craftcms/commerce

Packagist: 12 known CVEs affecting this package

Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.

CVEs affecting craftcms/commerce (page 1 of 1)
- CVE-2026-25482 | MEDIUM | CVSS 4.8 | EG 4.8 | ✓ Fixed in 5.5.2 | 2026-02-03
  vulnerable: 5.0.0 ... 5.5.1 (86 versions)
  Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The Order Status Name is rendered via JavaS…
- CVE-2026-25483 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 5.5.2 | 2026-02-03
  vulnerable: 5.0.0 ... 5.5.1 (86 versions)
  Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |m…
- CVE-2026-25484 | MEDIUM | CVSS 4.8 | EG 4.8 | ✓ Fixed in 5.5.2 | 2026-02-03
  vulnerable: 5.0.0 ... 5.5.1 (86 versions)
  Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings. The v…
- CVE-2026-25486 | MEDIUM | CVSS 4.8 | EG 4.8 | ✓ Fixed in 5.5.2 | 2026-02-03
  vulnerable: 5.0.0 ... 5.5.1 (86 versions)
  Craft Commerce is an ecommerce platform for Craft CMS. From version 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Ship…
- CVE-2026-25487 | MEDIUM | CVSS 4.8 | EG 4.8 | ✓ Fixed in 5.5.2 | 2026-02-03
  vulnerable: 5.0.0 ... 5.5.1 (86 versions)
  Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browse…
- CVE-2026-25488 | MEDIUM | CVSS 4.8 | EG 4.8 | ✓ Fixed in 5.5.2 | 2026-02-03
  vulnerable: 5.0.0 ... 5.5.1 (86 versions)
  Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s brow…
- CVE-2026-25489 | MEDIUM | CVSS 4.8 | EG 4.8 | ✓ Fixed in 5.5.2 | 2026-02-03
  vulnerable: 5.0.0 ... 5.5.1 (86 versions)
  Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s brow…
- CVE-2026-25490 | MEDIUM | CVSS 4.8 | EG 4.8 | ✓ Fixed in 5.5.2 | 2026-02-03
  vulnerable: 5.0.0 ... 5.5.1 (86 versions)
  Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s brow…
- CVE-2026-25522 | MEDIUM | CVSS 4.8 | EG 4.8 | ✓ Fixed in 5.5.2 | 2026-02-03
  vulnerable: 5.0.0 ... 5.5.1 (86 versions)
  Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s brow…
- CVE-2026-32270 | LOW | CVSS 1.7 | EG 1.7 | ✓ Fixed in 4.11.0 | 2026-04-13
  vulnerable: 4.0.0 ... 4.9.4 (70 versions)
  Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, the PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the …
- CVE-2026-32271 | HIGH | CVSS 7.7 | EG 7.7 | ✓ Fixed in 5.5.5 | 2026-04-13
  vulnerable: 5.0.0 ... 5.5.4 (89 versions)
  Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allows any authenticated control panel user …
- CVE-2026-32272 | HIGH | CVSS 8.7 | EG 8.7 | ✓ Fixed in 5.6.0 | 2026-04-13
  vulnerable: 5.0.0 ... 5.5.4 (89 versions)
  Craft Commerce is an ecommerce platform for Craft CMS. In versions 5.0.0 through 5.5.4, an SQL injection vulnerability exists where the ProductQuery::hasVariant and VariantQuery::hasProduct properties bypass the input sanitization blocklis…