Description
Craft Commerce is an ecommerce platform for Craft CMS. In versions 5.0.0 through 5.5.4, an SQL injection vulnerability exists where the ProductQuery::hasVariant and VariantQuery::hasProduct properties bypass the input sanitization blocklist added to ElementIndexesController in a prior security fix (GHSA-2453-mppf-46cj). The blocklist only strips top-level Yii2 Query properties such as where and orderBy, but hasVariant and hasProduct pass through untouched and internally call Craft::configure() on a subquery without sanitization, re-introducing SQL injection. Any authenticated control panel user can exploit this via boolean-based blind SQL injection to extract arbitrary database contents, including security keys that enable forging admin sessions for privilege escalation. This issue has been fixed in version 5.6.0.
Published: 2026-04-13
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a blind SQL injection in Craft Commerce versions 5.0.0 through 5.5.4. The ProductQuery::hasVariant and VariantQuery::hasProduct properties bypass the blocklist applied to ElementIndexesController, causing an unsanitized subquery to be executed. Any authenticated control‑panel user can send crafted boolean queries that return true or false, allowing extraction of arbitrary database content, including secret security keys that can be used to forge administrative sessions and gain elevated privileges.

Affected Systems

Affected systems include all installations of Craft Commerce by craftcms (vendor/product pair craftcms:commerce) running versions 5.0.0 through 5.5.4. The issue was remediated in the 5.6.0 release, which removes the unsanitized path and applies proper query sanitization. Users should verify that their environment is upgraded to at least version 5.6.0 to eliminate the vulnerability.

Risk and Exploitability

The CVSS base score of 8.7 indicates high severity, and the absence of an EPSS score suggests that public data about exploit usage is not yet available. The vulnerability is not listed in the CISA KEV catalog, implying no known public exploitation yet, but its exploitation requires only an authenticated control-panel user. Because it permits extraction of sensitive database values and possible session forging, the risk is significant. Administrators should assume the likelihood of exploitation is real, especially where control-panel accounts are widely issued or any control-panel credentials may already be compromised.

Generated by OpenCVE AI on April 13, 2026 at 21:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft Commerce to version 5.6.0 or later, which removes the vulnerable query paths.
  • Confirm that the upgrade applied successfully by checking the deployed version number.
  • Review and tighten control‑panel access, ensuring only trusted administrators can log in.
  • Enable multi-factor authentication on the control‑panel to reduce the risk of credential compromise.
  • Patch any custom code or plugins that may interact with ProductQuery or VariantQuery to avoid legacy injection paths.
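The second recommended action is to confirm the deployed version. The following Python script is an added example for this record, not OpenCVE's or Craft's own tooling: it reads a Composer lock file, finds the craftcms/commerce package, and reports whether the installed version falls inside the affected range the advisory gives (5.0.0 through 5.5.4, fixed in 5.6.0). The sample lock content is constructed inline; the pre-release handling (a 5.6.0 pre-release is conservatively flagged as still affected) is this example's own choice, not something the advisory states.

```python
"""Check composer.lock for a craftcms/commerce version affected by CVE-2026-32272.

Affected range per the advisory: 5.0.0 <= version < 5.6.0.
Added example for this page; not OpenCVE's or Craft CMS's own code.
Assumption: lock-file versions look like "5.5.4", "v5.5.4" or "5.6.0-beta.1".
"""
import json
import re

PACKAGE = "craftcms/commerce"

# Versions are compared as (major, minor, patch, is_final). A pre-release of
# 5.6.0 gets is_final=0 and therefore sorts below the final 5.6.0 release, so it
# is still reported as affected (conservative choice made by this example).
AFFECTED_MIN = (5, 0, 0, 0)
FIXED = (5, 6, 0, 1)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(.*)$")


def parse_version(text):
    """Turn '5.5.4' / 'v5.6.0-beta.1' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    is_final = 0 if suffix.strip() else 1
    return (int(major), int(minor), int(patch), is_final)


def is_affected(version):
    """True when the version is inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def check_composer_lock(lock_text):
    """Locate craftcms/commerce in a composer.lock document and classify it.

    Returns a dict with keys installed, version and affected. 'affected' is
    None when the version string (e.g. a dev branch alias) cannot be parsed,
    so callers treat it as "verify manually" rather than "safe".
    """
    data = json.loads(lock_text)
    packages = data.get("packages", []) + data.get("packages-dev", [])
    for pkg in packages:
        if pkg.get("name") != PACKAGE:
            continue
        version = pkg.get("version", "")
        try:
            affected = is_affected(version)
        except ValueError:
            affected = None
        return {"installed": True, "version": version, "affected": affected}
    return {"installed": False, "version": None, "affected": False}


# Constructed sample lock file: a vulnerable installation.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.5.0"},
        {"name": "craftcms/commerce", "version": "5.5.4"},
    ],
    "packages-dev": [],
})


if __name__ == "__main__":
    result = check_composer_lock(SAMPLE_LOCK)
    if not result["installed"]:
        print(f"{PACKAGE} not present in lock file")
    elif result["affected"] is None:
        print(f"{PACKAGE} {result['version']}: version not parseable, verify manually")
    elif result["affected"]:
        print(f"{PACKAGE} {result['version']}: AFFECTED, upgrade to 5.6.0 or later")
    else:
        print(f"{PACKAGE} {result['version']}: not in affected range")
```

Run it against a real project by replacing SAMPLE_LOCK with the contents of the project's composer.lock; a result of `affected: None` (for example a `dev-` branch alias) means the script could not decide and the version should be checked by hand.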

Tracking

Advisories
Source: Github GHSA
ID: GHSA-r54v-qq87-px5r
Title: Craft Commerce hasVariant/hasProduct Blind SQL Injection
History

Tue, 14 Apr 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 16:30:00 +0000

Type: First Time appeared
Values added: Craftcms; Craftcms commerce
Type: Vendors & Products
Values added: Craftcms; Craftcms commerce

Mon, 13 Apr 2026 20:45:00 +0000

Type: Description
Values added: the advisory description quoted at the top of this page
Type: Title
Values added: Craft Commerce: Blind SQL Injection via hasVariant/hasProduct
Type: Weaknesses
Values added: CWE-89
Type: References
Type: Metrics (cvssV4_0)
Values added: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T16:28:47.197Z

Reserved: 2026-03-11T15:05:48.400Z

Link: CVE-2026-32272

Vulnrichment

Updated: 2026-04-14T15:28:54.549Z

NVD

Status: Deferred

Published: 2026-04-13T21:16:24.410

Modified: 2026-04-17T15:26:57.017

Link: CVE-2026-32272

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:33:22Z

Weaknesses