SQL Injection Vulnerability in Craft Commerce by Craft CMS
CVE-2026-29174

8.7HIGH

Key Information:

Vendor

Craftcms

Status
Commerce
Vendor
CVE Published:
10 March 2026

What is CVE-2026-29174?

Craft Commerce, the ecommerce platform for Craft CMS, is susceptible to a SQL Injection flaw in its inventory levels table data endpoint prior to version 5.5.3. By exploiting the lack of validation and sanitization in the handling of the sort parameters, an authenticated attacker with access to the Commerce Inventory section may be able to execute arbitrary SQL queries. This could potentially compromise the entire database, exposing sensitive data and allowing for severe security breaches. The vulnerability has been remedied in version 5.5.3.

Affected Version(s)

commerce >= 5.0.0 < 5.5.3

References

https://github.com/craftcms/commerce/security/advisories/...
x_refsource_CONFIRM
https://github.com/craftcms/commerce/commit/094d69df24b92...
x_refsource_MISC
https://github.com/craftcms/commerce/commit/a2ea853935ef0...
x_refsource_MISC

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.