PT-2026-32515 · Unknown · Craft Commerce

Rajchowdhury240 +1

Published 2026-04-13 · Updated 2026-04-14 · CVE-2026-32271

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Craft Commerce versions prior to 4.10.3
Craft Commerce versions prior to 5.5.5
Description

An SQL injection exists in the Commerce TotalRevenue widget. It allows authenticated control panel users to achieve remote code execution through a four-step chain. The issue occurs when unsanitized widget settings are interpolated into SQL expressions; PDO's default multi-statement query support is then used to inject a serialized PHP object into the queue table. When the queue consumer processes the job, an unrestricted unserialize() call in yii2-queue instantiates a GuzzleHttp FileCookieJar gadget chain, whose __destruct() method writes a PHP webshell to the server's webroot. Queue processing is triggered via an unauthenticated endpoint.
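The two defects the description names, string interpolation of a widget setting into SQL and an unrestricted unserialize() on queue payloads, are illustrated below in plain PDO. This is an added example, not code from Craft Commerce, yii2-queue or the advisory; the table and column names, the `startDate` setting and the function names are assumptions chosen for illustration.

```php
<?php
// Added illustration, not code from Craft Commerce or the advisory.
// The table/column names and the 'startDate' setting are assumptions.

// Hypothetical unsafe pattern: a widget setting becomes part of the SQL text.
// On a connection that accepts multiple statements per query, this is the
// class of defect the advisory describes.
function revenueSqlUnsafe(PDO $pdo, array $settings): PDOStatement
{
    $sql = "SELECT SUM(totalPaid) FROM commerce_orders "
         . "WHERE dateOrdered >= '" . $settings['startDate'] . "'";
    return $pdo->query($sql);
}

// Hardened form: the setting travels as a bound parameter, never as SQL text.
function revenueSqlSafe(PDO $pdo, array $settings): PDOStatement
{
    $stmt = $pdo->prepare(
        "SELECT SUM(totalPaid) FROM commerce_orders WHERE dateOrdered >= :start"
    );
    $stmt->execute([':start' => $settings['startDate']]);
    return $stmt;
}

// Defence in depth on the connection itself: disable client-side prepared-
// statement emulation and MySQL multi-statement support, so a single query
// string cannot carry a second statement even if interpolation slips through.
function hardenedConnection(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_EMULATE_PREPARES       => false,
        PDO::MYSQL_ATTR_MULTI_STATEMENTS => false,
        PDO::ATTR_ERRMODE                => PDO::ERRMODE_EXCEPTION,
    ]);
}

// The second link in the chain is an unrestricted unserialize(). Passing an
// explicit allow-list means any other class in the payload is restored as
// __PHP_Incomplete_Class, so its __destruct() never runs.
function decodeJobPayload(string $serialized, array $allowedClasses): mixed
{
    return unserialize($serialized, ['allowed_classes' => $allowedClasses]);
}
```

`PDO::MYSQL_ATTR_MULTI_STATEMENTS` only applies to the MySQL driver; for other drivers the parameter binding and the `allowed_classes` restriction are the relevant controls. Restricting deserialization in a queue consumer is a change to the consumer's own code, which for the affected versions is addressed by the vendor update listed under Recommendations.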
Recommendations

Update to version 4.10.3. Update to version 5.5.5.

Tags: Fix · RCE · SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-32271
GHSA-875V-7M49-8X88

Affected Products

Craft Commerce