CVE-2026-29174
HIGH
GHSA-pmgj-gmm4-jh6j
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Tags
Description
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Craft Commerce is vulnerable to SQL Injection in the inventory levels table data endpoint. The sort[0][direction] and sort[0][sortField] parameters are concatenated directly into an addOrderBy() clause without any validation or sanitization. An authenticated attacker with access to the Commerce Inventory section can inject arbitrary SQL queries, potentially leading to a full database compromise. This vulnerability is fixed in 5.5.3.
Analysis
Craft Commerce versions prior to 5.5.3 contain an SQL injection vulnerability in the inventory levels endpoint where sort parameters are improperly sanitized, allowing authenticated users with Commerce Inventory access to execute arbitrary database queries. Public exploit code exists for this vulnerability, which could enable complete database compromise. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all systems running Craft Commerce and determine current versions; isolate or restrict network access to affected instances if on versions prior to 5.5.3. Within 7 days: Apply vendor patch to upgrade all instances to version 5.5.3 or later; validate patch deployment in production. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today