Craft Commerce Ecommerce Platform SQL Injection Risk

CVSS 4.0 score: 8.7
GHSA-pmgj-gmm4-jh6j · CVE-2026-29174

Summary

If an attacker accesses the Commerce Inventory section, they may be able to inject malicious code into the database, potentially leading to a full database breach. This is a serious risk because it could allow an attacker to access sensitive data and disrupt business operations. To protect your site, update to Craft Commerce version 5.5.3 or later.

What to do
  • Update the craftcms commerce package (craftcms/commerce) to version 5.5.3 or later.
Affected software
Vendor     Product             Affected versions      Fix available
craftcms   craft_commerce      > 5.0.0, <= 5.5.3      –
craftcms   commerce            > 5.0.0, <= 5.5.2      5.5.3
craftcms   craftcms/commerce   > 5.0.0, <= 5.5.3      5.5.3
Original description
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Craft Commerce is vulnerable to SQL Injection in the inventory levels table data endpoint. The sort[0][direction] and sort[0][sortField] parameters are concatenated directly into an addOrderBy() clause without any validation or sanitization. An authenticated attacker with access to the Commerce Inventory section can inject arbitrary SQL queries, potentially leading to a full database compromise. This vulnerability is fixed in 5.5.3.
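The defensive counterpart to the flaw described above, as an added illustration that is not Craft Commerce's own code: the request's sort[0][sortField] and sort[0][direction] values are mapped through allowlists before anything reaches the ORDER BY clause, so no request string is ever concatenated into SQL. The column names, the allowlist constants and the buildOrderBy helper are assumptions made for this example.

```php
<?php
// Added example (not Craft Commerce's code): validate table-sort request
// parameters before they are used in an ORDER BY clause. The request shape
// mirrors the advisory: sort[N][sortField] and sort[N][direction].

// Assumed allowlist: request field token => real column name.
const SORTABLE_COLUMNS = [
    'sku'       => 'p.sku',
    'available' => 'i.available_total',
    'reserved'  => 'i.reserved_total',
];

// Assumed mapping: request direction token => SQL keyword.
const DIRECTIONS = ['asc' => 'ASC', 'desc' => 'DESC'];

/**
 * Turn the untrusted sort[] array from the request into an ORDER BY
 * fragment built only from allowlisted values. Anything not in the
 * allowlists is rejected; the request string itself is never echoed
 * into SQL, which is what closes the injection path.
 */
function buildOrderBy(array $sort): string
{
    $parts = [];
    foreach ($sort as $entry) {
        if (!is_array($entry)) {
            throw new InvalidArgumentException('Malformed sort entry');
        }
        $field = $entry['sortField'] ?? null;
        $dir   = $entry['direction'] ?? 'asc';
        if (!is_string($field) || !array_key_exists($field, SORTABLE_COLUMNS)) {
            throw new InvalidArgumentException('Unknown sort field');
        }
        if (!is_string($dir) || !array_key_exists(strtolower($dir), DIRECTIONS)) {
            throw new InvalidArgumentException('Invalid sort direction');
        }
        // Only values taken from our own constants reach the SQL string.
        $parts[] = SORTABLE_COLUMNS[$field] . ' ' . DIRECTIONS[strtolower($dir)];
    }
    return $parts ? 'ORDER BY ' . implode(', ', $parts) : '';
}

// Constructed input, as PHP parses sort[0][sortField]=sku&sort[0][direction]=desc
$good = [['sortField' => 'sku', 'direction' => 'desc']];
echo buildOrderBy($good), PHP_EOL;

// Constructed input whose direction is not a known token: rejected, not concatenated.
$bad = [['sortField' => 'sku', 'direction' => 'desc; extra']];
try {
    buildOrderBy($bad);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The same allowlist approach applies whether the query is built with a raw string or with a query builder such as Yii's addOrderBy(): pass it an array keyed by known column names, never a string assembled from request data.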
Score source: GHSA · CVSS 4.0: 8.7
Vulnerability type
CWE-89: SQL Injection
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026