SQL Injection in Craftcms Commerce
CVE-2026-32271
Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allows any authenticated control panel user…
Vulnerability class: SQL Injection
EPSS: 0.001 (23.6th percentile)
Affected products
- Craftcms Commerce — versions >= 4.0.0, < 4.10.3, >= 5.0.0, < 5.5.5
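The advisory above names the vulnerability class and the affected component but not the query or the injected parameter, and the fixing commit is only linked, so the following is an added illustration of the class of bug, not Craft Commerce's own code. It assumes a hypothetical revenue widget that filters orders by a user-supplied date range; the schema, table names, rows and the payload are constructed for the example. It shows the vulnerable string-interpolation form beside the parameterised form, and a date-format check that rejects the payload before it reaches the database at all.

```python
import sqlite3
from datetime import date

# Constructed sample schema: a tiny orders table plus an unrelated users table
# that an injection would let a low-privileged user read. This is not the
# Craft Commerce schema; it stands in for any revenue-aggregation query.
SCHEMA = """
CREATE TABLE orders (id INTEGER PRIMARY KEY, total REAL, dateOrdered TEXT);
CREATE TABLE users  (id INTEGER PRIMARY KEY, email TEXT, password TEXT);
INSERT INTO orders VALUES (1, 10.0, '2024-01-05'), (2, 25.5, '2024-02-10'), (3, 4.5, '2024-02-20');
INSERT INTO users  VALUES (1, 'admin@example.test', 'hash-of-secret');
"""


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def revenue_rows_vulnerable(conn, start, end):
    # Vulnerable pattern: the caller-controlled date range is spliced into the
    # SQL text, so a quote in either value changes the query structure.
    sql = (
        f"SELECT total FROM orders "
        f"WHERE dateOrdered >= '{start}' AND dateOrdered <= '{end}'"
    )
    return [row[0] for row in conn.execute(sql)]


def revenue_rows_hardened(conn, start, end):
    # Hardened: same query with bound parameters. The driver sends the values
    # separately from the SQL text, so they can never be parsed as SQL.
    sql = "SELECT total FROM orders WHERE dateOrdered >= ? AND dateOrdered <= ?"
    return [row[0] for row in conn.execute(sql, (start, end))]


def validate_iso_date(value):
    # Defence in depth: a widget date filter should only ever be a date.
    # Raises ValueError for anything that is not strict YYYY-MM-DD.
    return date.fromisoformat(value).isoformat()


def total_revenue(conn, start, end):
    # The hypothetical "TotalRevenue" computation, using both layers.
    start, end = validate_iso_date(start), validate_iso_date(end)
    return sum(revenue_rows_hardened(conn, start, end))


def demo():
    conn = connect()
    honest = revenue_rows_vulnerable(conn, "2024-02-01", "2024-02-28")
    # Constructed payload: closes the quote, suppresses the real rows with
    # "AND 0", appends a UNION over the users table and comments out the rest.
    payload = "2024-02-01' AND 0 UNION SELECT email || ':' || password FROM users -- "
    leaked = revenue_rows_vulnerable(conn, payload, "2024-02-28")
    # Same payload against the parameterised query: treated as an odd-looking
    # string compared against dateOrdered, never as SQL.
    hardened = revenue_rows_hardened(conn, payload, "2024-02-28")
    try:
        validate_iso_date(payload)
        rejected = False
    except ValueError:
        rejected = True
    return honest, leaked, hardened, rejected
```

Calling `demo()` returns the honest February totals, the credential string leaked through the interpolated query, the same totals from the parameterised query even when given the payload, and `True` for the input validator rejecting the payload. Both fixes are cheap; the parameter binding is the one that actually closes the injection, and the validator only narrows what a control panel user can send in the first place.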
Weakness classification (CWE)
References
- https://github.com/craftcms/commerce/security/advisories/GHSA-875v-7m49-8x88 (x_refsource_CONFIRM)
- https://github.com/craftcms/commerce/commit/6d2d24b3a2b0c06593856d05446f82bd8af92d72 (x_refsource_MISC)