Craft Commerce CVE-2026-55795
MEDIUMSeverity by source
Network-reachable guest cart endpoint, no authentication needed, confidentiality impact limited to coupon code disclosure only.
Estimated by vuln.today — no official severity rating has been published for this CVE yet.
Lifecycle Timeline
2DescriptionCVE.org
Summary
The CartController defines a RateLimiter behavior that is only activated when the 'number' POST/GET parameter is explicitly provided.
Details
When an attacker submits coupon codes against the session-based cart (without passing a 'number' parameter), no rate limiting is applied. This allows unlimited attempts to guess coupon codes.
Vulnerable Code <img width="864" height="90" alt="resim" src="https://github.com/user-attachments/assets/a5197f10-f1fd-4331-93f9-9479d0ceebba" />
<img width="881" height="272" alt="resim" src="https://github.com/user-attachments/assets/d9db963f-5d1f-4b00-a4b4-5f2dfe2b71dd" />
<img width="861" height="271" alt="resim" src="https://github.com/user-attachments/assets/f7842493-3bc0-4e99-956c-7266bab15703" />
PoC
Complete instructions, including specific configuration details, to reproduce the vulnerability.
<img width="909" height="171" alt="resim" src="https://github.com/user-attachments/assets/cfc8c994-5e0c-48de-b728-464029beba0e" />
Impact
An attacker can enumerate all coupon codes through automated requests.
Remediation Apply rate limiting unconditionally on actionUpdateCart regardless of whether 'number' is present.
AnalysisAI
Craft Commerce's CartController exposes a coupon code brute-force vector by conditionally applying rate limiting only when the 'number' parameter is present in a request. Unauthenticated attackers targeting the session-based cart endpoint can omit the 'number' parameter entirely, bypassing IP-based rate limiting and submitting unlimited coupon code guesses via automated requests. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The rate limit bypass is triggered when a request to the CartController's actionUpdateCart endpoint includes a couponCode parameter but omits the 'number' parameter. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No vendor-supplied CVSS vector is available, so risk signals must be assembled from description and structural analysis. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker scripts an HTTP client to repeatedly POST to the Craft Commerce cart update endpoint with varied couponCode values but without the 'number' parameter, bypassing the IP-based rate limiter entirely. With no throttle in place, the attacker cycles through a wordlist of common coupon patterns (e.g., SUMMER25, WELCOME10) at high speed until the application returns a success response indicating a valid code. … |
| Remediation | Upgrade Craft Commerce to version 4.11.2 (for 4.x deployments) or 5.6.5 (for 5.x deployments), which extend rate limiting to cart requests that include a couponCode parameter. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-h5gm-x9wr-vhcm