Nathaniel Hammond

6 exploits Active since Mar 2026
CVE-2026-29172 WRITEUP HIGH WRITEUP
Craft Commerce <4.10.2/5.5.3 - SQL Injection
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part (column name) is passed directly as an array key to orderBy() without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an authenticated attacker to inject arbitrary SQL into the ORDER BY clause. This vulnerability is fixed in 4.10.2 and 5.5.3.
CVSS 8.8
CVE-2026-29173 WRITEUP MEDIUM WRITEUP
Craft Commerce 4.0.0-4.10.1 - Stored Cross-Site Scripting in Order Status Update
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. This vulnerability is fixed in 4.10.2 and 5.5.3.
CVSS 4.8
CVE-2026-29174 WRITEUP HIGH WRITEUP
Craft Commerce <5.5.3 - SQL Injection
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Craft Commerce is vulnerable to SQL Injection in the inventory levels table data endpoint. The sort[0][direction] and sort[0][sortField] parameters are concatenated directly into an addOrderBy() clause without any validation or sanitization. An authenticated attacker with access to the Commerce Inventory section can inject arbitrary SQL queries, potentially leading to a full database compromise. This vulnerability is fixed in 5.5.3.
CVSS 8.8
CVE-2026-29175 WRITEUP MEDIUM WRITEUP
Craft Commerce 5.0.0-5.5.2 - Stored Cross-Site Scripting in Inventory Page Fields
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Stored XSS vulnerabilities exist in the Commerce Inventory page. The Product Title, Variant Title, and Variant SKU fields are rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript when any user (including administrators) views the inventory management page. This vulnerability is fixed in 5.5.3.
CVSS 5.4
CVE-2026-29176 WRITEUP MEDIUM WRITEUP
Craft Commerce 5.0.0-5.5.2 - Stored Cross-Site Scripting in Inventory Locations Name Field
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, A stored XSS vulnerability exists in the Commerce Settings - Inventory Locations page. The Name field is rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript. This XSS triggers when an administrator (or user with product editing permissions) creates or edits a variant product. This vulnerability is fixed in 5.5.3.
CVSS 4.8
CVE-2026-29177 WRITEUP MEDIUM WRITEUP
Craft Commerce 4.0.0-4.10.1 - Stored Cross-Site Scripting via Shipping Method Name, Order Reference, or Site Name
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name. When a user opens the order details slideout via a double-click on the order index page, the injected payload executes. This vulnerability is fixed in 4.10.2 and 5.5.3.
CVSS 5.4