CVE-2026-29173: Craft Commerce is Vulnerable to Stored XSS while updating Order Status from Orders Table
A stored XSS vulnerability exists when a user updates the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, which allows script execution.
References
- github.com/advisories/GHSA-mqxf-2998-c6cp
- github.com/craftcms/commerce
- github.com/craftcms/commerce/commit/60cdc505c03b6fa2f59715e8c060114b66334afa
- github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b
- github.com/craftcms/commerce/security/advisories/GHSA-mqxf-2998-c6cp
- nvd.nist.gov/vuln/detail/CVE-2026-29173