CVE-2026-29177: Craft Commerce has stored XSS in Craft Commerce Order Details Slideout

March 10, 2026

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name. When a user opens the order details slideout via a double-click on the order index page, the injected payload executes.

References

github.com/advisories/GHSA-mj32-r678-7mvp
github.com/craftcms/commerce
github.com/craftcms/commerce/commit/b0683e04773f16bba6af9df18aab495fc5dde68a
github.com/craftcms/commerce/security/advisories/GHSA-mj32-r678-7mvp
nvd.nist.gov/vuln/detail/CVE-2026-29177

Code Behaviors & Features

Detect and mitigate CVE-2026-29177 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →