CVE-2026-10769
Published: 6/3/2026
Modified: 6/3/2026
Also known as: DRUPAL-CONTRIB-2026-041
Description
The module doesn't sufficiently sanitize customer comments in the order receipt email template; this could be exploited to achieve Cross-site Scripting (XSS). This vulnerability is mitigated by the fact that it only affects installations where Checkout (`commerce_checkout`) is enabled and the "Comments" checkout pane (id: `customer_comments`), which is disabled by default, is explicitly used.
Affected packages (1)
- Packagist/drupal/commerce >= 3.3.0, < 3.3.6