CVE-2026-29174HIGH 8.8EPSS p34.7%

CVE-2026-29174CVE-2026-29174

Description

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Craft Commerce is vulnerable to SQL Injection in the inventory levels table data endpoint. The sort[0][direction] and sort[0][sortField] parameters are concatenated directly into an addOrderBy() clause without any validation or sanitization. An authenticated attacker with access to the Commerce Inventory section can inject arbitrary SQL queries, potentially leading to a full database compromise. This vulnerability is fixed in 5.5.3.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS0.44% probability of exploitation · percentile 34.7% · 2026-06-19T12:03:05Z
Published2026-03-10
Last modified2026-03-11

Underlying weaknesses· 1

CWE-89

References

  1. https://github.com/craftcms/commerce/commit/094d69df24b925544f337c38e2ec1effcd5395c7
  2. https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b
  3. https://github.com/craftcms/commerce/security/advisories/GHSA-pmgj-gmm4-jh6j

1

TypeTargetConfidenceTier
WeaknessImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection')cwe-890%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-29172
CVE
CVE-2026-25495
CVE
CVE-2026-31858
CVE
CVE-2026-8978
CVE
CVE-2026-31920
CVE
Craft CMS Code Injection Vulnerability
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.