SQL Injection in Craftcms Commerce
CVE-2026-29172
Craft Commerce is an e-commerce platform for Craft CMS. Prior to versions 4.10.2 and 5.5.3, Craft Commerce is vulnerable to SQL injection in the purchasables table endpoint. The sort parameter is split on | and the first part (the column name) is passed…
Vulnerability class: SQL Injection
EPSS: 0.000 (3.2 percentile)
Affected products
- Craftcms Commerce — versions >= 4.0.0 and < 4.10.2; versions >= 5.0.0 and < 5.5.3
Weakness classification (CWE)
References
- https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw (x_refsource_CONFIRM)
- https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276 (x_refsource_MISC)
- https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1 (x_refsource_MISC)