Skip to main content

Craft Commerce CVE-2026-55795

MEDIUM
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2026-06-19 https://github.com/craftcms/commerce GHSA-h5gm-x9wr-vhcm
Share

Severity by source

vuln.today AI
5.3 MEDIUM

Network-reachable guest cart endpoint, no authentication needed, confidentiality impact limited to coupon code disclosure only.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Estimated by vuln.today — no official severity rating has been published for this CVE yet.

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 19, 2026 - 23:37 vuln.today
Analysis Generated
Jun 19, 2026 - 23:37 vuln.today

DescriptionCVE.org

Summary

The CartController defines a RateLimiter behavior that is only activated when the 'number' POST/GET parameter is explicitly provided.

Details

When an attacker submits coupon codes against the session-based cart (without passing a 'number' parameter), no rate limiting is applied. This allows unlimited attempts to guess coupon codes.

Vulnerable Code <img width="864" height="90" alt="resim" src="https://github.com/user-attachments/assets/a5197f10-f1fd-4331-93f9-9479d0ceebba" />

<img width="881" height="272" alt="resim" src="https://github.com/user-attachments/assets/d9db963f-5d1f-4b00-a4b4-5f2dfe2b71dd" />

<img width="861" height="271" alt="resim" src="https://github.com/user-attachments/assets/f7842493-3bc0-4e99-956c-7266bab15703" />

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability.

<img width="909" height="171" alt="resim" src="https://github.com/user-attachments/assets/cfc8c994-5e0c-48de-b728-464029beba0e" />

Impact

An attacker can enumerate all coupon codes through automated requests.

Remediation Apply rate limiting unconditionally on actionUpdateCart regardless of whether 'number' is present.

AnalysisAI

Craft Commerce's CartController exposes a coupon code brute-force vector by conditionally applying rate limiting only when the 'number' parameter is present in a request. Unauthenticated attackers targeting the session-based cart endpoint can omit the 'number' parameter entirely, bypassing IP-based rate limiting and submitting unlimited coupon code guesses via automated requests. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Craft Commerce cart update endpoint
Delivery
Submit couponCode param without 'number' param
Exploit
Rate limiter remains inactive
Execution
Automate high-volume coupon guesses
Persist
Receive application success response for valid code
Impact
Apply or distribute valid coupon

Vulnerability AssessmentAI

Exploitation The rate limit bypass is triggered when a request to the CartController's actionUpdateCart endpoint includes a couponCode parameter but omits the 'number' parameter. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No vendor-supplied CVSS vector is available, so risk signals must be assembled from description and structural analysis. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker scripts an HTTP client to repeatedly POST to the Craft Commerce cart update endpoint with varied couponCode values but without the 'number' parameter, bypassing the IP-based rate limiter entirely. With no throttle in place, the attacker cycles through a wordlist of common coupon patterns (e.g., SUMMER25, WELCOME10) at high speed until the application returns a success response indicating a valid code. …
Remediation Upgrade Craft Commerce to version 4.11.2 (for 4.x deployments) or 5.6.5 (for 5.x deployments), which extend rate limiting to cart requests that include a couponCode parameter. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55795 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy