CVE-2026-29176: Craft Commerce has stored XSS in Inventory Location Name

March 10, 2026

A stored XSS vulnerability exists in the Commerce Settings - Inventory Locations page. The Name field is rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript.

This XSS triggers when an administrator (or user with product editing permissions) creates or edits a variant product.

References

github.com/advisories/GHSA-wj89-2385-gpx3
github.com/craftcms/commerce
github.com/craftcms/commerce/commit/da143df084563ddf0929d7c261bcc11d312e8004
github.com/craftcms/commerce/security/advisories/GHSA-wj89-2385-gpx3
nvd.nist.gov/vuln/detail/CVE-2026-29176

Code Behaviors & Features

Detect and mitigate CVE-2026-29176 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →