CVE-2026-10769

描述

The module doesn't sufficiently sanitize customer comments in the order receipt email template; this could be exploited to achieve Cross-site Scripting (XSS). This vulnerability is mitigated by the fact that it only affects installations with Checkout (`commerce_checkout`) enabled, and the "Comments" checkout pane (id: `customer_comments`) is explicitly used, which is disabled by default.

受影響套件(1)

• Packagist/drupal/commerce>= 3.3.0, < 3.3.6

參考連結(1)

• WEBhttps://www.drupal.org/sa-contrib-2026-041