Skip to main content

Commerce Core

1 CVEs product

Monthly

CVE-2026-10769 PHP MEDIUM PATCH This Month

Stored cross-site scripting in Drupal Commerce Core 3.3.0 through 3.3.5 allows an authenticated low-privilege attacker to inject persistent malicious scripts that execute in other users' browsers when affected pages are viewed. The scope change (S:C in the CVSS vector) confirms the payload breaks out of the application's security context into the victim's browser environment, enabling session hijacking or unauthorized UI manipulation. No active exploitation or public exploit code has been identified; EPSS of 0.16% (6th percentile) reflects low real-world exploitation probability at time of analysis.

XSS Commerce Core
NVD
CVSS 3.1
5.4
EPSS
0.2%
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored cross-site scripting in Drupal Commerce Core 3.3.0 through 3.3.5 allows an authenticated low-privilege attacker to inject persistent malicious scripts that execute in other users' browsers when affected pages are viewed. The scope change (S:C in the CVSS vector) confirms the payload breaks out of the application's security context into the victim's browser environment, enabling session hijacking or unauthorized UI manipulation. No active exploitation or public exploit code has been identified; EPSS of 0.16% (6th percentile) reflects low real-world exploitation probability at time of analysis.

XSS Commerce Core
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy