CVE-2026-32272

UNKNOWN 0.0

Craft Commerce: Blind SQL Injection via hasVariant/hasProduct

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Craft Commerce is an ecommerce platform for Craft CMS. In versions 5.0.0 through 5.5.4, an SQL injection vulnerability exists where the ProductQuery::hasVariant and VariantQuery::hasProduct properties bypass the input sanitization blocklist added to ElementIndexesController in a prior security fix (GHSA-2453-mppf-46cj). The blocklist only strips top-level Yii2 Query properties such as where and orderBy, but hasVariant and hasProduct pass through untouched and internally call Craft::configure() on a subquery without sanitization, re-introducing SQL injection. Any authenticated control panel user can exploit this via boolean-based blind SQL injection to extract arbitrary database contents, including security keys that enable forging admin sessions for privilege escalation. This issue has been fixed in version 5.6.0.

CWE	CWE-89
Vendor	craftcms
Product	commerce
Published	Apr 13, 2026
Last Updated	Apr 14, 2026

Stay Ahead of the Next One

Get instant alerts for craftcms commerce

Be the first to know when new unknown vulnerabilities affecting craftcms commerce are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

craftcms / commerce

>= 5.0.0 < 5.6.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/craftcms/commerce/security/advisories/GHSA-r54v-qq87-px5r github.com: https://github.com/craftcms/commerce/pull/4232 github.com: https://github.com/advisories/GHSA-2453-mppf-46cj github.com: https://github.com/craftcms/commerce/releases/tag/5.6.0