CVE-2026-29174

Name of the Vulnerable Software and Affected Versions Craft Commerce versions prior to 5.5.3

Description Craft Commerce, an ecommerce platform for Craft CMS, has a SQL Injection issue in the inventory levels table data endpoint. The sort[0][direction] and sort[0][sortField] parameters are directly added to an addOrderBy() clause without proper validation or sanitization. An authenticated attacker with access to the Commerce Inventory section can inject SQL queries, potentially compromising the entire database.

Recommendations Update to version 5.5.3 or later.