{"id":"CVE-2026-29177","summary":"Craft Commerce has Stored XSS in Craft Commerce Order Details Slideout","details":"Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name. When a user opens the order details slideout via a double-click on the order index page, the injected payload executes. This vulnerability is fixed in 4.10.2 and 5.5.3.","aliases":["GHSA-mj32-r678-7mvp"],"modified":"2026-04-10T05:42:28.063802Z","published":"2026-03-10T20:01:06.968Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-79"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29177.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29177.json"},{"type":"ADVISORY","url":"https://github.com/craftcms/commerce/security/advisories/GHSA-mj32-r678-7mvp"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29177"},{"type":"FIX","url":"https://github.com/craftcms/commerce/commit/b0683e04773f16bba6af9df18aab495fc5dde68a"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/craftcms/commerce","events":[{"introduced":"03fe68b8a09d05b028c510411b55af6cea6a089a"},{"fixed":"1a8afefa20ab87fe52c1da5fe347d2549b0d358d"},{"introduced":"266ccfd800264c4a0a7c22447112c097b0af7bae"},{"fixed":"00debfb9b25ac0885cb0193dcb6ef4aba0c9e07e"},{"fixed":"b0683e04773f16bba6af9df18aab495fc5dde68a"}],"database_specific":{"versions":[{"introduced":"4.0.0"},{"fixed":"4.10.2"},{"introduced":"5.0.0"},{"fixed":"5.5.3"}]}}],"versions":["5.0.0","5.0.1","5.0.10","5.0.10.1","5.0.11","5.0.11.1","5.0.12","5.0.12.1","5.0.13","5.0.14","5.0.15","5.0.16","5.0.16.1","5.0.16.2","5.0.17","5.0.18","5.0.19","5.0.2","5.0.3","5.0.4","5.0.5","5.0.6","5.0.7","5.0.8","5.0.9","5.1.0","5.1.0.1","5.1.2","5.1.3","5.1.4","5.2.0","5.2.1","5.2.10","5.2.11","5.2.12","5.2.12.1","5.2.2","5.2.2.1","5.2.3","5.2.4","5.2.5","5.2.8","5.2.9","5.2.9.1","5.3.0","5.3.0.1","5.3.0.2","5.3.1","5.3.10","5.3.11","5.3.12","5.3.13","5.3.2","5.3.2.1","5.3.2.2","5.3.3","5.3.4","5.3.5","5.3.6","5.3.7","5.3.8","5.4.0","5.4.1","5.4.1.1","5.4.10","5.4.2","5.4.3","5.4.4","5.4.5","5.4.5.1","5.4.6","5.4.7","5.4.7.1","5.4.8","5.4.9","5.5.0","5.5.0.1","5.5.1","5.5.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-29177.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}]}