Craft Commerce has a SQL Injection in Commerce Inventory Table Sorting
Description
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Craft Commerce is vulnerable to SQL Injection in the inventory levels table data endpoint. The sort[0][direction] and sort[0][sortField] parameters are concatenated directly into an addOrderBy() clause without any validation or sanitization. An authenticated attacker with access to the Commerce Inventory section can inject arbitrary SQL queries, potentially leading to a full database compromise. This vulnerability is fixed in 5.5.3.
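One defensive pattern for the sorting input described above, as an added example that is not Craft Commerce code: the request's `sort` parameter is mapped through a fixed allowlist and returned in the array form that `yii\db\Query::addOrderBy()` accepts, so neither the column nor the direction is ever a request-controlled string. The allowlist keys mirror the fix commit; the column expressions other than `purchasables.sku` are assumptions.

```php
<?php
// Added example, not Craft Commerce code: turn the untrusted `sort` request
// parameter into an ORDER BY spec that cannot carry attacker-supplied SQL.
declare(strict_types=1);

// Assumed allowlist: request field key => column expression used in the query.
// 'sku' => 'purchasables.sku' is taken from the fix; the rest are assumed.
const INVENTORY_SORT_COLUMNS = [
    'item'                => 'item',
    'sku'                 => 'purchasables.sku',
    'reservedTotal'       => 'reservedTotal',
    'damagedTotal'        => 'damagedTotal',
    'safetyTotal'         => 'safetyTotal',
    'qualityControlTotal' => 'qualityControlTotal',
    'committedTotal'      => 'committedTotal',
    'availableTotal'      => 'availableTotal',
    'onHandTotal'         => 'onHandTotal',
    'incomingTotal'       => 'incomingTotal',
];

/**
 * Returns [column => SORT_ASC|SORT_DESC] for yii\db\Query::addOrderBy(),
 * or null when the input is missing, unknown, or not a plain string.
 */
function normalizeInventorySort(mixed $sort): ?array
{
    if (!is_array($sort) || !isset($sort[0]) || !is_array($sort[0])) {
        return null;
    }
    $field = $sort[0]['sortField'] ?? null;
    $direction = $sort[0]['direction'] ?? null;

    // Reject anything that is not a string before the allowlist lookup.
    if (!is_string($field) || !array_key_exists($field, INVENTORY_SORT_COLUMNS)) {
        return null;
    }
    // Strict in_array(): with loose comparison a JSON `true` equals 'asc'.
    if (!in_array($direction, ['asc', 'desc'], true)) {
        return null;
    }

    // The column comes from our own table and the direction is a constant,
    // so the query builder quotes the identifier and nothing is concatenated.
    return [INVENTORY_SORT_COLUMNS[$field] => $direction === 'asc' ? SORT_ASC : SORT_DESC];
}

// Constructed inputs: valid, unknown direction, boolean direction, unknown field.
assert(normalizeInventorySort([['sortField' => 'sku', 'direction' => 'desc']])
    === ['purchasables.sku' => SORT_DESC]);
assert(normalizeInventorySort([['sortField' => 'sku', 'direction' => 'descending']]) === null);
assert(normalizeInventorySort([['sortField' => 'sku', 'direction' => true]]) === null);
assert(normalizeInventorySort([['sortField' => 'other', 'direction' => 'asc']]) === null);
```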
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| craftcms/commerce (Packagist) | >= 5.0.0, < 5.5.3 | 5.5.3 |
Affected products
Patches
1 file changed · +1 −2
CHANGELOG.md+1 −2 modified@@ -2,9 +2,8 @@ ## Unreleased -- Fixed XSS vulnerabilities. - Fixed a bug where the order’s table was showing the incorrect column heading on the Edit User page. -- Fixed a high-severity SQL injection vulnerability in the control panel. (GHSA-j3x5-mghf-xvfw) +- Fixed two high-severity SQL injection vulnerabilities in the control panel. (GHSA-j3x5-mghf-xvfw, GHSA-pmgj-gmm4-jh6j) ## 5.5.2 - 2025-12-31
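Review bot: the hunk removes the existing "- Fixed XSS vulnerabilities." entry from the Unreleased section while it rewrites the SQL injection line; if that XSS fix is still shipping in this release, the removal looks accidental and the line should be restored. The replacement entry cites GHSA-pmgj-gmm4-jh6j but gives no hint of the affected area (the inventory levels table data endpoint); a few words there would help operators decide how urgently to upgrade.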
094d69df24b9 Fixed inventory sorting XSS
1 file changed · +19 −0
src/controllers/InventoryController.php+19 −0 modified@@ -254,6 +254,25 @@ public function actionInventoryLevelsTableData(): Response $field = $sort[0]['sortField']; $direction = $sort[0]['direction']; + // Validate the sorting inputs + if (!in_array($direction, ['asc', 'desc']) || + !in_array($field, [ + 'item', + 'sku', + 'reservedTotal', + 'damagedTotal', + 'safetyTotal', + 'qualityControlTotal', + 'committedTotal', + 'availableTotal', + 'onHandTotal', + 'incomingTotal', + ])) { + + $field = null; + $direction = null; + } + if ($field && $direction) { if ($field == 'sku') { $field = 'purchasables.sku';
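Review bot: both in_array() calls in the new validation block use loose comparison; pass `true` as the third argument, since a boolean decoded from the request body compares equal to 'asc' (and to any non-empty field name) under PHP's loose ==, so a non-string value can pass the allowlist and reach addOrderBy() unchanged. Because the allowlist already fixes the set of columns, the validated pair could also be handed to addOrderBy() in its array form, e.g. `['purchasables.sku' => SORT_ASC]`, so the builder quotes the identifier and the direction is a constant rather than a string. The commit message describes this as an XSS fix while the change addresses the SQL injection covered by the advisory; correcting it would save anyone reading the history from a wrong first impression.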
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-pmgj-gmm4-jh6j (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-29174 (NVD entry)
- github.com/craftcms/commerce/commit/094d69df24b925544f337c38e2ec1effcd5395c7 (fix commit)
- github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b (fix commit)
- github.com/craftcms/commerce/security/advisories/GHSA-pmgj-gmm4-jh6j (vendor advisory)