CVE-2026-29172 HIGH

CVE-2026-29172: Craft Commerce has a SQL Injection in Commerce Purchasables Table Sorting

Vendor Craftcms

Product commerce

Weakness CWE-89 · SQLi

Published March 10, 2026

Last update March 11, 2026

View on NVD All CVEs

CVSS base score

8.7/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part (column name) is passed directly as an array key to orderBy() without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an authenticated attacker to inject arbitrary SQL into the ORDER BY clause. This vulnerability is fixed in 4.10.2 and 5.5.3.

Key dates

02Disclosure timeline

March 10, 2026 CVE published

March 11, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-29172

Related vulnerabilities

Identifiers

CVE CVE-2026-29172

CWE CWE-89

CVSS 8.7 / HIGH

Affected versions

Vendor Craftcms

Product commerce

Affected >= 4.0.0 < 4.10.2

Vendor Craftcms

Product commerce

Affected >= 5.0.0 < 5.5.3

CVE-2026-29172: Craft Commerce has a SQL Injection in Commerce Purchasables Table Sorting

01Description

02Disclosure timeline

03References

04Related CVE