VYPR
High severity · NVD Advisory · Published Mar 10, 2026 · Updated Mar 11, 2026

Craft Commerce has a SQL Injection in Commerce Purchasables Table Sorting

CVE-2026-29172

Description

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part (column name) is passed directly as an array key to orderBy() without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an authenticated attacker to inject arbitrary SQL into the ORDER BY clause. This vulnerability is fixed in 4.10.2 and 5.5.3.
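A defensive version of the sort handling the advisory describes, written here as an added example rather than Craft Commerce's own code: it accepts both the column|direction string and the array form the fix handles, and only ever hands an allow-listed column name to the query builder. It assumes PHP 8.0 or later; parseSortParam and the sample inputs are constructed for this illustration.

```php
<?php
// Added example (not Craft Commerce's own code): allow-list the "column|direction"
// sort parameter before it reaches Yii2's orderBy(), which is the check the fix adds.
// The vulnerable shape passed the untrusted column name straight in as the array key
// of orderBy([$column => $direction]). Assumes PHP 8.0+.
declare(strict_types=1);

/**
 * Turn a sort parameter into an orderBy() array, or null when anything is off.
 * Accepts the string form "sku|desc" and the array form
 * [['sortField' => 'sku', 'direction' => 'desc']] that the patched controller handles.
 * $allowedColumns maps a client-facing sort key to the real column name, so the
 * value from the request is only ever used as a lookup key, never as SQL.
 */
function parseSortParam(string|array|null $sort, array $allowedColumns): ?array
{
    if (is_array($sort)) {
        $column = $sort[0]['sortField'] ?? null;      // missing keys become null, no warning
        $direction = $sort[0]['direction'] ?? null;
    } elseif (is_string($sort) && str_contains($sort, '|')) {
        [$column, $direction] = explode('|', $sort, 2);
    } else {
        return null;                                   // no usable sort: caller keeps its default
    }

    // Strict checks: both parts must be strings that match an entry exactly.
    if (!is_string($column) || !array_key_exists($column, $allowedColumns)) {
        return null;
    }
    if (!in_array($direction, ['asc', 'desc'], true)) {
        return null;
    }

    return [$allowedColumns[$column] => $direction === 'asc' ? SORT_ASC : SORT_DESC];
}

// Constructed inputs, using the same three columns as the purchasables fix.
$allowed = ['description' => 'description', 'sku' => 'sku', 'price' => 'price'];
$samples = [
    'sku|desc',                                        // well-formed request
    'dateCreated|asc',                                 // column name that is not allow-listed
    'sku|DESC',                                        // direction must match case exactly
    [['sortField' => 'price']],                        // array form with no direction
    'description',                                     // no separator at all
];
foreach ($samples as $sample) {
    printf("%-40s => %s\n", json_encode($sample), var_export(parseSortParam($sample, $allowed), true));
}
```

Only the value returned from the allow-list map is placed in the orderBy() array, so a request value that is not a known key can never appear in the generated ORDER BY.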

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions       Patched versions
craftcms/commerce (Packagist)    >= 4.0.0, < 4.10.2      4.10.2
craftcms/commerce (Packagist)    >= 5.0.0, < 5.5.3       5.5.3

Patches
e4e0f4107cd8

changelog

https://github.com/craftcms/commerce · Brad Bell · Jan 13, 2026 · via GHSA
1 file changed · +1 −1
  • CHANGELOG.md (+1 −1) modified
    @@ -3,7 +3,7 @@
     ## Unreleased
     
     - Fixed a bug where the order’s table was showing the incorrect column heading on the Edit User page.
    -- Fixed XSS vulnerabilities.
    +- Fixed a high-severity SQL injection vulnerability in the control panel. (GHSA-j3x5-mghf-xvfw)
     
     ## 4.10.1 - 2025-12-31
     
    
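Review bot: the `-`/`+` pair here replaces the "Fixed XSS vulnerabilities." line that commit b231b920b73d added instead of adding a new bullet next to it, so the XSS fix that commit shipped loses its changelog entry. Suggest keeping both bullets under ## Unreleased: the existing `- Fixed XSS vulnerabilities.` and the new `- Fixed a high-severity SQL injection vulnerability in the control panel. (GHSA-j3x5-mghf-xvfw)`.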
b231b920b73d

Fixed column typo and XSS

https://github.com/craftcms/commerce · Nathaniel Hammond · Jan 5, 2026 · via GHSA
3 files changed · +34 −3
  • CHANGELOG.md (+5 −0) modified
    @@ -1,5 +1,10 @@
     # Release Notes for Craft Commerce
     
    +## Unreleased
    +
    +- Fixed a bug where the order’s table was showing the incorrect column heading on the Edit User page.
    +- Fixed XSS vulnerabilities.
    +
     ## 4.10.1 - 2025-12-31
     
     - Fixed a bug where settings were being saved to the project config incorrectly. ([#4006](https://github.com/craftcms/commerce/issues/4006))
    
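Review bot: the new ## Unreleased entries say nothing about the ORDER BY allow-listing this same commit adds to src/controllers/OrdersController.php (+28 −2 in the file list), which is the change that matters for CVE-2026-29172; "Fixed XSS vulnerabilities." on its own will not point an operator at the sort-parameter hardening. Suggest a third bullet naming the SQL injection fix, as the follow-up commit e4e0f4107cd8 later does.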
  • src/controllers/OrdersController.php (+28 −2) modified
    @@ -387,8 +387,26 @@ public function actionUserOrdersTable(): Response
                 $orderQuery->search($search);
             }
     
    +        $orderQuery->orderBy('dateOrdered DESC');
             if ($sort) {
    -            [$field, $direction] = explode('|', $sort);
    +            if (is_array($sort)) {
    +                $field = $sort[0]['sortField'];
    +                $direction = $sort[0]['direction'];
    +            } else {
    +                [$field, $direction] = explode('|', $sort);
    +            }
    +
    +            // Validate sorting
    +            if (!in_array($direction, ['asc', 'desc']) ||
    +                !in_array($field, [
    +                    'reference',
    +                    'dateOrdered',
    +                    'totalPrice',
    +                ])
    +            ) {
    +                $field = null;
    +                $direction = null;
    +            }
     
                 if ($field && $direction) {
                     $orderQuery->orderBy($field . ' ' . $direction);
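Review bot: the string branch still runs `[$field, $direction] = explode('|', $sort);` with no check that `$sort` contains a '|' (compare the `strpos($sort, '|')` guard in actionPurchasablesTable), so a value without the separator raises an undefined-offset warning before the validation nulls both variables; the array branch likewise reads `$sort[0]['sortField']` and `$sort[0]['direction']` unconditionally. Suggest `explode('|', $sort, 2) + [1 => null]` and `?? null` on the array reads so malformed input is rejected quietly. Also worth making `in_array($direction, ['asc', 'desc'])` strict (`in_array(..., true)`) to match the purchasables hunk.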
    @@ -399,7 +417,6 @@ public function actionUserOrdersTable(): Response
     
             $orderQuery->offset($offset);
             $orderQuery->limit($limit);
    -        $orderQuery->orderBy('dateOrdered DESC');
             $orders = $orderQuery->all();
     
             $rows = [];
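Review bot: dropping the trailing `$orderQuery->orderBy('dateOrdered DESC');` is a behaviour change as well as part of the fix. Yii2's Query::orderBy() replaces the current ORDER BY rather than appending, so with this call last any sort set earlier in the method was discarded; now that the default sits above the sort block, a valid allow-listed sort takes effect. Worth a line in the commit message or changelog so the newly working sort is not reported as a regression.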
    @@ -557,6 +574,15 @@ public function actionPurchasablesTable(): Response
             // Apply sorting if required
             if ($sort && strpos($sort, '|')) {
                 [$column, $direction] = explode('|', $sort);
    +
    +            if (!in_array($column, [
    +                'description',
    +                'sku',
    +                'price',
    +            ])) {
    +                $column = null;
    +            }
    +
                 if ($column && in_array($direction, ['asc', 'desc'], true)) {
                     $sqlQuery->orderBy([$column => $direction == 'asc' ? SORT_ASC : SORT_DESC]);
                 }
    
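Review bot: `in_array($column, [...])` on the new allow-list is a loose comparison while the `$direction` check two lines below uses `in_array(..., true)`; pass `true` here as well so both checks are exact string matches. The surrounding guard `if ($sort && strpos($sort, '|'))` also treats a '|' at offset 0 as false (strpos returns 0), which only skips sorting, but `strpos(...) !== false` (or str_contains on PHP 8) states the intent.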
  • src/templates/_includes/users/_ordersTable.twig (+1 −1) modified
    @@ -12,7 +12,7 @@
     var orderColumns = [
         { name: '__slot:title', title: Craft.t('commerce', 'Order'), sortField: 'reference' },
         { name: 'date', title: Craft.t('commerce', 'Order Date'), sortField: 'dateOrdered' },
    -    { name: 'total', title: Craft.t('commerce', 'Total Paid'), sortField: 'totalPaid' },
    +    { name: 'total', title: Craft.t('commerce', 'Total'), sortField: 'totalPrice' },
         { name: 'orderStatus', title: Craft.t('commerce', 'Status'),
             callback: function(value) {
                 return value;
    
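Review bot: switching sortField from 'totalPaid' to 'totalPrice' is needed for the column to pass the new allow-list in actionUserOrdersTable (which accepts only reference, dateOrdered and totalPrice), but it also changes what the column sorts by, and the title change from 'Total Paid' to 'Total' confirms that; neither the changelog bullets nor the commit message mention it. Suggest noting the column change in the changelog next to the typo fix.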
