PT-2026-32516 · Craft CMS · Craft Commerce

Neosprings · Published 2026-04-13 · Updated 2026-04-14 · CVE-2026-32272

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Craft Commerce versions prior to 5.6.0
Description: An SQL injection exists in Craft Commerce, the e-commerce platform for Craft CMS. The hasVariant property of ProductQuery and the hasProduct property of VariantQuery bypass the input sanitization blocklist in ElementIndexesController: both internally call Craft::configure() on a subquery without sanitization. Authenticated control panel users can exploit this via boolean-based blind SQL injection to extract arbitrary database contents, including security keys that enable forging admin sessions for privilege escalation.
Recommendations: Update to version 5.6.0. As a temporary workaround, avoid using the hasVariant and hasProduct properties in queries until the update is applied.

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2026-32272
GHSA-R54V-QQ87-PX5R

Affected Products

Craft Commerce