Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-7mwe-pr8b-27b9
Vulnerability ID VCID-7mwe-pr8b-27b9
Aliases CVE-2026-29172
GHSA-j3x5-mghf-xvfw
Summary Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part (column name) is passed directly as an array key to orderBy() without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an authenticated attacker to inject arbitrary SQL into the ORDER BY clause. This vulnerability is fixed in 4.10.2 and 5.5.3.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00015 https://api.first.org/data/v1/epss?cve=CVE-2026-29172
epss 0.00015 https://api.first.org/data/v1/epss?cve=CVE-2026-29172
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-j3x5-mghf-xvfw
cvssv4 8.7 https://github.com/craftcms/commerce
generic_textual HIGH https://github.com/craftcms/commerce
cvssv4 8.7 https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276
generic_textual HIGH https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276
ssvc Track* https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276
cvssv4 8.7 https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1
generic_textual HIGH https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1
ssvc Track* https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1
cvssv3.1_qr HIGH https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw
cvssv4 8.7 https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw
generic_textual HIGH https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw
ssvc Track* https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw
cvssv4 8.7 https://nvd.nist.gov/vuln/detail/CVE-2026-29172
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-29172
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-29172
https://github.com/craftcms/commerce
b231b920b73db023e81e5b261b894d73e865c276 https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276
CVE-2026-29172 https://nvd.nist.gov/vuln/detail/CVE-2026-29172
e4e0f4107cd895d29290523637f077fe280407b1 https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1
GHSA-j3x5-mghf-xvfw https://github.com/advisories/GHSA-j3x5-mghf-xvfw
GHSA-j3x5-mghf-xvfw https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/craftcms/commerce
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-11T14:12:47Z/ Found at https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-11T14:12:47Z/ Found at https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-11T14:12:47Z/ Found at https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-29172
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.0312
EPSS Score 0.00015
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:46:57.509592+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/29xxx/CVE-2026-29172.json 38.6.0