Skip to main content

PHP EUVD-2026-22075

| CVE-2026-32271 HIGH
SQL Injection (CWE-89)
2026-04-13 GitHub_M GHSA-875v-7m49-8x88
SQLi Deserialization RCE PHP
7.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:37 vuln.today
cvss_changed
Analysis Generated
Apr 15, 2026 - 12:35 vuln.today
Patch released
Apr 14, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 13, 2026 - 21:00 euvd
EUVD-2026-22075
Analysis Generated
Apr 13, 2026 - 21:00 vuln.today
CVE Published
Apr 13, 2026 - 20:19 nvd
HIGH 7.7

DescriptionGitHub Advisory

Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allows any authenticated control panel user to achieve remote code execution through a four-step exploitation chain. The attack exploits unsanitized widget settings interpolated into SQL expressions, combined with PDO's default multi-statement query support, to inject a maliciously serialized PHP object into the queue table. When the queue consumer processes the injected job, the unrestricted unserialize() call in yii2-queue instantiates a GuzzleHttp FileCookieJar gadget chain whose __destruct() method writes a PHP webshell to the server's webroot. The complete chain requires only three HTTP requests, no administrative privileges, and results in arbitrary command execution as the PHP process user, with queue processing triggered via an unauthenticated endpoint. This issue has been fixed in versions 4.10.3 and 5.5.5.

AnalysisAI

Remote code execution via SQL injection in Craft Commerce 4.x (4.0.0-4.10.2) and 5.x (5.0.0-5.5.4) allows authenticated control panel users to write PHP webshells through a four-step exploitation chain. Attack exploits unsanitized TotalRevenue widget settings interpolated into SQL, PDO multi-statement support, and unsafe PHP deserialization in yii2-queue to instantiate a GuzzleHttp FileCookieJar gadget chain. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate to control panel
Delivery
Create malicious TotalRevenue widget with SQL injection payload
Exploit
Inject serialized FileCookieJar object into queue table
Install
Trigger queue processing via unauthenticated endpoint
C2
Deserialize malicious object
Execute
Execute __destruct() gadget chain
Impact
Write PHP webshell to webroot
Step 8
Execute arbitrary commands via HTTP
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Requires authenticated access to Craft CMS control panel with permissions to create or modify dashboard widgets (default for most non-guest user roles including editors, marketers, and shop managers). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is moderate despite high CVSS 7.7 score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with low-privileged Craft CMS control panel credentials (such as a content editor or customer service role) creates a malicious TotalRevenue dashboard widget with specially crafted settings containing SQL injection payloads. The injected SQL writes a serialized GuzzleHttp FileCookieJar object into the queue database table with properties configured to write a PHP webshell when deserialized. …
Remediation Upgrade immediately to Craft Commerce 4.10.3 or 5.5.5 depending on major version branch. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all Craft Commerce 4.x and 5.x instances in your environment and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-55692 HIGH POC
7.5 Jun 19

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi
CVE-2026-9815 MEDIUM POC
6.5 Jun 18

Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co
CVE-2026-48908 CRITICAL
10.0 Jun 20

Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through

CVE-2026-48939 CRITICAL
10.0 Jun 20

Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve
CVE-2025-69108 CRITICAL
9.8 Jun 16

Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers

Share

EUVD-2026-22075 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy