CVE-2026-29176: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in craftcms commerce
CVE-2026-29176 is a stored cross-site scripting (XSS) vulnerability in Craft Commerce versions prior to 5.5.3, affecting the Inventory Locations page. The vulnerability arises because the Name field is not properly HTML-escaped, allowing attackers to inject arbitrary JavaScript. This malicious script executes when an administrator or user with product editing permissions creates or edits a variant product. Exploitation requires authenticated access with elevated privileges and some user interaction. The vulnerability has a CVSS score of 4.8, indicating medium severity. No known exploits are currently reported in the wild. The issue is fixed in Craft Commerce version 5.5.3.
AI Analysis
Technical Summary
CVE-2026-29176 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79 that affects Craft Commerce, an ecommerce platform built on Craft CMS. The vulnerability exists in the Commerce Settings - Inventory Locations page, specifically in the handling of the Name field. Prior to version 5.5.3, this field is rendered without proper HTML escaping, which allows an attacker to store malicious JavaScript in the location name. When an administrator or a user with product editing permissions creates or edits a variant product, the page that lists inventory locations renders the stored name unescaped and the injected script executes in their browser context. This can lead to unauthorized actions such as session hijacking, privilege escalation, or manipulation of the CMS interface. The vulnerability requires the attacker to have authenticated access with elevated permissions (to write the location name) and some user interaction by the victim to trigger the payload. The CVSS 4.0 vector indicates the attack is network exploitable (AV:N), requires low attack complexity (AC:L), high privileges (PR:H), and user interaction (UI:P), and has limited scope and impact confined to the component. The vulnerability affects Craft Commerce versions from 4.0.0 up to but not including 4.10.2, and from 5.0.0 up to but not including 5.5.3. The issue was publicly disclosed on March 10, 2026, and no known exploits have been reported in the wild. The vendor fixed the vulnerability in version 5.5.3 by implementing proper HTML escaping on the affected input fields.
Potential Impact
The primary impact of this vulnerability is the potential execution of arbitrary JavaScript code within the browser of an authenticated user with product editing permissions. This can lead to session hijacking, unauthorized actions within the CMS, theft of sensitive data, or manipulation of ecommerce product information. While the vulnerability requires elevated privileges and user interaction, it can still be leveraged by malicious insiders or attackers who have compromised lower-level accounts. Organizations relying on Craft Commerce for their ecommerce operations may face risks to data integrity and confidentiality, potentially affecting customer trust and business operations. The scope is limited to users with editing rights, reducing the risk to general users or customers. However, successful exploitation could facilitate further attacks or unauthorized changes to product inventory and pricing. Given the medium CVSS score and the requirement for authentication, the overall risk is moderate but should not be underestimated in environments with multiple administrators or editors.
Mitigation Recommendations
Organizations should upgrade Craft Commerce to version 5.5.3 or later, where the vulnerability is patched with proper HTML escaping. Until an upgrade is possible, administrators should restrict product editing permissions to trusted users only and monitor for suspicious activity on the Inventory Locations page. Implementing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regularly auditing user permissions and employing multi-factor authentication (MFA) for administrative accounts can reduce the risk of compromised credentials being used to exploit this vulnerability. Additionally, security teams should review logs for unusual behavior around variant product edits and consider deploying web application firewalls (WAFs) with rules targeting XSS payloads. Educating administrators about the risk of executing untrusted input and encouraging cautious handling of product data can further reduce exploitation chances.
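The example below is added here and is not Craft Commerce's own code (Craft renders its control panel with Twig, and the real fix is server-side escaping); it contrasts an unescaped rendering of an inventory location name with an escaped one, and adds an audit helper that flags stored location names containing markup so that a site can check its data after upgrading. The `renderLocationOption*` and `auditLocationNames` names and the sample location records are assumptions for illustration.

```javascript
// Added example (not Craft Commerce code): shows why an unescaped Name field becomes
// stored XSS when it is rendered on the variant edit page, and what the fix looks like.

// Minimal HTML escaper covering the five characters that can change markup context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (illustrative): the stored name is concatenated straight into
// HTML, so any markup in the name becomes part of the page for whoever opens a variant.
function renderLocationOptionUnsafe(location) {
  return `<option value="${location.id}">${location.name}</option>`;
}

// Hardened pattern: every interpolated value is escaped for the HTML context it lands in.
function renderLocationOptionSafe(location) {
  return `<option value="${escapeHtml(location.id)}">${escapeHtml(location.name)}</option>`;
}

// Post-upgrade hygiene check: returns the ids of stored location names that contain
// characters which were interpreted as markup before the fix. Escaping now neutralises
// them, but a location name containing a tag is not legitimate data and should be reviewed.
function auditLocationNames(locations) {
  const markup = /[<>"'&]/;
  return locations.filter((loc) => markup.test(loc.name)).map((loc) => loc.id);
}

// Constructed sample data, not taken from any real instance.
const sampleLocations = [
  { id: 1, name: "Main Warehouse" },
  { id: 2, name: "Annex <script>x</script>" },
];
```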
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, Netherlands, France, Sweden, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-04T14:44:00.713Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b07bba2f860ef943b24cd3
Added to database: 3/10/2026, 8:14:50 PM
Last enriched: 3/10/2026, 8:30:24 PM
Last updated: 3/10/2026, 10:03:56 PM