CVE-2026-29172

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-29172

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-29172.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-29172

Aliases

GHSA-j3x5-mghf-xvfw

Published

2026-03-10T19:52:32.735Z

Modified

2026-04-10T05:42:28.074146Z

Severity

8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Craft Commerce has a SQL Injection in Commerce Purchasables Table Sorting

Details

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part (column name) is passed directly as an array key to orderBy() without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an authenticated attacker to inject arbitrary SQL into the ORDER BY clause. This vulnerability is fixed in 4.10.2 and 5.5.3.

Database specific

{
    "cwe_ids": [
        "CWE-89"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29172.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/craftcms/commerce

Affected ranges

Type

GIT

Repo

https://github.com/craftcms/commerce

Events

Introduced

03fe68b8a09d05b028c510411b55af6cea6a089a

Fixed

1a8afefa20ab87fe52c1da5fe347d2549b0d358d

Introduced

266ccfd800264c4a0a7c22447112c097b0af7bae

Fixed

00debfb9b25ac0885cb0193dcb6ef4aba0c9e07e

Fixed

b231b920b73db023e81e5b261b894d73e865c276

Fixed

e4e0f4107cd895d29290523637f077fe280407b1

Database specific

{
    "versions": [
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "4.10.2"
        },
        {
            "introduced": "5.0.0"
        },
        {
            "fixed": "5.5.3"
        }
    ]
}

Affected versions

5.*

5.0.0

5.0.1

5.0.10

5.0.10.1

5.0.11

5.0.11.1

5.0.12

5.0.12.1

5.0.13

5.0.14

5.0.15

5.0.16

5.0.16.1

5.0.16.2

5.0.17

5.0.18

5.0.19

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

5.0.9

5.1.0

5.1.0.1

5.1.2

5.1.3

5.1.4

5.2.0

5.2.1

5.2.10

5.2.11

5.2.12

5.2.12.1

5.2.2

5.2.2.1

5.2.3

5.2.4

5.2.5

5.2.8

5.2.9

5.2.9.1

5.3.0

5.3.0.1

5.3.0.2

5.3.1

5.3.10

5.3.11

5.3.12

5.3.13

5.3.2

5.3.2.1

5.3.2.2

5.3.3

5.3.4

5.3.5

5.3.6

5.3.7

5.3.8

5.4.0

5.4.1

5.4.1.1

5.4.10

5.4.2

5.4.3

5.4.4

5.4.5

5.4.5.1

5.4.6

5.4.7

5.4.7.1

5.4.8

5.4.9

5.5.0

5.5.0.1

5.5.1

5.5.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-29172.json"