GHSA-wj89-2385-gpx3

Source
https://github.com/advisories/GHSA-wj89-2385-gpx3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-wj89-2385-gpx3/GHSA-wj89-2385-gpx3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wj89-2385-gpx3
Aliases
Published
2026-03-10T18:23:58Z
Modified
2026-03-13T04:22:14.906826Z
Severity
  • 4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
Craft Commerce has stored XSS in Inventory Location Name
Details

Summary

A stored XSS vulnerability exists in the Commerce Settings - Inventory Locations page. The Name field is rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript.

This XSS triggers when an administrator (or user with product editing permissions) creates or edits a variant product.

Proof of Concept

Permissions Required

  • General

    • Access the control panel
    • Access Craft Commerce
  • Craft Commerce

    • Manage inventory locations

Steps to Reproduce

  1. Log in to the control panel
  2. Navigate to Commerce → Inventory Locations
  3. Create or edit a location
  4. Set Name to the following payload:
    <img src=x onerror="alert('XSS')">
    
  5. Save the location
  6. Navigate to Commerce → Products and click "New Product" and click "New product variant"
  7. The Inventory Location table loads, rendering the Inventory Location Name
  8. XSS executes

Impact

  • Potential session hijacking
  • Potential database exfiltration
  • Potential account takeover by forcing a password change on the victim’s account
  • Potential privilege escalation, or creation of new admin users

Mitigation

HTML-escape the inventory location name when rendering it in the "Track Inventory" table.
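The output escaping this mitigation calls for, as an added PHP example that is not code from Craft Commerce: it contrasts a row builder that interpolates the stored name unchanged with one that HTML-encodes it at the point of output, and adds a review helper for names that were stored before a fix was applied. The function names are assumptions; the sample input reuses the payload quoted in the proof of concept above.

```php
<?php
// Added example (not Craft Commerce's own code): vulnerable versus escaped
// rendering of an inventory location name in an HTML table row.

declare(strict_types=1);

/**
 * Escape a string for use as HTML text or attribute content.
 * ENT_QUOTES covers both quote styles so the value is also safe inside
 * attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: the stored name is dropped into the markup unchanged. */
function renderInventoryRowVulnerable(string $locationName, int $stock): string
{
    return "<tr><td>{$locationName}</td><td>{$stock}</td></tr>";
}

/** Hardened pattern: every untrusted value is escaped at the point of output. */
function renderInventoryRowEscaped(string $locationName, int $stock): string
{
    return '<tr><td>' . escapeHtml($locationName) . '</td><td>' . $stock . '</td></tr>';
}

/**
 * Defensive check for existing data: returns stored names that contain markup
 * characters or a javascript: scheme so an administrator can review locations
 * created before the fix. Legitimate names such as "Smith & Sons" will also be
 * listed; this is a review list, not an automatic block.
 */
function findSuspiciousLocationNames(array $names): array
{
    return array_values(array_filter(
        $names,
        static fn(string $n): bool => (bool) preg_match('/[<>"\'&]|javascript:/i', $n)
    ));
}

// Constructed sample data: one benign name and the payload quoted in the advisory.
$locations = [
    'Main Warehouse',
    '<img src=x onerror="alert(\'XSS\')">',
];

foreach ($locations as $name) {
    echo 'vulnerable: ' . renderInventoryRowVulnerable($name, 12) . PHP_EOL;
    echo 'escaped:    ' . renderInventoryRowEscaped($name, 12) . PHP_EOL;
}
// For the payload, the escaped row contains "&lt;img ... &gt;" as inert text,
// while the vulnerable row contains a live <img> element whose onerror handler
// the browser would execute.

print_r(findSuspiciousLocationNames($locations));
```

The same distinction applies in Twig templates: the autoescape default behaves like the escaped function, and marking an untrusted value with the `raw` filter reproduces the vulnerable one, so a review of the affected template should look for unescaped output of the name rather than for input filtering alone.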

Database specific
{
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed_at": "2026-03-10T18:23:58Z",
    "nvd_published_at": "2026-03-10T20:16:38Z"
}
References

Affected packages

Packagist / craftcms/commerce

Package

Name
craftcms/commerce
Purl
pkg:composer/craftcms/commerce

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.5.3

Affected versions

5.*
5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.0.10.1
5.0.11
5.0.11.1
5.0.12
5.0.12.1
5.0.12.2
5.0.13
5.0.14
5.0.15
5.0.16
5.0.16.1
5.0.16.2
5.0.17
5.0.18
5.0.19
5.1.0-beta.1
5.1.0-beta.2
5.1.0-beta.3
5.1.0
5.1.0.1
5.1.1
5.1.2
5.1.3
5.1.4
5.2.0
5.2.1
5.2.2
5.2.2.1
5.2.3
5.2.4
5.2.5
5.2.6
5.2.7
5.2.8
5.2.9
5.2.9.1
5.2.10
5.2.11
5.2.12
5.2.12.1
5.3.0
5.3.0.1
5.3.0.2
5.3.1
5.3.2
5.3.2.1
5.3.2.2
5.3.3
5.3.4
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9
5.3.10
5.3.11
5.3.12
5.3.13
5.4.0
5.4.1
5.4.1.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.5.1
5.4.6
5.4.7
5.4.7.1
5.4.8
5.4.9
5.4.10
5.5.0
5.5.0.1
5.5.1
5.5.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-wj89-2385-gpx3/GHSA-wj89-2385-gpx3.json"
last_known_affected_version_range
"<= 5.5.2"