{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29172", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-04T14:44:00.712Z", "datePublished": "2026-03-10T19:52:32.735Z", "dateUpdated": "2026-03-11T14:12:53.450Z"}, "containers": {"cna": {"title": "Craft Commerce has a SQL Injection in Commerce Purchasables Table Sorting", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw"}, {"name": "https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276"}, {"name": "https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1"}], "affected": [{"vendor": "craftcms", "product": "commerce", "versions": [{"version": ">= 4.0.0 < 4.10.2", "status": "affected"}, {"version": ">= 5.0.0 < 5.5.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T19:52:32.735Z"}, "descriptions": [{"lang": "en", "value": "Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part (column name) is passed directly as an array key to orderBy() without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an authenticated attacker to inject arbitrary SQL into the ORDER BY clause. This vulnerability is fixed in 4.10.2 and 5.5.3."}], "source": {"advisory": "GHSA-j3x5-mghf-xvfw", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T14:12:47.816068Z", "id": "CVE-2026-29172", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T14:12:53.450Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29172", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-11T14:12:47.816068Z"}}}], "references": [{"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T14:12:40.847Z"}}], "cna": {"title": "Craft Commerce has a SQL Injection in Commerce Purchasables Table Sorting", "source": {"advisory": "GHSA-j3x5-mghf-xvfw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "craftcms", "product": "commerce", "versions": [{"status": "affected", "version": ">= 4.0.0 < 4.10.2"}, {"status": "affected", "version": ">= 5.0.0 < 5.5.3"}]}], "references": [{"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw", "name": "https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276", "name": "https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1", "name": "https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part (column name) is passed directly as an array key to orderBy() without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an authenticated attacker to inject arbitrary SQL into the ORDER BY clause. This vulnerability is fixed in 4.10.2 and 5.5.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T19:52:32.735Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29172", "state": "PUBLISHED", "dateUpdated": "2026-03-11T14:12:53.450Z", "dateReserved": "2026-03-04T14:44:00.712Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-10T19:52:32.735Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*", "matchCriteriaId": "21ABE060-9AA9-4E13-A387-89028A7D990F", "versionEndExcluding": "4.10.2", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*", "matchCriteriaId": "2690BD5E-2A88-4CDC-AAD6-DD02B96E1A46", "versionEndExcluding": "5.5.3", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part (column name) is passed directly as an array key to orderBy() without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an authenticated attacker to inject arbitrary SQL into the ORDER BY clause. This vulnerability is fixed in 4.10.2 and 5.5.3."}, {"lang": "es", "value": "Craft Commerce es una plataforma de comercio electr\u00f3nico para Craft CMS. Antes de las versiones 4.10.2 y 5.5.3, Craft Commerce es vulnerable a inyecciones SQL en el punto final de la tabla de productos adquiribles. El par\u00e1metro de ordenaci\u00f3n se divide mediante | y la primera parte (nombre de columna) se pasa directamente como clave de matriz a orderBy() sin validaci\u00f3n de lista blanca. El generador de consultas de Yii2 NO escapa las claves de matriz, lo que permite a un atacante autenticado inyectar SQL arbitrario en la cl\u00e1usula ORDER BY. Esta vulnerabilidad se ha corregido en las versiones 4.10.2 y 5.5.3."}], "id": "CVE-2026-29172", "lastModified": "2026-03-11T16:54:15.053", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-03-10T20:16:38.230", "references": [{"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276"}, {"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1"}, {"source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "[email protected]", "type": "Secondary"}]}

{}