Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Network-delivered stored XSS requires a low-privilege authenticated account (PR:L) and victim page view (UI:R); scope changes to browser context (S:C) with limited C/I impact and no availability effect.
Primary rating from Vendor (drupal).
CVSS VectorVendor: drupal
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Commerce Core allows Stored XSS. This issue affects Commerce Core versions: from 3.3.0 to 3.3.6.
AnalysisAI
Stored cross-site scripting in Drupal Commerce Core 3.3.0 through 3.3.5 allows an authenticated low-privilege attacker to inject persistent malicious scripts that execute in other users' browsers when affected pages are viewed. The scope change (S:C in the CVSS vector) confirms the payload breaks out of the application's security context into the victim's browser environment, enabling session hijacking or unauthorized UI manipulation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Drupal user account with at minimum low-level privileges (PR:L per CVSS vector) - such as a registered customer or contributor role - capable of submitting input to a Commerce Core form field that is stored and later rendered without output encoding. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 5.4 Medium score reflects a realistic but bounded threat: PR:L requires an authenticated session (a registered customer or low-privilege contributor), and UI:R demands that a second user - potentially an administrator - must view the poisoned page before the payload fires. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or compromises a low-privilege Drupal customer account on a Commerce-enabled site and submits a crafted JavaScript payload (e.g., a cookie-stealing script) into a Commerce Core input field such as a product review, order note, or custom field. The payload is stored in the database and later rendered unescaped when a site administrator reviews orders or manages content in the Drupal backend, causing the script to execute in the administrator's browser and exfiltrating their session cookie to an attacker-controlled endpoint. … |
| Remediation | Upgrade Drupal Commerce Core to version 3.3.6 or later, which is the vendor-confirmed fixed release per the EUVD affected range (Commerce Core 3.3.0 < 3.3.6). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43115
GHSA-rq79-xhrq-f62x