Skip to main content

Drupal Commerce Core CVE-2026-10769

| EUVDEUVD-2026-43115 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-10 drupal GHSA-rq79-xhrq-f62x
5.4
CVSS 3.1 · Vendor: drupal
Share

Severity by source

Vendor (drupal) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Network-delivered stored XSS requires a low-privilege authenticated account (PR:L) and victim page view (UI:R); scope changes to browser context (S:C) with limited C/I impact and no availability effect.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (drupal).

CVSS VectorVendor: drupal

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 14, 2026 - 17:31 vuln.today
CVSS changed
Jul 14, 2026 - 15:22 NVD
5.4 (MEDIUM)
Patch available
Jul 10, 2026 - 23:02 EUVD
CVE Published
Jul 10, 2026 - 21:41 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Commerce Core allows Stored XSS. This issue affects Commerce Core versions: from 3.3.0 to 3.3.6.

AnalysisAI

Stored cross-site scripting in Drupal Commerce Core 3.3.0 through 3.3.5 allows an authenticated low-privilege attacker to inject persistent malicious scripts that execute in other users' browsers when affected pages are viewed. The scope change (S:C in the CVSS vector) confirms the payload breaks out of the application's security context into the victim's browser environment, enabling session hijacking or unauthorized UI manipulation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege account
Delivery
Submit XSS payload in Commerce Core form field
Exploit
Payload persisted to Drupal database
Execution
Admin browses affected Commerce page
Persist
Malicious script executes in admin browser
Impact
Session token or credentials exfiltrated

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Drupal user account with at minimum low-level privileges (PR:L per CVSS vector) - such as a registered customer or contributor role - capable of submitting input to a Commerce Core form field that is stored and later rendered without output encoding. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 5.4 Medium score reflects a realistic but bounded threat: PR:L requires an authenticated session (a registered customer or low-privilege contributor), and UI:R demands that a second user - potentially an administrator - must view the poisoned page before the payload fires. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or compromises a low-privilege Drupal customer account on a Commerce-enabled site and submits a crafted JavaScript payload (e.g., a cookie-stealing script) into a Commerce Core input field such as a product review, order note, or custom field. The payload is stored in the database and later rendered unescaped when a site administrator reviews orders or manages content in the Drupal backend, causing the script to execute in the administrator's browser and exfiltrating their session cookie to an attacker-controlled endpoint. …
Remediation Upgrade Drupal Commerce Core to version 3.3.6 or later, which is the vendor-confirmed fixed release per the EUVD affected range (Commerce Core 3.3.0 < 3.3.6). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-10769 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy