Description
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Craft Commerce is vulnerable to SQL Injection in the inventory levels table data endpoint. The sort[0][direction] and sort[0][sortField] parameters are concatenated directly into an addOrderBy() clause without any validation or sanitization. An authenticated attacker with access to the Commerce Inventory section can inject arbitrary SQL queries, potentially leading to a full database compromise. This vulnerability is fixed in 5.5.3.
Published: 2026-03-10
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Patch Now
AI Analysis

Impact

Craft Commerce is vulnerable to SQL injection in the inventory levels table data endpoint. The sort[0][direction] and sort[0][sortField] request parameters are concatenated directly into an addOrderBy() clause without validation or sanitization, so an authenticated attacker can inject arbitrary SQL into the query. This can lead to exfiltration or modification of the entire database, since the injected SQL runs with the application's database privileges and can use any construct the underlying database engine supports.

Affected Systems

The flaw affects every Craft Commerce installation running a version prior to 5.5.3. The affected component is the Commerce Inventory section of the Craft CMS control panel; the product is tracked under the vendor/product identifier craftcms:commerce (CPE cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*).

Risk and Exploitability

The vulnerability carries a CVSS 4.0 base score of 8.7 (High; the CVSS 3.1 score recorded by NVD is 8.8) and an EPSS score below 1%: exploitation is straightforward for an attacker who already holds the required privileges, but the estimated probability of exploitation in the wild is low, and the flaw is not listed in the CISA Known Exploited Vulnerabilities catalog. It is still a serious issue because the SSVC assessment rates its technical impact as total. The attack path requires the attacker to be logged in to the Craft CMS control panel with permission to view the Commerce Inventory section (PR:L in the vector, so an administrator account is not required). Once those conditions are met, the unvalidated sort parameters let the attacker inject and execute arbitrary SQL.

Generated by OpenCVE AI on April 16, 2026 at 09:31 UTC.

Remediation

The vendor fix is Craft Commerce 5.5.3, as stated in the advisory description; no separate workaround is provided by the vendor.

OpenCVE Recommended Actions

  • Update to Craft Commerce 5.5.3 or later, which fixes the SQL injection.
  • Restrict the Commerce Inventory permission to trusted administrators, since the attack requires an authenticated control-panel user with access to that section.
  • If the update cannot be applied immediately, temporarily disable the inventory levels data endpoint, or validate sort[0][sortField] against an allowlist of the table's sortable column names and sort[0][direction] against exactly asc or desc before the values reach addOrderBy(); an allowlist is the correct control here, and merely rejecting non‑alphanumeric characters is a weaker stopgap.
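As an added example (not Craft Commerce's own code), the pattern the description and the validation bullet above refer to: a sort string built from sort[0][sortField] and sort[0][direction] and handed to addOrderBy(), next to a hardened form that maps the requested field through an allowlist and reduces the direction to a SORT_ASC/SORT_DESC constant. The Query stand-in, the controller-style functions, the column names and the request payload are all assumptions made for the illustration. In Yii 2 itself the risk is the same: a string passed to addOrderBy() is split into columns, but the query builder passes a column expression that contains parentheses through unquoted, so a parenthesised subquery in either parameter reaches the database.

```php
<?php
// Added illustration, not Craft Commerce's own code. It reconstructs the
// pattern the advisory describes (sort[0][sortField] and sort[0][direction]
// concatenated into addOrderBy()) next to a hardened form that only passes an
// allow-listed column plus a SORT_ASC/SORT_DESC constant. The Query stand-in,
// the column names and the request payload are constructed for illustration.
declare(strict_types=1);

// Minimal stand-in for yii\db\Query so the file runs without Yii or Craft.
// It mimics the point that matters: a string passed to addOrderBy() ends up
// in the ORDER BY clause as-is, while the array form is quoted per column.
final class Query
{
    private array $orderBy = [];

    public function addOrderBy(array|string $columns): static
    {
        $this->orderBy[] = $columns;
        return $this;
    }

    /** Render the ORDER BY clause so the effect of each form can be seen. */
    public function orderBySql(): string
    {
        $parts = [];
        foreach ($this->orderBy as $spec) {
            if (is_string($spec)) {
                $parts[] = $spec;   // raw string: whatever the caller built
                continue;
            }
            foreach ($spec as $column => $dir) {
                $parts[] = sprintf('`%s` %s', $column, $dir === SORT_DESC ? 'DESC' : 'ASC');
            }
        }
        return $parts === [] ? '' : 'ORDER BY ' . implode(', ', $parts);
    }
}

/**
 * VULNERABLE pattern (CWE-89): request values are spliced into the sort
 * string, so anything after a comma or inside parentheses reaches the DB.
 */
function vulnerableOrderBy(Query $query, array $request): Query
{
    $sort = $request['sort'][0] ?? [];
    $field = (string)($sort['sortField'] ?? 'sku');
    $direction = (string)($sort['direction'] ?? 'asc');
    return $query->addOrderBy("$field $direction");
}

/**
 * HARDENED pattern: map the requested field through an allowlist of real
 * column names and reduce the direction to one of two constants. Nothing
 * the client sends is ever used as SQL text.
 */
function hardenedOrderBy(Query $query, array $request): Query
{
    // Assumed set of sortable columns for the inventory levels table.
    $allowedColumns = [
        'sku'       => 'sku',
        'title'     => 'title',
        'available' => 'availableTotal',
        'onHand'    => 'onHandTotal',
    ];
    $sort = $request['sort'][0] ?? [];
    $requested = (string)($sort['sortField'] ?? 'sku');
    if (!array_key_exists($requested, $allowedColumns)) {
        throw new InvalidArgumentException('Unsupported sort field');
    }
    $direction = strtolower((string)($sort['direction'] ?? 'asc')) === 'desc'
        ? SORT_DESC
        : SORT_ASC;
    return $query->addOrderBy([$allowedColumns[$requested] => $direction]);
}

// Constructed request, the PHP-side shape of
// ?sort[0][sortField]=sku&sort[0][direction]=asc,(SELECT COUNT(*) FROM users)
// ("users" is an arbitrary table name chosen for the illustration).
$malicious = ['sort' => [[
    'sortField' => 'sku',
    'direction' => 'asc, (SELECT COUNT(*) FROM users)',
]]];

// Vulnerable: the subquery is emitted verbatim inside ORDER BY.
echo vulnerableOrderBy(new Query(), $malicious)->orderBySql(), PHP_EOL;

// Hardened: the direction collapses to ASC and the payload is discarded.
echo hardenedOrderBy(new Query(), $malicious)->orderBySql(), PHP_EOL;

// Hardened with a field outside the allowlist: rejected before any SQL is built.
try {
    hardenedOrderBy(new Query(), ['sort' => [['sortField' => 'password']]]);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Run it with php example.php. The allowlist keys are the only values a client can name and the map target is what ends up in the query, so the client never chooses a column name directly, and the direction can only ever become SORT_ASC or SORT_DESC.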


Advisories
Source: GitHub GHSA
ID: GHSA-pmgj-gmm4-jh6j
Title: Craft Commerce is vulnerable to SQL Injection in Commerce Inventory Table Sorting
History

Wed, 11 Mar 2026 17:00:00 +0000

Values added (nothing removed):
First Time appeared: Craftcms craft Commerce
CPEs: cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*
Vendors & Products: Craftcms craft Commerce
Metrics (cvssV3_1): {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 11 Mar 2026 12:00:00 +0000

Values added (nothing removed):
First Time appeared: Craftcms; Craftcms commerce
Vendors & Products: Craftcms; Craftcms commerce

Tue, 10 Mar 2026 21:15:00 +0000

Values added (nothing removed):
Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 20:15:00 +0000

Values added (nothing removed):
Description: Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Craft Commerce is vulnerable to SQL Injection in the inventory levels table data endpoint. The sort[0][direction] and sort[0][sortField] parameters are concatenated directly into an addOrderBy() clause without any validation or sanitization. An authenticated attacker with access to the Commerce Inventory section can inject arbitrary SQL queries, potentially leading to a full database compromise. This vulnerability is fixed in 5.5.3.
Title: Craft Commerce has a SQL Injection in Commerce Inventory Table Sorting
Weaknesses: CWE-89
References:
Metrics (cvssV4_0): {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T20:12:39.918Z

Reserved: 2026-03-04T14:44:00.713Z

Link: CVE-2026-29174

Vulnrichment

Updated: 2026-03-10T20:11:48.646Z

NVD

Status: Analyzed

Published: 2026-03-10T20:16:38.550

Modified: 2026-03-11T16:55:03.400

Link: CVE-2026-29174

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:45:31Z

Weaknesses