CVE-2026-29177— Craft Commerce has Stored XSS in Craft Commerce Order Details Slideout

Craft Commerce has Stored XSS in Craft Commerce Order Details Slideout

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name. When a user opens the order details slideout via a double-click on the order index page, the injected payload executes. This vulnerability is fixed in 4.10.2 and 5.5.3.

N/A

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Craft Commerce 跨站脚本漏洞

Craft Commerce是Craft CMS开源的一个电子商务平台。 Craft Commerce 4.10.2之前版本和5.5.3之前版本存在跨站脚本漏洞，该漏洞源于订单详情中Shipping Method Name、Order Reference或Site Name字段未正确过滤，可能导致存储型跨站脚本攻击。

N/A

N/A