Security: craftcms/commerce
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
- Unauthenticated information disclosure in `commerce/payments/pay` can leak some customer order data on anonymous payments (GHSA-3vxg-x5f8-f5qf), published Apr 13, 2026 by angrybrad. Severity: Low
- SQL Injection can lead to Remote Code Execution via TotalRevenue Widget (GHSA-875v-7m49-8x88), published Apr 13, 2026 by angrybrad. Severity: High
- Commerce hasVariant/hasProduct Blind SQL Injection (GHSA-r54v-qq87-px5r), published Apr 13, 2026 by angrybrad. Severity: High
- Potential IDOR in Commerce carts (GHSA-vff3-pqq8-4cpq), published Mar 9, 2026 by angrybrad. Severity: Moderate
- Stored XSS in Craft Commerce Order Details Slideout (GHSA-mj32-r678-7mvp), published Mar 9, 2026 by angrybrad. Severity: Low
- Stored XSS while updating Order Status from Orders Table (GHSA-mqxf-2998-c6cp), published Mar 9, 2026 by angrybrad. Severity: Low
- SQL Injection in Commerce Purchasables Table Sorting (GHSA-j3x5-mghf-xvfw), published Mar 9, 2026 by angrybrad. Severity: High
- SQL Injection in Commerce Inventory Table Sorting (GHSA-pmgj-gmm4-jh6j), published Mar 9, 2026 by angrybrad. Severity: High
- Stored XSS in Inventory Location Name (GHSA-wj89-2385-gpx3), published Mar 9, 2026 by angrybrad. Severity: Moderate
- Multiple Stored XSS in Commerce Inventory Page Leading to Session Hijacking (GHSA-cfpv-rmpf-f624), published Mar 9, 2026 by angrybrad. Severity: High