Description
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part (column name) is passed directly as an array key to orderBy() without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an authenticated attacker to inject arbitrary SQL into the ORDER BY clause. This vulnerability is fixed in 4.10.2 and 5.5.3.
Published: 2026-03-10
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Patch
AI Analysis

Impact

Craft Commerce, an ecommerce plugin for Craft CMS, is vulnerable in versions before 4.10.2 and 5.5.3 to SQL injection through the purchasables table endpoint. The sort parameter is parsed by splitting on a pipe, and the first token—intended as the column name—is inserted directly as an array key into orderBy() without any whitelist validation. Because Yii 2’s query builder does not escape array keys, an authenticated user can inject arbitrary SQL into the ORDER BY clause, enabling them to manipulate query results or extract sensitive data.

Affected Systems

Affected systems are installations of the Craft Commerce plugin for Craft CMS running any release before 4.10.2 (4.x line) or before 5.5.3 (5.x line). Site size and configuration do not change the exposure: any unpatched install is affected wherever the purchasables table endpoint is reachable by an authenticated user.

Risk and Exploitability

The CVSS v4.0 base score is 8.7 (High), with a v3.1 score of 8.8; the vector is network-reachable, low-complexity, and needs only low-privilege credentials with no user interaction (AV:N/AC:L/PR:L/UI:N). EPSS is below 1 % and the CVE is not in the CISA KEV catalog, so there is no evidence of exploitation in the wild, although the SSVC record marks the exploitation status as 'poc' and the flaw as automatable. The bug is reached through the normal web interface with any valid account that can use the purchasables endpoint, and control over an ORDER BY clause is enough for blind extraction of data from the database. Low observed exploitation tempers the risk, but the high technical impact and the existence of a proof of concept make prompt patching the right call.

Generated by OpenCVE AI on April 16, 2026 at 09:32 UTC.

Remediation

The vendor has fixed this in Craft Commerce 4.10.2 and 5.5.3 (see the description and the GHSA advisory below). No workaround is published; upgrading is the remediation.

OpenCVE Recommended Actions

  • Apply the vendor patch: upgrade Craft Commerce to version 4.10.2 or later, or 5.5.3 or later, as these releases fix the SQL injection flaw.
  • Until the upgrade lands, review who can reach the purchasables endpoint: a low-privilege authenticated account (CVSS PR:L) is sufficient to exploit this, so confirm it is not exposed to unauthenticated users and trim Commerce permissions to accounts that need them.
  • Map the sort parameter onto an explicit allowlist of sortable column names and validate the direction separately before anything reaches orderBy(); passing request-derived strings as array keys to a query builder is the pattern behind this bug and the same check blocks it elsewhere.
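The pattern the advisory describes, and the allowlist fix recommended in the actions above, as an added PHP illustration written for this page; it is not Craft Commerce or Yii code. `buildOrderBy()` is an assumed stand-in for a query builder that validates the direction (the array value) but trusts the column (the array key), quoting it only when it looks like a plain identifier and otherwise emitting it verbatim, which is the behaviour the advisory summarises as "does not escape array keys". `SORTABLE_COLUMNS`, `vulnerableOrderBy()` and `safeOrderBy()` are names chosen here, and the crafted sort value is a constructed harmless expression, not a real payload:

```php
<?php
declare(strict_types=1);

// Added illustration for this page, not Craft Commerce or Yii code.
//
// buildOrderBy() is an ASSUMED stand-in for a query builder that checks the
// direction (array value) but trusts the column (array key): a key that looks
// like a plain identifier is wrapped in backticks, while a key that already
// contains a quote character or a parenthesis is emitted verbatim. That is the
// behaviour the advisory summarises as "does not escape array keys".
function buildOrderBy(array $orderBy): string
{
    $parts = [];
    foreach ($orderBy as $column => $direction) {
        $quoted = preg_match('/[`(]/', $column) ? $column : "`{$column}`";
        $parts[] = $quoted . ($direction === SORT_DESC ? ' DESC' : ' ASC');
    }
    return 'ORDER BY ' . implode(', ', $parts);
}

// Vulnerable pattern: split "column|direction" on the pipe and hand the first
// token to orderBy() as the array key without checking it against anything.
function vulnerableOrderBy(string $sort): string
{
    [$column, $direction] = array_pad(explode('|', $sort, 2), 2, 'asc');
    $dir = strtolower($direction) === 'desc' ? SORT_DESC : SORT_ASC;
    return buildOrderBy([$column => $dir]);
}

// Hardened pattern: only column names from a fixed allowlist may reach the
// builder; anything else is a bad request, not a query. The names are
// assumptions made for this example.
const SORTABLE_COLUMNS = ['title', 'sku', 'price', 'dateCreated'];

function safeOrderBy(string $sort): string
{
    [$column, $direction] = array_pad(explode('|', $sort, 2), 2, 'asc');
    if (!in_array($column, SORTABLE_COLUMNS, true)) {
        throw new InvalidArgumentException("unsortable column: {$column}");
    }
    $dir = strtolower($direction) === 'desc' ? SORT_DESC : SORT_ASC;
    return buildOrderBy([$column => $dir]);
}

// A benign request behaves the same on either path.
echo vulnerableOrderBy('price|desc'), PHP_EOL;
echo safeOrderBy('price|desc'), PHP_EOL;

// A constructed sort value whose column token is an SQL expression passes
// through the vulnerable path verbatim and lands inside ORDER BY ...
echo vulnerableOrderBy('(SELECT 1)|asc'), PHP_EOL;

// ... while the allowlisted path rejects it before any SQL is assembled.
try {
    safeOrderBy('(SELECT 1)|asc');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run it with `php` from the command line; no database is needed because the stand-in builder only assembles the clause. The design point is that quoting at the builder is not a defence when the builder treats keys as trusted: the request value must be resolved to a known column before it is used as a key, and the direction must be reduced to a fixed constant rather than passed through as a string.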

Advisories

Source: GitHub GHSA; ID: GHSA-j3x5-mghf-xvfw; Title: Craft Commerce is Vulnerable to SQL Injection in Commerce Purchasables Table Sorting
History

Each entry lists the values added at that time; none of these changes removed values.

Wed, 11 Mar 2026 17:00:00 +0000

  • First time appeared: Craftcms craft Commerce
  • CPEs: cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*
  • Vendors & Products: Craftcms craft Commerce
  • Metrics: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 11 Mar 2026 15:15:00 +0000

  • Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

  • First time appeared: Craftcms; Craftcms commerce
  • Vendors & Products: Craftcms; Craftcms commerce

Tue, 10 Mar 2026 20:15:00 +0000

  • Description: Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part (column name) is passed directly as an array key to orderBy() without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an authenticated attacker to inject arbitrary SQL into the ORDER BY clause. This vulnerability is fixed in 4.10.2 and 5.5.3.
  • Title: Craft Commerce has a SQL Injection in Commerce Purchasables Table Sorting
  • Weaknesses: CWE-89
  • References
  • Metrics: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T14:12:53.450Z

Reserved: 2026-03-04T14:44:00.712Z

Link: CVE-2026-29172

Vulnrichment

Updated: 2026-03-11T14:12:40.847Z

NVD

Status : Analyzed

Published: 2026-03-10T20:16:38.230

Modified: 2026-03-11T16:54:15.053

Link: CVE-2026-29172

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:45:31Z

Weaknesses