
Craft Commerce: SQL Injection in Purchasables Table Endpoint

GHSA-j3x5-mghf-xvfw · CVE-2026-29172
Summary

An authenticated attacker with access to your e-commerce platform can manipulate data by injecting malicious SQL code. This could allow them to view or alter sensitive information. To protect your site, update to Craft Commerce version 4.10.2 or 5.5.3 or later.

What to do
  • Update craftcms/commerce to version 4.10.2 (for 4.x installs).
  • Update craftcms/commerce to version 5.5.3 (for 5.x installs).
Affected software
Vendor     Product             Affected versions      Fix available
craftcms   craft_commerce      > 4.0.0, <= 4.10.2     none listed
craftcms   craft_commerce      > 5.0.0, <= 5.5.3      none listed
craftcms   commerce            > 4.0.0, <= 4.10.1     4.10.2
craftcms   commerce            > 5.0.0, <= 5.5.2      5.5.3
craftcms   craftcms/commerce   > 4.0.0, <= 4.10.2     4.10.2
craftcms   craftcms/commerce   > 5.0.0, <= 5.5.3      5.5.3
Original description
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part (column name) is passed directly as an array key to orderBy() without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an authenticated attacker to inject arbitrary SQL into the ORDER BY clause. This vulnerability is fixed in 4.10.2 and 5.5.3.
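The safe shape of the parsing step the description refers to, as an added example that is not Craft Commerce's own code: the request value is never used as the orderBy() array key; instead it is looked up in an allowlist that supplies the real column name. The column names, the function name and the sample inputs are assumptions for this illustration.

```php
<?php
declare(strict_types=1);

/**
 * Columns the table endpoint may sort by. The key is the value accepted from
 * the request, the value is the real column name. Anything not in this map is
 * rejected before it can reach orderBy(). (Names are assumptions for this
 * example, not Craft Commerce's actual schema.)
 */
const SORTABLE_COLUMNS = [
    'title' => 'title',
    'sku'   => 'sku',
    'price' => 'price',
];

/**
 * Parse a "column|direction" sort parameter into the array form Yii2's
 * orderBy() accepts, e.g. ['sku' => SORT_DESC].
 *
 * Using the request value directly as the array KEY is the pattern the
 * advisory describes, so the key must come from our own allowlist, never from
 * the request string itself.
 *
 * @throws InvalidArgumentException on anything outside the allowlist
 */
function parseSortParam(string $sort): array
{
    $parts     = explode('|', $sort, 2);
    $requested = strtolower(trim($parts[0]));
    $direction = strtolower(trim($parts[1] ?? 'asc'));

    if (!array_key_exists($requested, SORTABLE_COLUMNS)) {
        throw new InvalidArgumentException("Unsupported sort column: {$requested}");
    }
    if ($direction !== 'asc' && $direction !== 'desc') {
        throw new InvalidArgumentException("Unsupported sort direction: {$direction}");
    }

    // The key is taken from the allowlist value, not from user input.
    return [SORTABLE_COLUMNS[$requested] => $direction === 'desc' ? SORT_DESC : SORT_ASC];
}

// Constructed inputs: two normal requests and two that must be refused
// (a column string that is not exactly an allowlisted key, and a bad direction).
foreach (['price|desc', 'sku', 'title,sku|asc', 'price|desc; x'] as $input) {
    try {
        echo "{$input} -> ", json_encode(parseSortParam($input)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "{$input} -> rejected: ", $e->getMessage(), PHP_EOL;
    }
}
```

The returned array is what would be handed to `->orderBy()`; because every key originates in `SORTABLE_COLUMNS`, the endpoint no longer depends on the query builder quoting array keys.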
Severity (GHSA, CVSS 4.0): 8.7
Vulnerability type
CWE-89 SQL Injection
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026