GHSA-WJ89-2385-GPX3
Vulnerability from github – Published: 2026-03-10 18:23 – Updated: 2026-03-10 22:55
Summary
Craft Commerce has stored XSS in Inventory Location Name
Details
Summary
A stored XSS vulnerability exists in the Commerce Settings - Inventory Locations page. The Name field is rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript.
This XSS triggers when an administrator (or user with product editing permissions) creates or edits a variant product.
Proof of Concept
Permissions Required
- General
  - Access the control panel
  - Access Craft Commerce
- Craft Commerce
  - Manage inventory locations
Steps to Reproduce
1. Log in to the control panel
2. Navigate to Commerce → Inventory Locations
3. Create or edit a location
4. Set Name to the following payload:
   ```html
   <img src=x onerror="alert('XSS')">
   ```
5. Save the location
6. Navigate to Commerce → Products, click "New Product", then click "New product variant"
7. The Inventory Location table loads, rendering the Inventory Location Name
8. XSS executes
Impact
- Potential Session Hijacking
- Potential Database Exfiltration
- Potential Account Takeover by forcing a password change on the victim’s account.
- Potential Privilege escalation, or creating new admin users.
Mitigation
Sanitize the inventory location name field when rendering in the "Track Inventory" table.
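The mitigation in one picture, as an added example that is not Craft Commerce's own code: a location name concatenated straight into table markup (the vulnerable pattern) next to the same row built with output escaping. The sample locations, the `escapeHtml` helper and the string-returning renderers are all constructed here for illustration; the real fix lives in Craft's templates, not in this snippet.

```javascript
// Added example (not Craft Commerce's own code). Both renderers return the
// HTML string that would be inserted into the "Track Inventory" table, so the
// difference between raw concatenation and escaped output is visible and testable.

// Constructed sample data: one benign name and one carrying the advisory's payload.
const SAMPLE_LOCATIONS = [
  { id: 1, name: 'Main Warehouse' },
  { id: 2, name: '<img src=x onerror="alert(\'XSS\')">' },
];

// Minimal HTML escaper, safe for text nodes and double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the stored name is dropped into markup unchanged.
function renderRowUnsafe(location) {
  return `<tr><td>${location.name}</td></tr>`;
}

// Hardened pattern: the untrusted value is escaped at the point of output.
function renderRowSafe(location) {
  return `<tr><td>${escapeHtml(location.name)}</td></tr>`;
}

function renderTable(locations, renderRow) {
  return `<table>${locations.map(renderRow).join('')}</table>`;
}

// Reviewer check over rendered output: did a raw tag from the input survive
// into the markup verbatim? True means the value was not escaped.
function containsRawTag(html, name) {
  return /<[a-z]/i.test(name) && html.includes(name);
}
```

In a Twig template the equivalent of `renderRowSafe` is leaving autoescaping on, or applying the `e` filter to the name, rather than marking it as raw.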
Severity
{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.5.2"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/commerce"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-29176"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-10T18:23:58Z",
    "nvd_published_at": "2026-03-10T20:16:38Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\nA stored XSS vulnerability exists in the Commerce Settings - Inventory Locations page. The **Name** field is rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript.\n\nThis XSS triggers when an administrator (or user with product editing permissions) creates or edits a variant product.\n\n## Proof of Concept\n\n### Permissions Required\n- General\n - Access the control panel\n - Access Craft Commerce\n\n- Craft Commerce\n - Manage inventory locations\n\n### Steps to Reproduce\n\n1. Log in to the control panel\n2. Navigate to **Commerce \u2192 Inventory Locations**\n3. Create or edit a location\n4. Set **Name** to the following payload:\n ```html\n \u003cimg src=x onerror=\"alert(\u0027XSS\u0027)\"\u003e\n ```\n5. Save the location\n6. Navigate to **Commerce \u2192 Products** and click \"New Product\" and click \"New product variant\"\n7. The Inventory Location table loads, rendering the **Inventory Location Name**\n8. XSS executes\n\n## Impact\n- Potential Session Hijacking\n- Potential Database Exfiltration\n- Potential Account Takeover by forcing a password change on the victim\u2019s account.\n- Potential Privilege escalation, or creating new admin users.\n\n## Mitigation\nSanitize the inventory location name field when rendering in the \"Track Inventory\" table.",
  "id": "GHSA-wj89-2385-gpx3",
  "modified": "2026-03-10T22:55:31Z",
  "published": "2026-03-10T18:23:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-wj89-2385-gpx3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29176"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/commerce/commit/da143df084563ddf0929d7c261bcc11d312e8004"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/commerce"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Craft Commerce has stored XSS in Inventory Location Name"
}