
CVE-2026-29175

HIGH | CVSS 4.0: 8.6 | EPSS 0.05%
Updated Mar 10, 2026
Craft
Parameter: Value
CVSS: 8.6 (HIGH)
Fixed In: 5.5.3
Type: CWE-79 (Cross-Site Scripting (XSS))
Vendor: Craft
Public PoC: No

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Stored XSS vulnerabilities exist in the Commerce Inventory page. The Product Title, Variant Title, and Variant SKU fields are rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript when any user (including administrators) views the inventory management page.

This vulnerability is fixed in 5.5.3.

Attack Parameters

Attack Vector: Network (can be exploited remotely)
Attack Complexity: Low (easy to exploit)
Attack Requirements: None (no additional conditions)
Privileges Required: Low (basic privileges needed)
User Interaction: Passive (minimal interaction)

Impact Assessment

Confidentiality: High (complete data leak)
Integrity: High (complete data modification)
Availability: Low (partial disruption)

CVSS Vector v4.0