CVE-2026-32271
Description
Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allows any authenticated control panel user to achieve remote code execution through a four-step exploitation chain. The attack exploits unsanitized widget settings interpolated into SQL expressions, combined with PDO's default multi-statement query support, to inject a maliciously serialized PHP object into the queue table. When the queue consumer processes the injected job, the unrestricted unserialize() call in yii2-queue instantiates a GuzzleHttp FileCookieJar gadget chain whose __destruct() method writes a PHP webshell to the server's webroot. The complete chain requires only three HTTP requests, no administrative privileges, and results in arbitrary command execution as the PHP process user, with queue processing triggered via an unauthenticated endpoint. This issue has been fixed in versions 4.10.3 and 5.5.5.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
craftcms/commercePackagist | >= 4.0.0, < 4.10.3 | 4.10.3 |
craftcms/commercePackagist | >= 5.0.0, < 5.5.5 | 5.5.5 |
Affected products
1Patches
13 files changed · +17 −0
CHANGELOG.md+1 −0 modified@@ -4,6 +4,7 @@ - Improved product index performance by not eager-loading variants for table attributes that are already fetched via SQL joins. ([#4236](https://github.com/craftcms/commerce/issues/4236)) - Fixed a bug where coupon codes would be automatically submitted too soon while entering them on order edit screens. +- Fixed a [high-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) SQL injection vulnerability in the control panel. (cnv_igxrft5) ## 5.5.4 - 2026-02-18
src/stats/TotalRevenue.php+5 −0 modified@@ -44,6 +44,11 @@ class TotalRevenue extends Stat */ public function getData(): ?array { + $allowedTypes = [self::TYPE_TOTAL, self::TYPE_TOTAL_PAID]; + if (!in_array($this->type, $allowedTypes, true)) { + $this->type = self::TYPE_TOTAL; + } + return $this->_createChartQuery( [ new Expression(sprintf('SUM([[%s]]) as revenue', $this->type)),
src/widgets/TotalRevenue.php+11 −0 modified@@ -52,6 +52,17 @@ class TotalRevenue extends Widget */ private TotalRevenueStat $_stat; + /** + * @inheritdoc + */ + protected function defineRules(): array + { + $rules = parent::defineRules(); + $rules[] = [['type'], 'in', 'range' => [TotalRevenueStat::TYPE_TOTAL, TotalRevenueStat::TYPE_TOTAL_PAID]]; + + return $rules; + } + /** * @inheritDoc */
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
11- Wordfence Intelligence Weekly WordPress Vulnerability Report (May 4, 2026 to May 10, 2026)Wordfence Blog · May 14, 2026
- SAP Patches Critical S/4HANA, Commerce VulnerabilitiesSecurityWeek · May 12, 2026
- SAP fixes critical vulnerabilities in Commerce Cloud and S/4HANABleepingComputer · May 12, 2026
- The 2026 World Cup scam economy is already running before the first whistleMalwarebytes Labs · May 4, 2026
- Two cybersecurity pros get prison time for helping ransomware gangHelp Net Security · May 4, 2026
- The Good, the Bad and the Ugly in Cybersecurity – Week 17SentinelOne Labs · Apr 24, 2026
- Medical data of 500,000 UK volunteers listed for sale on AlibabaMalwarebytes Labs · Apr 24, 2026
- Introducing the Agent Readiness score. Is your site agent-ready?Cloudflare Blog · Apr 17, 2026
- Wordfence Intelligence Weekly WordPress Vulnerability Report (March 23, 2026 to March 29, 2026)Wordfence Blog · Apr 2, 2026
- Microsoft Patch Tuesday, March 2026 EditionKrebs on Security · Mar 11, 2026
- Is Poshmark safe? How to buy and sell without getting scammedESET WeLiveSecurity · Feb 19, 2026