PT-2026-24414 · Pixel & Tonic · Craft Commerce

Mhe4Am

·

Publicado

2026-03-10

·

Atualizado

2026-03-10

·

CVE-2026-29172

CVSS v3.1

8.8

Alta

VetorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Craft Commerce versions prior to 4.10.2 Craft Commerce versions prior to 5.5.3
Description Craft Commerce, an ecommerce platform for Craft CMS, has a SQL Injection issue in the purchasables table endpoint. The sort parameter is split and the column name part is passed to the orderBy() function without proper validation. Yii2’s query builder does not escape array keys, which allows an authenticated attacker to inject SQL into the ORDER BY clause. The vulnerable endpoint is '/purchasables'. The vulnerable parameter is sort.
Recommendations Update to Craft Commerce version 4.10.2 or later. Update to Craft Commerce version 5.5.3 or later.

Exploit

Correção

SQL injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-89

Identificadores relacionados

CVE-2026-29172
GHSA-J3X5-MGHF-XVFW

Produtos afetados

Craft Commerce