Description
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part (column name) is passed directly as an array key to orderBy() without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an authenticated attacker to inject arbitrary SQL into the ORDER BY clause. This vulnerability is fixed in 4.10.2 and 5.5.3.
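As an added illustration of the pattern the advisory describes (not Craft Commerce's own code; the column allow-list and the parameter handling are assumed), the vulnerable shape of the sort handling beside a hardened version that allow-lists the column name before it becomes an orderBy() array key:

```php
<?php
// Added illustration of the CWE-89 pattern described above (not Craft Commerce's
// own code). The parameter format and the column list are assumptions.
declare(strict_types=1);

// Vulnerable shape: the raw first segment of the sort parameter becomes the
// array key handed to Yii2's orderBy(), and that key is not escaped.
function buildOrderByUnsafe(string $sortParam): array
{
    [$column, $direction] = array_pad(explode('|', $sortParam, 2), 2, 'asc');
    return [$column => strtolower($direction) === 'desc' ? SORT_DESC : SORT_ASC];
}

// Hardened shape: only allow-listed column names reach orderBy(); anything else
// is rejected before any query is built.
final class SortParamValidator
{
    /** @var string[] assumed sortable columns for the purchasables table */
    private const ALLOWED_COLUMNS = ['id', 'sku', 'price', 'dateCreated'];

    public static function buildOrderBy(string $sortParam): array
    {
        $parts = explode('|', $sortParam, 2);
        $column = $parts[0];
        $direction = strtolower($parts[1] ?? 'asc');

        if (!in_array($column, self::ALLOWED_COLUMNS, true)) {
            throw new InvalidArgumentException("Unsupported sort column: $column");
        }
        if (!in_array($direction, ['asc', 'desc'], true)) {
            throw new InvalidArgumentException("Unsupported sort direction: $direction");
        }
        // The key is now a known identifier, so nothing user-controlled is spliced into ORDER BY.
        return [$column => $direction === 'desc' ? SORT_DESC : SORT_ASC];
    }
}

// Constructed inputs: a legitimate sort and one whose first segment is not a bare column name.
foreach (['price|desc', 'price, 1|asc'] as $input) {
    printf("unsafe   %-16s -> %s\n", $input, json_encode(buildOrderByUnsafe($input)));
    try {
        printf("hardened %-16s -> %s\n", $input, json_encode(SortParamValidator::buildOrderBy($input)));
    } catch (InvalidArgumentException $e) {
        printf("hardened %-16s -> rejected (%s)\n", $input, $e->getMessage());
    }
}
```

The unsafe variant passes the second input through unchanged as an orderBy() key, which is exactly the point at which the query builder's lack of key escaping turns a sort parameter into SQL; the hardened variant rejects it before a query exists.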
References
Patch x_refsource_misc
https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276
Vendor Advisory x_refsource_confirm
https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw
Scores
CVSS v3
8.8
EPSS
0.0042
EPSS Percentile
33.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-89
Status
published
Products (1)
craftcms/craft_commerce
4.0.0 - 4.10.2
Published
Mar 10, 2026
Tracked Since
Mar 11, 2026