CVE-2026-29172
Published: 10 March 2026
Summary
CVE-2026-29172 is a high-severity SQL Injection (CWE-89) vulnerability in Craftcms Craft Commerce. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 2.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation of user-supplied inputs like the sort parameter to prevent SQL injection into the ORDER BY clause.
Ensures timely remediation of the specific SQL injection flaw by applying patches in Craft Commerce 4.10.2 or 5.5.3.
Vulnerability scanning identifies SQL injection flaws in endpoints like purchasables table prior to exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in the purchasables endpoint of the public-facing Craft Commerce web application directly enables exploitation of a public-facing application (T1190) by an authenticated low-privileged user, allowing arbitrary SQL in ORDER BY for data access/modification/disruption.
NVD Description
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part (column name) is…
more
passed directly as an array key to orderBy() without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an authenticated attacker to inject arbitrary SQL into the ORDER BY clause. This vulnerability is fixed in 4.10.2 and 5.5.3.
Deeper analysisAI
CVE-2026-29172 is a SQL injection vulnerability in Craft Commerce, an ecommerce platform for Craft CMS, affecting versions prior to 4.10.2 and 5.5.3. The flaw occurs in the purchasables table endpoint, where the sort parameter is split by the "|" character, and the first part—intended as a column name—is passed directly as an array key to Yii2's orderBy() method without whitelist validation. Yii2's query builder does not escape array keys, enabling injection of arbitrary SQL into the ORDER BY clause. Published on 2026-03-10, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-89.
An authenticated attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low attack complexity and no user interaction. By crafting a malicious sort parameter, they can inject SQL into the ORDER BY clause, potentially achieving high impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption of database operations.
The vulnerability is addressed in Craft Commerce 4.10.2 and 5.5.3. Official mitigation guidance and patch details are provided in the GitHub security advisory at https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw, along with the fixing commits https://github.com/craftcms/commerce/commit/b231b920b73db023e81e5b261b894d73e865c276 and https://github.com/craftcms/commerce/commit/e4e0f4107cd895d29290523637f077fe280407b1.
Details
- CWE(s)