{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29172", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-04T14:44:00.712Z", "datePublished": "2026-03-10T19:52:32.735Z", "dateUpdated": "2026-03-11T14:12:53.450Z"}, "containers": {"cna": {"title": "Craft Commerce has a SQL Injection in Commerce Purchasables Table Sorting", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw"}, {"name": "https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276"}, {"name": "https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1"}], "affected": [{"vendor": "craftcms", "product": "commerce", "versions": [{"version": ">= 4.0.0 < 4.10.2", "status": "affected"}, {"version": ">= 5.0.0 < 5.5.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T19:52:32.735Z"}, "descriptions": [{"lang": "en", "value": "Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part (column name) is passed directly as an array key to orderBy() without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an authenticated attacker to inject arbitrary SQL into the ORDER BY clause. This vulnerability is fixed in 4.10.2 and 5.5.3."}], "source": {"advisory": "GHSA-j3x5-mghf-xvfw", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T14:12:47.816068Z", "id": "CVE-2026-29172", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T14:12:53.450Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29172", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-11T14:12:47.816068Z"}}}], "references": [{"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T14:12:40.847Z"}}], "cna": {"title": "Craft Commerce has a SQL Injection in Commerce Purchasables Table Sorting", "source": {"advisory": "GHSA-j3x5-mghf-xvfw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "craftcms", "product": "commerce", "versions": [{"status": "affected", "version": ">= 4.0.0 < 4.10.2"}, {"status": "affected", "version": ">= 5.0.0 < 5.5.3"}]}], "references": [{"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw", "name": "https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276", "name": "https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1", "name": "https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part (column name) is passed directly as an array key to orderBy() without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an authenticated attacker to inject arbitrary SQL into the ORDER BY clause. This vulnerability is fixed in 4.10.2 and 5.5.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T19:52:32.735Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29172", "state": "PUBLISHED", "dateUpdated": "2026-03-11T14:12:53.450Z", "dateReserved": "2026-03-04T14:44:00.712Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-10T19:52:32.735Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*", "matchCriteriaId": "21ABE060-9AA9-4E13-A387-89028A7D990F", "versionEndExcluding": "4.10.2", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*", "matchCriteriaId": "2690BD5E-2A88-4CDC-AAD6-DD02B96E1A46", "versionEndExcluding": "5.5.3", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part (column name) is passed directly as an array key to orderBy() without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an authenticated attacker to inject arbitrary SQL into the ORDER BY clause. This vulnerability is fixed in 4.10.2 and 5.5.3."}, {"lang": "es", "value": "Craft Commerce es una plataforma de comercio electr\u00f3nico para Craft CMS. Antes de las versiones 4.10.2 y 5.5.3, Craft Commerce es vulnerable a inyecciones SQL en el punto final de la tabla de productos adquiribles. El par\u00e1metro de ordenaci\u00f3n se divide mediante | y la primera parte (nombre de columna) se pasa directamente como clave de matriz a orderBy() sin validaci\u00f3n de lista blanca. El generador de consultas de Yii2 NO escapa las claves de matriz, lo que permite a un atacante autenticado inyectar SQL arbitrario en la cl\u00e1usula ORDER BY. Esta vulnerabilidad se ha corregido en las versiones 4.10.2 y 5.5.3."}], "id": "CVE-2026-29172", "lastModified": "2026-03-11T16:54:15.053", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-10T20:16:38.230", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0,4.10.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0,5.5.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "commerce", "source": "cna", "vendor": "craftcms"}, "product": "commerce", "vendor": "craftcms"}], "analysis": {"en": {"generated_at": "2026-04-16T09:32:17.777732+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch: upgrade Craft Commerce to version 4.10.2 or later, or 5.5.3 or later, as these releases fix the SQL injection flaw.", "Verify that no privileged or administrative scripts expose the purchasables endpoint to unauthenticated users or users with insufficient permissions.", "Implement strict input validation or a whitelist for the sort parameter so that only allowed column names can be used in ORDER\u202fBY clauses, mitigating similar injection vectors in the future."], "summary": {"action": "Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "The affected systems are installations of the Craft Commerce plugin for Craft CMS running any pre\u20114.10.2 or pre\u20115.5.3 release. All versions that rely on the unpatched purchasables endpoint are exposed, regardless of site size or configuration, as long as the endpoint remains accessible to authenticated users.", "description_and_impact": "Craft Commerce, an ecommerce plugin for Craft CMS, is vulnerable in versions before 4.10.2 and 5.5.3 to SQL injection through the purchasables table endpoint. The sort parameter is parsed by splitting on a pipe, and the first token\u2014intended as the column name\u2014is inserted directly as an array key into orderBy() without any whitelist validation. Because Yii\u202f2\u2019s query builder does not escape array keys, an authenticated user can inject arbitrary SQL into the ORDER\u202fBY clause, enabling them to manipulate query results or extract sensitive data.", "risk_and_exploitability": "This flaw carries a CVSS score of 8.7, indicating high severity, but its EPSS is reported as less than 1\u202f%, and it is not included in the CISA KEV catalog. The bug can be exploited via the normal web interface and requires only valid credentials, so the attack vector is usually remote over HTTP. Although the theoretical impact is significant\u2014potential data leakage or manipulation\u2014the current low exploitation probability and lack of public exploitation data suggest the risk is moderate, yet still warrants timely patching."}}}}, "created": "2026-03-11T11:43:16.679197+00:00", "updated": "2026-04-16T09:45:31.666821+00:00", "vendors": ["craftcms", "craftcms$PRODUCT$commerce"]}