Description
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Craft Commerce is vulnerable to SQL Injection in the inventory levels table data endpoint. The sort[0][direction] and sort[0][sortField] parameters are concatenated directly into an addOrderBy() clause without any validation or sanitization. An authenticated attacker with access to the Commerce Inventory section can inject arbitrary SQL queries, potentially leading to a full database compromise. This vulnerability is fixed in 5.5.3.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/craftcms/commerce/security/advisories/GHSA-pmgj-gmm4-jh6j
Patch x_refsource_misc
https://github.com/craftcms/commerce/commit/094d69df24b925544f337c38e2ec1effcd5395c7
Scores
CVSS v3
8.8
EPSS
0.0044
EPSS Percentile
34.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-89
Status
published
Products (1)
craftcms/craft_commerce
5.0.0 - 5.5.3
Published
Mar 10, 2026
Tracked Since
Mar 11, 2026