4.3.3
4.4.0
4.4.1
4.4.1.1
4.5.0
4.5.1
4.5.1.1
4.5.2
4.5.3
4.5.4
4.6.0
4.6.1
4.6.2
4.6.3.1
4.6.4
4.6.5
4.6.6
4.6.7
4.6.8
4.6.9
4.6.10
4.6.11
4.6.12
4.6.13
4.6.14
4.7.0
4.7.1
4.7.2
4.7.3
4.8.0
4.8.0.1
4.8.1
4.8.1.1
4.8.1.2
4.8.2
4.8.3
4.8.4
4.9.0
4.9.1
4.9.2
4.9.3
4.9.4
4.10.0
4.10.1
Packagist / craftcms/commerce
Package
- Name
- craftcms/commerce
- Purl
- pkg:composer/craftcms/commerce
Affected versions
5.*
5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.0.10.1
5.0.11
5.0.11.1
5.0.12
5.0.12.1
5.0.12.2
5.0.13
5.0.14
5.0.15
5.0.16
5.0.16.1
5.0.16.2
5.0.17
5.0.18
5.0.19
5.1.0-beta.1
5.1.0-beta.2
5.1.0-beta.3
5.1.0
5.1.0.1
5.1.1
5.1.2
5.1.3
5.1.4
5.2.0
5.2.1
5.2.2
5.2.2.1
5.2.3
5.2.4
5.2.5
5.2.6
5.2.7
5.2.8
5.2.9
5.2.9.1
5.2.10
5.2.11
5.2.12
5.2.12.1
5.3.0
5.3.0.1
5.3.0.2
5.3.1
5.3.2
5.3.2.1
5.3.2.2
5.3.3
5.3.4
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9
5.3.10
5.3.11
5.3.12
5.3.13
5.4.0
5.4.1
5.4.1.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.5.1
5.4.6
5.4.7
5.4.7.1
5.4.8
5.4.9
5.4.10
5.5.0
5.5.0.1
5.5.1
5.5.2