craftcms/commerce Security Advisories for 5.5.2 (7)
-
[MEDIUM] Craft Commerce: Potential IDOR in Commerce carts
PKSA-c2xz-ckr6-6mky CVE-2026-31867 GHSA-vff3-pqq8-4cpq
Affected version: >=4.0.0,<4.11.0|>=5.0.0,<5.6.0
Reported by:
GitHub -
[LOW] Craft Commerce has stored XSS in Craft Commerce Order Details Slideout
PKSA-q6pp-5z96-2bd2 CVE-2026-29177 GHSA-mj32-r678-7mvp
Affected version: >=5.0.0,<=5.5.2|>=4.0.0,<=4.10.1
Reported by:
GitHub -
[MEDIUM] Craft Commerce has stored XSS in Inventory Location Name
PKSA-9385-f9kj-gpgr CVE-2026-29176 GHSA-wj89-2385-gpx3
Affected version: >=5.0.0,<=5.5.2
Reported by:
GitHub -
[HIGH] Craft Commerce has multiple Stored XSS in Commerce Inventory Page, Leading to Session Hijacking
PKSA-c2f2-bw98-42sz CVE-2026-29175 GHSA-cfpv-rmpf-f624
Affected version: >=5.0.0,<=5.5.2
Reported by:
GitHub -
[HIGH] Craft Commerce is vulnerable to SQL Injection in Commerce Inventory Table Sorting
PKSA-5vsf-cyf4-k2zs CVE-2026-29174 GHSA-pmgj-gmm4-jh6j
Affected version: >=5.0.0,<=5.5.2
Reported by:
GitHub -
[LOW] Craft Commerce is Vulnerable to Stored XSS while updating Order Status from Orders Table
PKSA-7wm1-vvyh-k91c CVE-2026-29173 GHSA-mqxf-2998-c6cp
Affected version: >=5.0.0,<=5.5.2|>=4.0.0,<=4.10.1
Reported by:
GitHub -
[HIGH] Craft Commerce is Vulnerable to SQL Injection in Commerce Purchasables Table Sorting
PKSA-hf29-t8gq-x1bd CVE-2026-29172 GHSA-j3x5-mghf-xvfw
Affected version: >=5.0.0,<=5.5.2|>=4.0.0,<=4.10.1
Reported by:
GitHub