CVE-2026-29174
Published: 10 March 2026
Summary
CVE-2026-29174 is a high-severity SQL Injection (CWE-89) vulnerability in Craftcms Craft Commerce. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 2.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires the system to validate information inputs, which directly prevents this SQL injection by ensuring the sort[0][direction] and sort[0][sortField] parameters are validated before they reach the addOrderBy() SQL clause.
- SI-2 (Flaw Remediation): mandates timely flaw remediation, such as patching Craft Commerce to version 5.5.3 to eliminate the SQL injection in the inventory levels endpoint.
- RA-5 (Vulnerability Monitoring and Scanning): provides vulnerability monitoring and scanning to identify SQL injection flaws like CVE-2026-29174 in the Commerce Inventory section endpoint.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection in an internet-facing Craft Commerce web application (reachable by an authenticated but low-privilege user of the inventory endpoint) directly enables Exploit Public-Facing Application (T1190) to achieve full database compromise; this constitutes Exploitation for Privilege Escalation (T1068) and facilitates arbitrary data access and modification in the backend database (T1213.006).
NVD Description
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Craft Commerce is vulnerable to SQL Injection in the inventory levels table data endpoint. The sort[0][direction] and sort[0][sortField] parameters are concatenated directly into an addOrderBy() clause without any validation or sanitization. An authenticated attacker with access to the Commerce Inventory section can inject arbitrary SQL queries, potentially leading to a full database compromise. This vulnerability is fixed in 5.5.3.
Deeper analysis
CVE-2026-29174 is a SQL injection vulnerability affecting Craft Commerce, an ecommerce platform for Craft CMS, in versions prior to 5.5.3. The issue resides in the inventory levels table data endpoint, where the sort[0][direction] and sort[0][sortField] parameters are directly concatenated into an addOrderBy() clause without validation or sanitization, allowing arbitrary SQL injection (CWE-89). The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.
An authenticated attacker with access to the Commerce Inventory section can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By manipulating the vulnerable sort parameters, the attacker can inject arbitrary SQL queries, potentially leading to full database compromise, including data exfiltration, modification, or deletion.
The vulnerability is fixed in Craft Commerce version 5.5.3. Security practitioners should upgrade to this version immediately. Additional details on the patch are available in the GitHub security advisory (GHSA-pmgj-gmm4-jh6j) and related commits (094d69df24b925544f337c38e2ec1effcd5395c7 and a2ea853935ef03297ea1298bdb0d8c55ec5daf7b).
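The root cause described above is a request-controlled sort field and direction reaching an ORDER BY clause as raw text. The following PHP is an added example written for this page; it is not Craft Commerce or Yii code and does not reproduce the vulnerable endpoint. It shows the defensive pattern that closes this class of bug: map the client-facing sortField onto an allowlist of real column names and collapse direction to one of two constants, so the request value itself is never concatenated. The column names, the request shape and the SortValidationException class are assumptions made for the example. The returned array is in the form that Yii2's Query::addOrderBy() accepts (column => SORT_ASC|SORT_DESC), which is the safe way to hand a sort to that API because the query builder quotes the column names itself.

```php
<?php
declare(strict_types=1);

// Added example, not Craft Commerce code. Column names, request shape and the
// exception class below are assumptions made for illustration.
final class SortValidationException extends InvalidArgumentException {}

/**
 * Turn an untrusted `sort` request parameter into a safe ORDER BY specification.
 *
 * @param array $sortParam       decoded request value, e.g.
 *                               [['sortField' => 'quantity', 'direction' => 'desc']]
 * @param array $allowedColumns  allowlist mapping client-facing sort keys to real column names
 * @return array                 [columnName => SORT_ASC|SORT_DESC], the array form that
 *                               Yii2's Query::addOrderBy() accepts and quotes itself
 */
function normalizeSort(array $sortParam, array $allowedColumns): array
{
    $orderBy = [];
    foreach ($sortParam as $index => $entry) {
        if (!is_array($entry) || !isset($entry['sortField'], $entry['direction'])) {
            throw new SortValidationException("sort[$index] is malformed");
        }

        // The request value is only ever used as a lookup key; the column name
        // that reaches SQL comes from the allowlist, never from the request.
        $field = $entry['sortField'];
        if (!is_string($field) || !array_key_exists($field, $allowedColumns)) {
            throw new SortValidationException("sort[$index][sortField] is not a sortable field");
        }

        // Direction collapses to one of two constants; anything else is rejected.
        $direction = is_string($entry['direction']) ? strtolower($entry['direction']) : '';
        if ($direction === 'asc') {
            $orderBy[$allowedColumns[$field]] = SORT_ASC;
        } elseif ($direction === 'desc') {
            $orderBy[$allowedColumns[$field]] = SORT_DESC;
        } else {
            throw new SortValidationException("sort[$index][direction] must be asc or desc");
        }
    }
    return $orderBy;
}

/** Render the validated specification as SQL text (MySQL-style quoting) for logging or display. */
function renderOrderBy(array $orderBy): string
{
    $parts = [];
    foreach ($orderBy as $column => $direction) {
        // Every $column came from the allowlist, so quoting it is safe.
        $parts[] = '`' . $column . '`' . ($direction === SORT_DESC ? ' DESC' : ' ASC');
    }
    return $parts === [] ? '' : 'ORDER BY ' . implode(', ', $parts);
}

// Constructed allowlist and inputs mirroring the sort[0][sortField] / sort[0][direction] shape.
$allowed = ['sku' => 'sku', 'quantity' => 'quantity', 'updated' => 'dateUpdated'];

$good = ['0' => ['sortField' => 'quantity', 'direction' => 'DESC']];
echo renderOrderBy(normalizeSort($good, $allowed)), PHP_EOL;

// An unknown field and an unknown direction are both refused before any SQL is built.
foreach ([
    ['0' => ['sortField' => 'notAColumn', 'direction' => 'asc']],
    ['0' => ['sortField' => 'sku', 'direction' => 'sideways']],
] as $bad) {
    try {
        normalizeSort($bad, $allowed);
    } catch (SortValidationException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The design choice worth noting is that validation here is a lookup, not a sanitizer: there is no escaping step that could be bypassed, because the only strings that ever reach the query are the allowlist's own column names and two fixed constants. The same check is also a useful detection hook, since a SortValidationException on this endpoint is a cheap signal to log and alert on.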
Details
- CWE(s)