SQL Injection Vulnerability in Craft Commerce by Craft CMS
CVE-2026-32272

8.7HIGH

Key Information:

Vendor

Craftcms

Status
Vendor
CVE Published:
13 April 2026

What is CVE-2026-32272?

Craft Commerce, an ecommerce platform for Craft CMS, is affected by an SQL injection vulnerability in versions 5.0.0 through 5.5.4. The vulnerability arises in the ProductQuery::hasVariant and VariantQuery::hasProduct properties, which are not covered by the input sanitization previously implemented in the ElementIndexesController. Unlike other dangerous properties, which that sanitization strips via a Yii2 Query blocklist, hasVariant and hasProduct are passed through, allowing an attacker with authenticated control panel access to perform boolean-based blind SQL injection. This can lead to unauthorized extraction of sensitive database content, including security keys that may enable session forgery and privilege escalation. The vulnerability has been addressed in version 5.6.0.
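The failure mode described above is a blocklist that fails open: any query property the blocklist does not name reaches the ORM. The following is an added, hypothetical illustration in Python (not Craft Commerce code, and not Yii2's API) of why an allowlist of the criteria a control-panel endpoint actually needs fails closed instead, plus a small detection helper for flagging requests that carry unexpected criteria names. The criteria names, the blocklist and the allowlist are constructed for the example.

```python
"""Allowlist versus blocklist filtering of element-query criteria.

Hypothetical illustration (not Craft CMS or Yii2 code): a control-panel
endpoint accepts a dictionary of query criteria from the request and
forwards it to an ORM query. A blocklist fails open when the query class
gains a settable property the list does not know about; an allowlist
fails closed.
"""

# Constructed blocklist: well-known raw-SQL sinks on a query object.
BLOCKLIST = {"where", "orderBy", "groupBy", "having", "join"}

# Constructed allowlist: the criteria this hypothetical element index
# actually needs. Anything else is dropped.
ALLOWLIST = {"status", "limit", "offset", "search", "siteId"}


def filter_blocklist(criteria: dict) -> dict:
    """Drop only names known to be dangerous (fails open for new names)."""
    return {k: v for k, v in criteria.items() if k not in BLOCKLIST}


def filter_allowlist(criteria: dict) -> dict:
    """Keep only names the endpoint is known to need (fails closed)."""
    return {k: v for k, v in criteria.items() if k in ALLOWLIST}


def suspicious_criteria(criteria: dict) -> list:
    """Detection helper: criteria names outside the allowlist, sorted.

    Suitable for logging or alerting on control-panel requests that
    supply unexpected query properties.
    """
    return sorted(k for k in criteria if k not in ALLOWLIST)


if __name__ == "__main__":
    # Constructed request: an expected criterion plus a relation-style
    # property that the blocklist does not mention.
    request = {"status": "live", "limit": 50, "hasVariant": "<untrusted>"}
    print(filter_blocklist(request))    # hasVariant passes through
    print(filter_allowlist(request))    # hasVariant dropped
    print(suspicious_criteria(request))  # ['hasVariant']
```

The point of the third helper is operational: a defender who cannot patch immediately can at least log every criterion name that falls outside the allowlist and alert on the ones that were never expected from a legitimate control-panel client.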

Affected Version(s)

commerce >= 5.0.0 < 5.6.0

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
