SQL Injection Vulnerability in Craft Commerce by Craft CMS
CVE-2026-29172

8.7HIGH

Key Information:

Vendor

Craftcms

Status
Commerce
Vendor
CVE Published:
10 March 2026

What is CVE-2026-29172?

Craft Commerce, an ecommerce platform built for Craft CMS, is susceptible to SQL Injection in the purchasables table endpoint prior to versions 4.10.2 and 5.5.3. The issue arises from the way the sort parameter is processed; it is split by | and the initial segment, intended as a column name, is not validated against a whitelist before being used in the orderBy() function. This lack of validation allows an authenticated attacker to exploit the vulnerability and inject arbitrary SQL commands into the ORDER BY clause, potentially compromising the database. This critical security flaw has been addressed in the specified versions.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

commerce >= 4.0.0 < 4.10.2 < 4.0.0 4.10.2

commerce >= 5.0.0 < 5.5.3 < 5.0.0 5.5.3

References

https://github.com/craftcms/commerce/security/advisories/...
x_refsource_CONFIRM
https://github.com/craftcms/commerce/commit/b231b920b73db...
x_refsource_MISC
https://github.com/craftcms/commerce/commit/e4e0f4107cd89...
x_refsource_MISC

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.