anonhaven
Ad

CVE-2026-29174

HIGH CVSS 4.0: 8.7 EPSS 0.01%
Updated Mar 10, 2026
Craft
Parameter Value
CVSS 8.7 (HIGH)
Fixed In 5.5.3
Type CWE-89 (SQL Injection)
Vendor Craft
Public PoC No

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Craft Commerce is vulnerable to SQL Injection in the inventory levels table data endpoint. The sort[0][direction] and sort[0][sortField] parameters are concatenated directly into an addOrderBy() clause without any validation or sanitization.

An authenticated attacker with access to the Commerce Inventory section can inject arbitrary SQL queries, potentially leading to a full database compromise. This vulnerability is fixed in 5.5.3.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service

CVSS Vector v4.0

Weakness Type (CWE)

CWE-89 SQL Injection

References 3

https://github.com/craftcms/commerce/commit/094d69df24b925544f337c38e2ec1effcd5…
security-advisories@github.com
https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5…
security-advisories@github.com
https://github.com/craftcms/commerce/security/advisories/GHSA-pmgj-gmm4-jh6j
security-advisories@github.com
Share Post Share Share Share