CVE-2026-29175 is a stored Cross-site Scripting (XSS) vulnerability classified under CWE-79 affecting Craft Commerce, an ecommerce platform integrated with Craft CMS. The vulnerability exists in versions 5.0.0 through 5.5.2 inclusive. Specifically, the issue arises on the Commerce Inventory page where user-controllable fields—Product Title, Variant Title, and Variant SKU—are rendered without proper HTML escaping. This improper neutralization of input during web page generation allows an attacker to inject arbitrary JavaScript code into these fields. When an authorized user, including administrators, views the inventory management page, the malicious script executes in their browser context. This can lead to session hijacking, unauthorized actions, or further exploitation within the affected environment. The vulnerability does not require authentication to inject the payload but does require that a user views the infected page, implying user interaction is necessary for exploitation. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), user interaction required (UI:P), and high impact on confidentiality and integrity (VC:H, VI:H). The vulnerability was publicly disclosed on March 10, 2026, and fixed in version 5.5.3 of Craft Commerce. No known exploits have been reported in the wild to date.

The impact of CVE-2026-29175 is significant for organizations using vulnerable versions of Craft Commerce. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of users viewing the inventory page, including administrators. This can lead to theft of session cookies, enabling account takeover, unauthorized changes to ecommerce data, or pivoting to other internal systems. The compromise of administrative accounts could result in manipulation of product listings, pricing, or inventory data, potentially causing financial loss and reputational damage. Additionally, attackers could use this vector to deploy further malware or conduct phishing attacks targeting internal users. Given the ecommerce context, the confidentiality and integrity of sensitive business data are at high risk. Although availability impact is low, the overall disruption to business operations and trust can be substantial. The vulnerability’s ease of exploitation combined with high impact on confidentiality and integrity justifies its high severity rating.

To mitigate CVE-2026-29175, organizations should immediately upgrade Craft Commerce to version 5.5.3 or later, where the vulnerability is patched by proper HTML escaping of user input fields. Until patching is possible, implement strict input validation and sanitization on all user-controllable fields related to product and variant information to prevent injection of malicious scripts. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers. Limit administrative access to the inventory management page to trusted personnel and monitor logs for suspicious input patterns or unusual activity. Educate users, especially administrators, about the risks of clicking on unexpected links or viewing untrusted content within the platform. Regularly audit and review ecommerce platform configurations and user permissions to minimize attack surface. Finally, maintain up-to-date backups and incident response plans to quickly recover from potential compromises.