Cyber Resilience

CVE-2026-29172

HighPublic PoC

Published: 10 March 2026

Published
10 March 2026
Modified
11 March 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0042 33.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-29172 is a high-severity SQL Injection (CWE-89) vulnerability in Craftcms Craft Commerce. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-29172 is a SQL injection vulnerability in Craft Commerce, an ecommerce platform for Craft CMS, affecting versions prior to 4.10.2 and 5.5.3. The flaw occurs in the purchasables table endpoint, where the sort parameter is split by the "|" character, and the first part—intended as a column name—is passed directly as an array key to Yii2's orderBy() method without whitelist validation. Yii2's query builder does not escape array keys, enabling injection of arbitrary SQL into the ORDER BY clause. Published on 2026-03-10, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-89.

An authenticated attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low attack complexity and no user interaction. By crafting a malicious sort parameter, they can inject SQL into the ORDER BY clause, potentially achieving high impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption of database operations.

The vulnerability is addressed in Craft Commerce 4.10.2 and 5.5.3. Official mitigation guidance and patch details are provided in the GitHub security advisory at https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw, along with the fixing commits https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276 and https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part (column name) is…

more

passed directly as an array key to orderBy() without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an authenticated attacker to inject arbitrary SQL into the ORDER BY clause. This vulnerability is fixed in 4.10.2 and 5.5.3.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in the purchasables endpoint of the public-facing Craft Commerce web application directly enables exploitation of a public-facing application (T1190) by an authenticated low-privileged user, allowing arbitrary SQL in ORDER BY for data access/modification/disruption.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-29174Same product: Craftcms Craft Commerce
CVE-2026-25495Same vendor: Craftcms
CVE-2026-31858Same vendor: Craftcms
CVE-2026-25498Same vendor: Craftcms
CVE-2025-68455Same vendor: Craftcms
CVE-2025-23209Same vendor: Craftcms
CVE-2026-24956Shared CWE-89
CVE-2026-33615Shared CWE-89
CVE-2025-28939Shared CWE-89
CVE-2021-47872Shared CWE-89

Affected Assets

craftcms
craft commerce
4.0.0 — 4.10.2 · 5.0.0 — 5.5.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of user-supplied inputs like the sort parameter to prevent SQL injection into the ORDER BY clause.

prevent

Ensures timely remediation of the specific SQL injection flaw by applying patches in Craft Commerce 4.10.2 or 5.5.3.

detect

Vulnerability scanning identifies SQL injection flaws in endpoints like purchasables table prior to exploitation.

References