CVE-2026-29172 · HIGH 8.8 · EPSS p33.6%

CVE-2026-29172

Description

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part (column name) is passed directly as an array key to orderBy() without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an authenticated attacker to inject arbitrary SQL into the ORDER BY clause. This vulnerability is fixed in 4.10.2 and 5.5.3.
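An allowlist check of the kind the fix requires, written here in PHP as an added example (not Craft Commerce's or Yii2's own code); the sortable column names and the sample request values are constructed for illustration:

```php
<?php
declare(strict_types=1);

// Added example, not code from Craft Commerce or Yii2. It shows the mitigation
// the advisory describes: validate the "column|direction" sort parameter against
// an allowlist before its column part is used as an array key for orderBy().
// The column names in $allowedColumns and the sample requests are constructed.

/**
 * Turn "column|direction" into the array form yii\db\Query::orderBy() accepts
 * ([column => SORT_ASC|SORT_DESC]). Returns null for any column that is not
 * in the allowlist, so request input never becomes the array key.
 */
function parseSortParam(string $sort, array $allowedColumns): ?array
{
    // Same split the vulnerable code performs; only the first part is sensitive.
    [$column, $direction] = array_pad(explode('|', $sort, 2), 2, 'asc');

    // Strict, exact comparison: no normalisation, no partial matches.
    if (!in_array($column, $allowedColumns, true)) {
        return null;
    }

    $order = strtolower($direction) === 'desc' ? SORT_DESC : SORT_ASC;

    // The key is now one of our own literals, not the raw request string.
    return [$column => $order];
}

// Constructed allowlist of columns the purchasables table may sort on.
$allowedColumns = ['title', 'sku', 'price', 'dateCreated'];
$defaultOrder   = ['title' => SORT_ASC];

// Constructed request values: two valid, one that must fall back to the default.
foreach (['price|desc', 'sku', 'not_a_column|asc'] as $requested) {
    $orderBy = parseSortParam($requested, $allowedColumns) ?? $defaultOrder;
    // In the real endpoint this array would be passed to $query->orderBy($orderBy).
    printf("%-18s => %s\n", $requested, json_encode($orderBy));
}
```

Because the key passed to orderBy() is always one of the allowlist literals, unquoted array keys in the query builder are no longer reachable from the request.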

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.42% probability of exploitation · percentile 33.6% · 2026-06-19T12:03:05Z
Published: 2026-03-10
Last modified: 2026-03-11

Underlying weaknesses · 1

CWE-89

References

  1. https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276
  2. https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1
  3. https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw


Type | Target | Confidence | Tier
Weakness | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (cwe-89) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-29174
  2. CVE-2026-25495
  3. CVE-2026-31858
  4. CVE-2026-8978
  5. CVE-2026-31920
  6. CVE-2026-34018
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.