CVE-2026-29172

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part (column name) is passed directly as an array key to orderBy() without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an authenticated attacker to inject arbitrary SQL into the ORDER BY clause. This vulnerability is fixed in 4.10.2 and 5.5.3.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276	Patch
https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1	Patch
https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw	Exploit Vendor Advisory
https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:craftcms:craft_commerce::::::craft_cms::*
	cpe:2.3:a:craftcms:craft_commerce::::::craft_cms::*

History

11 Mar 2026, 16:54

Type	Values Removed	Values Added
References	~~() https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276 -~~	() https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276 - Patch
References	~~() https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1 -~~	() https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1 - Patch
References	~~() https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw -~~	() https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw - Exploit, Vendor Advisory
CPE		cpe:2.3:a:craftcms:craft_commerce::::::craft_cms::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8
First Time		Craftcms Craftcms craft Commerce

11 Mar 2026, 15:16

Type	Values Removed	Values Added
References	~~() https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw -~~	() https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw -

11 Mar 2026, 13:53

Type	Values Removed	Values Added
Summary		(es) Craft Commerce es una plataforma de comercio electrónico para Craft CMS. Antes de las versiones 4.10.2 y 5.5.3, Craft Commerce es vulnerable a inyecciones SQL en el punto final de la tabla de productos adquiribles. El parámetro de ordenación se divide mediante \| y la primera parte (nombre de columna) se pasa directamente como clave de matriz a orderBy() sin validación de lista blanca. El generador de consultas de Yii2 NO escapa las claves de matriz, lo que permite a un atacante autenticado inyectar SQL arbitrario en la cláusula ORDER BY. Esta vulnerabilidad se ha corregido en las versiones 4.10.2 y 5.5.3.

10 Mar 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-10 20:16

Updated : 2026-03-11 16:54

NVD link : CVE-2026-29172

Mitre link : CVE-2026-29172

CVE.ORG link : CVE-2026-29172

JSON object : View

Products Affected

craftcms

craft_commerce

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

8.8 /10