CVE-2026-29177 Overview
Craft Commerce, the ecommerce platform for Craft CMS, contains a Stored Cross-Site Scripting (XSS) vulnerability in the Order details functionality. Prior to versions 4.10.2 and 5.5.3, malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name fields. When an authenticated user opens the order details slideout via a double-click on the order index page, the injected payload executes in the context of the user's browser session.
Critical Impact
Authenticated attackers can inject persistent malicious scripts that execute when administrators view order details, potentially leading to session hijacking, administrative account compromise, or further attacks against the Craft CMS installation.
Affected Products
- Craft Commerce versions prior to 4.10.2 (4.x branch)
- Craft Commerce versions prior to 5.5.3 (5.x branch)
- craftcms craft_commerce (all unpatched installations)
Discovery Timeline
- 2026-03-10 - CVE-2026-29177 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-29177
Vulnerability Analysis
This Stored XSS vulnerability (CWE-79) exists within the Craft Commerce plugin's order management interface. The vulnerability stems from improper input validation and output encoding in the order details slideout panel. When order data containing the Shipping Method Name, Order Reference, or Site Name is rendered in the administrative interface, user-controlled input is not properly sanitized before being included in the HTML response.
The stored nature of this vulnerability means that malicious payloads persist in the database and execute each time an administrator views the affected order details. This creates a particularly dangerous scenario where a single injection can affect multiple administrative users over time.
Root Cause
The root cause is insufficient input sanitization and missing output encoding when rendering order-related fields in the administrative order details slideout. The application fails to properly escape special HTML characters when displaying the Shipping Method Name, Order Reference, and Site Name fields, allowing script tags and event handlers to be interpreted as executable code rather than plain text.
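The following is an added example, not code from the advisory or from Craft Commerce, that shows the bug class described above beside its fix: one renderer interpolates the three order fields into HTML verbatim, the other HTML-encodes them first. The markup, field names and the sample order are constructed assumptions; the actual patch is not reproduced here. Craft's templates are Twig, where `{{ value }}` is escaped by default and `|raw` turns that off, so the same element/attribute contexts apply there.

```python
import html

# Constructed order record. The reference carries a quote that would close an
# attribute, and the shipping method name carries a textbook script tag, so
# the difference between the two renderers is visible.
SAMPLE_ORDER = {
    "reference": 'ORD-2001" onmouseover="alert(1)',
    "shippingMethodName": "<script>alert(1)</script>",
    "siteName": "Default",
}


def render_unsafe(order: dict) -> str:
    """Interpolate raw field values into HTML.

    This is the defect class the advisory describes: whatever is stored in the
    field becomes markup in the administrator's browser.
    """
    return (
        f'<div class="order" title="{order["reference"]}">'
        f'<span class="shipping">{order["shippingMethodName"]}</span>'
        f'<span class="site">{order["siteName"]}</span>'
        f"</div>"
    )


def esc(value) -> str:
    """HTML-encode a value for both element content and attribute values.

    quote=True also encodes the double and single quote, so a value cannot
    terminate the attribute it is placed in and start an event handler.
    """
    return html.escape(str(value), quote=True)


def render_safe(order: dict) -> str:
    """Same markup, but every user-controlled value is encoded on output."""
    return (
        f'<div class="order" title="{esc(order["reference"])}">'
        f'<span class="shipping">{esc(order["shippingMethodName"])}</span>'
        f'<span class="site">{esc(order["siteName"])}</span>'
        f"</div>"
    )


if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE_ORDER))
    print("safe:  ", render_safe(SAMPLE_ORDER))
```

Encoding on output (rather than stripping on input) is the fix that survives new injection points: the stored value stays as the user entered it, and every rendering context decides how to make it inert.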
Attack Vector
The attack requires network access and low-privilege authentication to the Craft Commerce system. An attacker with the ability to modify order data (such as through a compromised account or during order creation) can inject malicious JavaScript code into vulnerable fields. The payload remains dormant until an administrator double-clicks an order on the index page to view its details, at which point the slideout panel renders the malicious content and executes the injected script.
The exploitation flow involves:
- An attacker injects malicious JavaScript into a Shipping Method Name, Order Reference, or Site Name field
- The payload is stored in the application database
- An administrator navigates to the order index page
- Upon double-clicking an order to view details, the slideout panel renders the stored payload
- The malicious script executes in the administrator's browser context
Detection Methods for CVE-2026-29177
Indicators of Compromise
- Unexpected JavaScript code or HTML tags in order-related database fields (Shipping Method Name, Order Reference, Site Name)
- Unusual script execution errors in browser console logs when viewing order details
- Reports of unexpected behavior or redirects when administrators access order management interfaces
- Audit log entries showing modifications to order fields with suspicious content patterns
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect XSS patterns in order-related API requests
- Review database records for order fields containing script tags, event handlers (onclick, onerror, etc.), or JavaScript URIs
- Monitor server logs for POST requests to order endpoints containing encoded script payloads
- Deploy Content Security Policy (CSP) headers and monitor for CSP violation reports
Monitoring Recommendations
- Enable detailed logging for all order creation and modification operations
- Configure browser-based XSS auditing and CSP reporting endpoints
- Implement automated scanning of stored order data for common XSS patterns
- Monitor for unusual administrative session activity following order detail views
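The following added example (not code from the advisory or from Craft Commerce) implements the database review called for under Detection Strategies and the automated scan of stored order data called for under Monitoring Recommendations. It checks the three fields the advisory names for script tags, event-handler attributes and JavaScript URIs. The field names, the order records and the payload strings are constructed assumptions; a real audit would feed it rows exported from the Commerce orders table.

```python
import re

# Fields the advisory names as injection points in the order details slideout.
# The column names are assumptions for this example.
VULNERABLE_FIELDS = ("shippingMethodName", "reference", "siteName")

# Patterns a review of stored order data should flag. Matching is
# case-insensitive because browsers are.
XSS_PATTERNS = {
    # An opening or closing HTML tag: "<" optionally followed by "/" and a tag name
    "html_tag": re.compile(r"<\s*/?\s*[a-z][\w-]*", re.I),
    # An event-handler attribute such as onerror= or onmouseover=
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    # A javascript: URI, which executes if the value lands in an href or src
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
}

# Constructed sample rows: one clean order, three with textbook payloads, and
# one with benign punctuation that must not be flagged.
SAMPLE_ORDERS = [
    {"id": 1001, "shippingMethodName": "Standard Ground",
     "reference": "ORD-1001", "siteName": "Default"},
    {"id": 1002, "shippingMethodName": "<script>alert(1)</script>",
     "reference": "ORD-1002", "siteName": "Default"},
    {"id": 1003, "shippingMethodName": "Express",
     "reference": "<img src=x onerror=alert(1)>", "siteName": "Default"},
    {"id": 1004, "shippingMethodName": "Express",
     "reference": "ORD-1004", "siteName": "javascript:alert(1)"},
    {"id": 1005, "shippingMethodName": "Express (2-day) <3",
     "reference": "ORD-1005-B", "siteName": "Default"},
]


def scan_value(value: str) -> list:
    """Return the names of every XSS pattern that matches the value."""
    return [name for name, rx in XSS_PATTERNS.items() if rx.search(value)]


def scan_order(order: dict) -> dict:
    """Map each vulnerable field of one order to the patterns found in it."""
    hits = {}
    for field in VULNERABLE_FIELDS:
        matched = scan_value(str(order.get(field) or ""))
        if matched:
            hits[field] = matched
    return hits


def scan_orders(orders: list) -> list:
    """Return one finding per order that has at least one suspicious field."""
    findings = []
    for order in orders:
        hits = scan_order(order)
        if hits:
            findings.append({"order_id": order["id"], "fields": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_orders(SAMPLE_ORDERS):
        print(f"order {finding['order_id']}: {finding['fields']}")
```

A hit is a reason to inspect the row and the audit trail of who last changed it, not proof of compromise; the patterns are deliberately broad, and the clean sample row with "<3" shows the kind of benign value that still passes.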
How to Mitigate CVE-2026-29177
Immediate Actions Required
- Upgrade Craft Commerce to version 4.10.2 or later (for 4.x installations)
- Upgrade Craft Commerce to version 5.5.3 or later (for 5.x installations)
- Audit existing order data for potentially malicious content in Shipping Method Name, Order Reference, and Site Name fields
- Review administrative session logs for signs of compromise
Patch Information
The vulnerability has been fixed in Craft Commerce versions 4.10.2 and 5.5.3. The patch implements proper output encoding for the affected fields when rendered in the order details slideout. Organizations should update to these versions immediately.
For detailed patch information, refer to the GitHub Commit Changes and the GitHub Security Advisory.
Workarounds
- Implement strict Content Security Policy (CSP) headers that disable inline script execution
- Restrict access to order management interfaces to trusted administrators only
- Manually sanitize suspicious order data in the database pending patch deployment
- Consider temporarily disabling the order details slideout functionality if patching is not immediately possible
# Configuration example
# Add to your web server configuration to send CSP headers.
# Note: script-src 'self' without 'unsafe-inline' blocks every inline script,
# so test the policy against the Craft control panel first, for example by
# sending it as Content-Security-Policy-Report-Only before enforcing it.

# Apache (.htaccess or httpd.conf; requires mod_headers)
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'"

# Nginx (inside the relevant server or location block)
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'";
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.