CVE-2026-29174

UNKNOWN 0.0

Craft Commerce has a SQL Injection in Commerce Inventory Table Sorting

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Craft Commerce is vulnerable to SQL Injection in the inventory levels table data endpoint. The sort[0][direction] and sort[0][sortField] parameters are concatenated directly into an addOrderBy() clause without any validation or sanitization. An authenticated attacker with access to the Commerce Inventory section can inject arbitrary SQL queries, potentially leading to a full database compromise. This vulnerability is fixed in 5.5.3.

CWE	CWE-89
Vendor	craftcms
Product	commerce
Published	Mar 10, 2026
Last Updated	Mar 10, 2026

Stay Ahead of the Next One

Get instant alerts for craftcms commerce

Be the first to know when new unknown vulnerabilities affecting craftcms commerce are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

craftcms / commerce

>= 5.0.0 < 5.5.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/craftcms/commerce/security/advisories/GHSA-pmgj-gmm4-jh6j github.com: https://github.com/craftcms/commerce/commit/094d69df24b925544f337c38e2ec1effcd5395c7 github.com: https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b