craftcms/commerce Security Advisories (21)
-
[MEDIUM] Craft Commerce: Coupon Code Brute-Force via Rate Limit Bypass
PKSA-8pd1-kqxv-12wq CVE-2026-55795 GHSA-h5gm-x9wr-vhcm
Affected version: >=4.0.0,<=4.11.1|>=5.0.0,<=5.6.4
Reported by:
GitHub -
[MEDIUM] Craft Commerce: Partial Payment Amount Without Lower Bound Validation
PKSA-3cyb-p9z9-9j9r GHSA-78vr-q6cf-c7p6
Affected version: >=4.0.0,<=4.11.1|>=5.0.0,<=5.6.4
Reported by:
GitHub -
[LOW] Craft Commerce has an unauthenticated information disclosure that can leak some customer order data on anonymous payments
PKSA-tnb8-k5sw-yxmk CVE-2026-32270 GHSA-3vxg-x5f8-f5qf
Affected version: >=4.0.0,<=4.10.2|>=5.0.0,<=5.5.4
Reported by:
GitHub -
[HIGH] Craft Commerce has a SQL Injection can lead to Remote Code Execution via TotalRevenue Widget
PKSA-chpm-5f12-rdnt CVE-2026-32271 GHSA-875v-7m49-8x88
Affected version: >=5.0.0,<=5.5.4|>=4.0.0,<=4.10.2
Reported by:
GitHub -
[HIGH] Craft Commerce hasVariant/hasProduct Blind SQL Injection
PKSA-nhg1-858f-sgm2 CVE-2026-32272 GHSA-r54v-qq87-px5r
Affected version: >=5.0.0,<5.6.0
Reported by:
GitHub -
[MEDIUM] Craft Commerce: Potential IDOR in Commerce carts
PKSA-c2xz-ckr6-6mky CVE-2026-31867 GHSA-vff3-pqq8-4cpq
Affected version: >=4.0.0,<4.11.0|>=5.0.0,<5.6.0
Reported by:
GitHub -
[LOW] Craft Commerce has stored XSS in Craft Commerce Order Details Slideout
PKSA-q6pp-5z96-2bd2 CVE-2026-29177 GHSA-mj32-r678-7mvp
Affected version: >=5.0.0,<=5.5.2|>=4.0.0,<=4.10.1
Reported by:
GitHub -
[MEDIUM] Craft Commerce has stored XSS in Inventory Location Name
PKSA-9385-f9kj-gpgr CVE-2026-29176 GHSA-wj89-2385-gpx3
Affected version: >=5.0.0,<=5.5.2
Reported by:
GitHub -
[HIGH] Craft Commerce has multiple Stored XSS in Commerce Inventory Page, Leading to Session Hijacking
PKSA-c2f2-bw98-42sz CVE-2026-29175 GHSA-cfpv-rmpf-f624
Affected version: >=5.0.0,<=5.5.2
Reported by:
GitHub -
[HIGH] Craft Commerce is vulnerable to SQL Injection in Commerce Inventory Table Sorting
PKSA-5vsf-cyf4-k2zs CVE-2026-29174 GHSA-pmgj-gmm4-jh6j
Affected version: >=5.0.0,<=5.5.2
Reported by:
GitHub -
[LOW] Craft Commerce is Vulnerable to Stored XSS while updating Order Status from Orders Table
PKSA-7wm1-vvyh-k91c CVE-2026-29173 GHSA-mqxf-2998-c6cp
Affected version: >=5.0.0,<=5.5.2|>=4.0.0,<=4.10.1
Reported by:
GitHub -
[HIGH] Craft Commerce is Vulnerable to SQL Injection in Commerce Purchasables Table Sorting
PKSA-hf29-t8gq-x1bd CVE-2026-29172 GHSA-j3x5-mghf-xvfw
Affected version: >=5.0.0,<=5.5.2|>=4.0.0,<=4.10.1
Reported by:
GitHub -
[MEDIUM] Craft Commerce has Stored XSS in Shipping Zone (Name & Description) Fields Leading to Potential Privilege Escalation
PKSA-y1rc-ctkn-mgyg CVE-2026-25522 GHSA-h9r9-2pxg-cx9m
Affected version: >=4.0.0-RC1,<=4.10.0|>=5.0.0-RC1,<=5.5.1
Reported by:
GitHub -
[MEDIUM] Craft Commerce has Stored XSS in Inventory Location Address Leading to Potential Privilege Escalation
PKSA-nrcm-7whq-x868 CVE-2026-25490 GHSA-wq2m-r96q-crrf
Affected version: >=4.0.0-RC1,<=4.10.0|>=5.0.0-RC1,<=5.5.1
Reported by:
GitHub -
[MEDIUM] Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation
PKSA-xfj6-h72k-yknr CVE-2026-25489 GHSA-v585-mf6r-rqrc
Affected version: >=4.0.0-RC1,<=4.10.0|>=5.0.0-RC1,<=5.5.1
Reported by:
GitHub -
[MEDIUM] Craft Commerce has Stored XSS in Tax Categories (Name & Description) Fields Leading to Potential Privilege Escalation
PKSA-gnb2-rr3g-hcdr CVE-2026-25488 GHSA-p6w8-q63m-72c8
Affected version: >=4.0.0-RC1,<=4.10.0|>=5.0.0-RC1,<=5.5.1
Reported by:
GitHub -
[MEDIUM] Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation
PKSA-twkq-s65v-3zph CVE-2026-25487 GHSA-wqc5-485v-3hqh
Affected version: >=4.0.0-RC1,<=4.10.0|>=5.0.0-RC1,<=5.5.1
Reported by:
GitHub -
[MEDIUM] Craft Commerce has Stored XSS in Shipping Methods Name Field Leading to Potential Privilege Escalation
PKSA-vyym-2rg1-mr68 CVE-2026-25486 GHSA-g92v-wpv7-6w22
Affected version: >=5.0.0-RC1,<=5.5.1
Reported by:
GitHub -
[MEDIUM] Craft Commerce has Stored XSS in Product Type Name
PKSA-tjsq-jr27-yxgb CVE-2026-25484 GHSA-2h2m-v2mg-656c
Affected version: >=4.0.0-RC1,<=4.10.0|>=5.0.0,<=5.5.1
Reported by:
GitHub -
[MEDIUM] Craft Commerce has Stored XSS via Order Status Message with potential database exfiltration
PKSA-6px2-ht8s-n19h CVE-2026-25483 GHSA-8478-rmjg-mjj5
Affected version: >=4.0.0-RC1,<=4.10.0|>=5.0.0,<=5.5.1
Reported by:
GitHub -
[MEDIUM] Craft Commerce has Stored DOM XSS in Order Status Name (Reflects in "Recent Orders" Dashboard Widget)
PKSA-m4r9-k8fn-t8bm CVE-2026-25482 GHSA-frj9-9rwc-pw9j
Affected version: >=4.0.0-RC1,<=4.10.0|>=5.0.0,<=5.5.1
Reported by:
GitHub