Craft Commerce has stored XSS in Inventory Location Name

Description

Summary

A stored XSS vulnerability exists in the Commerce Settings - Inventory Locations page. The Name field is rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript.

This XSS triggers when an administrator (or user with product editing permissions) creates or edits a variant product.

Proof of Concept

Permissions Required

  • General

    • Access the control panel
    • Access Craft Commerce
  • Craft Commerce

    • Manage inventory locations

Steps to Reproduce

  1. Log in to the control panel
  2. Navigate to Commerce → Inventory Locations
  3. Create or edit a location
  4. Set Name to the following payload:
    html <img src=x onerror="alert('XSS')">
  5. Save the location
  6. Navigate to Commerce → Products and click "New Product" and click "New product variant"
  7. The Inventory Location table loads, rendering the Inventory Location Name
  8. XSS executes

Impact

  • Potential Session Hijacking
  • Potential Database Exfiltration
  • Potential Account Takeover by forcing a password change on the victim’s account.
  • Potential Privilege escalation, or creating new admin users.

Mitigation

Sanitize the inventory location name field when rendering in the "Track Inventory" table.

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-03-10 18:23:58 UTC
Updated
2026-03-10 22:55:35 UTC
GitHub reviewed
2026-03-10 18:23:58 UTC
NVD published
2026-03-10

EPSS Score

Score Percentile
0.01% 0.83%

CVSS Scores

Base score Version Severity Vector
4.8 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:N)
No additional preconditions are required beyond normal reachability.
Privileges required (PR:L)
Low privileges are required.
User interaction (UI:A)
User interaction is required in an active way.
Vulnerable system confidentiality impact (VC:L)
Limited confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:L)
Limited integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:N)
No availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:N)
No confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:N)
No integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.

Identifiers

CWEs

CWE id Name
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Credits

  • mHe4am (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
composer craftcms/commerce >= 5.0.0, <= 5.5.2 5.5.3

References

cvelogic Threat Intelligence