Skip to main content

Craft Commerce CVE-2026-31867

MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-03-11 security-advisories@github.com GHSA-vff3-pqq8-4cpq
4.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 11, 2026 - 18:16 nvd
MEDIUM 4.8

DescriptionGitHub Advisory

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.11.0 and 5.6.0, An Insecure Direct Object Reference (IDOR) vulnerability exists in Craft Commerce’s cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character number. The CartController accepts a user-supplied number parameter to load and modify shopping carts. No ownership validation is performed - the code only checks if the order exists and is incomplete, not whether the requester has authorization to access it. This vulnerability enables the takeover of shopping sessions and potential exposure of PII. This vulnerability is fixed in 4.11.0 and 5.6.0.

AnalysisAI

Craft Commerce versions prior to 4.11.0 and 5.6.0 contain an IDOR vulnerability in the cart functionality that allows unauthenticated attackers to access and modify arbitrary shopping carts by guessing or knowing their 32-character identifiers. The CartController fails to validate cart ownership, enabling attackers to hijack active shopping sessions and potentially access sensitive customer information. No patch is currently available for affected versions.

Technical ContextAI

This vulnerability (CWE-639: Authorization Bypass Through User-Controlled Key) affects Craft Commerce is an ecommerce platform for Craft CMS.. Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.11.0 and 5.6.0, An Insecure Direct Object Reference (IDOR) vulnerability exists in Craft Commerce’s cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character number. The CartController accepts a user-supplied number parameter to load and modify shopping carts. No ownership validation is performed - the code only checks if the order exists and is incomplete, not whether the requester h

RemediationAI

Fixed in version 4.11.0.

CVE-2026-29172 HIGH POC
8.8 Mar 10

SQL injection in Craft Commerce's purchasables endpoint allows authenticated attackers to manipulate the sort parameter

CVE-2026-29174 HIGH POC
8.8 Mar 10

Craft Commerce versions prior to 5.5.3 contain an SQL injection vulnerability in the inventory levels endpoint where sor

CVE-2026-29175 MEDIUM POC
5.4 Mar 10

Craft Commerce versions before 5.5.3 contain stored cross-site scripting (XSS) vulnerabilities in the inventory manageme

CVE-2026-25483 MEDIUM POC
5.4 Feb 03

Stored XSS in Craft Commerce's Order Status History Message (versions 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1)

CVE-2026-29177 MEDIUM POC
5.4 Mar 10

Stored XSS in Craft Commerce Order details allows authenticated users to inject malicious scripts through Shipping Metho

CVE-2026-25488 MEDIUM POC
4.8 Feb 03

Stored XSS in Craft Commerce 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated administrators with h

CVE-2026-25487 MEDIUM POC
4.8 Feb 03

Stored XSS in Craft Commerce 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated administrators with h

CVE-2026-25486 MEDIUM POC
4.8 Feb 03

Stored XSS in Craft Commerce versions 5.0.0 through 5.5.1 permits authenticated attackers with administrative privileges

CVE-2026-25522 MEDIUM POC
4.8 Feb 03

Stored XSS in Craft Commerce 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated attackers with high p

CVE-2026-25482 MEDIUM POC
4.8 Feb 03

Craft Commerce versions 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 contain a stored DOM-based XSS vulnerability in

CVE-2026-25490 MEDIUM POC
4.8 Feb 03

Stored XSS in Craft Commerce 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated attackers with high p

CVE-2026-25489 MEDIUM POC
4.8 Feb 03

Stored XSS in Craft Commerce 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated attackers with high p

Share

CVE-2026-31867 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy