Skip to main content

Commerce CVE-2026-32272

| EUVDEUVD-2026-22077 HIGH
SQL Injection (CWE-89)
2026-04-13 GitHub_M GHSA-r54v-qq87-px5r
8.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:37 vuln.today
cvss_changed
Analysis Generated
Apr 15, 2026 - 12:35 vuln.today
Patch released
Apr 14, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 13, 2026 - 21:00 euvd
EUVD-2026-22077
Analysis Generated
Apr 13, 2026 - 21:00 vuln.today
CVE Published
Apr 13, 2026 - 20:25 nvd
HIGH 8.7

DescriptionGitHub Advisory

Craft Commerce is an ecommerce platform for Craft CMS. In versions 5.0.0 through 5.5.4, an SQL injection vulnerability exists where the ProductQuery::hasVariant and VariantQuery::hasProduct properties bypass the input sanitization blocklist added to ElementIndexesController in a prior security fix (GHSA-2453-mppf-46cj). The blocklist only strips top-level Yii2 Query properties such as where and orderBy, but hasVariant and hasProduct pass through untouched and internally call Craft::configure() on a subquery without sanitization, re-introducing SQL injection. Any authenticated control panel user can exploit this via boolean-based blind SQL injection to extract arbitrary database contents, including security keys that enable forging admin sessions for privilege escalation. This issue has been fixed in version 5.6.0.

AnalysisAI

SQL injection in Craft Commerce 5.0.0-5.5.4 allows authenticated control panel users to extract arbitrary database contents via ProductQuery::hasVariant and VariantQuery::hasProduct parameters that bypass prior sanitization fixes. Attackers can retrieve security keys to forge admin sessions and escalate privileges. Fixed in version 5.6.0. EPSS 0.03% (8th percentile) indicates low observed exploitation probability; no public exploit identified at time of analysis.

Technical ContextAI

Craft Commerce is an e-commerce plugin for the Craft CMS content management system. This vulnerability (CWE-89: SQL Injection) exists in the ElementIndexesController's query handling logic. A prior security fix (GHSA-2453-mppf-46cj) implemented a blocklist to strip dangerous Yii2 Query properties like 'where' and 'orderBy' from user input. However, the ProductQuery::hasVariant and VariantQuery::hasProduct properties were not included in this blocklist. These properties internally invoke Yii2's Craft::configure() method on a subquery object without input sanitization, allowing attackers to inject arbitrary SQL through these nested query parameters. The vulnerability affects the CPE cpe:2.3:a:craftcms:commerce:*:*:*:*:*:*:*:* across versions 5.0.0 through 5.5.4. The exploit technique is boolean-based blind SQL injection, which allows iterative extraction of database contents through conditional true/false responses without direct data output.

RemediationAI

Upgrade Craft Commerce to version 5.6.0 or later, which contains the complete fix for this SQL injection bypass. The patch is available from the official release at https://github.com/craftcms/commerce/releases/tag/5.6.0 and documented in pull request https://github.com/craftcms/commerce/pull/4232. No workarounds are documented; upgrading is the primary remediation path. Organizations should audit control panel user permissions and review database access logs for suspicious query patterns during the exposure window. Consider rotating security keys and reviewing admin session activity if unauthorized database access is suspected.

CVE-2024-34102 CRITICAL POC
9.8 Jun 13

Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML E

CVE-2021-27602 CRITICAL
9.9 Apr 13

SAP Commerce, versions - 1808, 1811, 1905, 2005, 2011, Backoffice application allows certain authorized users to create

CVE-2021-21477 CRITICAL
9.9 Feb 09

SAP Commerce Cloud, versions - 1808,1811,1905,2005,2011, enables certain users with required privileges to edit drools r

CVE-2024-45115 CRITICAL
9.8 Oct 10

Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authentication v

CVE-2024-34107 CRITICAL
9.8 Jun 13

Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Access Control vulne

CVE-2022-34256 CRITICAL
9.8 Aug 16

Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improp

CVE-2021-42064 CRITICAL
9.8 Dec 14

If configured to use an Oracle database and if a query is created using the flexible search java api with a parameterize

CVE-2020-6265 CRITICAL
9.8 Jun 09

SAP Commerce, versions - 6.7, 1808, 1811, 1905, and SAP Commerce (Data Hub), versions - 6.7, 1808, 1811, 1905, allows an

CVE-2024-20717 MEDIUM POC
5.4 Feb 15

Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by a stored Cross-Site Scripting (XSS) vul

CVE-2025-24434 CRITICAL
9.1 Feb 11

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect A

CVE-2024-20720 CRITICAL
9.1 Feb 15

Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by an Improper Neutralization of Special E

CVE-2024-20719 CRITICAL
9.1 Feb 15

Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by a stored Cross-Site Scripting (XSS) vul

Share

CVE-2026-32272 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy