SQL Injection in Craftcms Commerce

CVE-2026-29174

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Craft Commerce is vulnerable to SQL Injection in the inventory levels table data endpoint. The sort[0][direction] and sort[0][sortField] parameters are concatenated dir…

Vulnerability class: SQL Injection

EPSS: 0.000 (3.2th percentile)

Affected products

Weakness classification (CWE)

References