CVE-2026-29176 MEDIUM

CVE-2026-29176: Craft Commerce has Stored XSS in Inventory Location Name

Vendor Craftcms

Product commerce

Weakness CWE-79 · XSS

Published March 10, 2026

Last update March 10, 2026

View on NVD All CVEs

CVSS base score

4.8/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, A stored XSS vulnerability exists in the Commerce Settings - Inventory Locations page. The Name field is rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript. This XSS triggers when an administrator (or user with product editing permissions) creates or edits a variant product. This vulnerability is fixed in 5.5.3.

Key dates

02Disclosure timeline

March 10, 2026 CVE published

March 10, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-29176 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

Identifiers

CVE CVE-2026-29176

CWE CWE-79

CVSS 4.8 / MEDIUM

Affected versions

Vendor Craftcms

Product commerce

Affected >= 4.0.0 < 4.10.2

Vendor Craftcms

Product commerce

Affected >= 5.0.0 < 5.5.3

CVE-2026-29176: Craft Commerce has Stored XSS in Inventory Location Name

01Description

02Disclosure timeline

03References

04Related CVE