CVE-2026-32272
Description
Craft Commerce is an ecommerce platform for Craft CMS. In versions 5.0.0 through 5.5.4, an SQL injection vulnerability exists where the ProductQuery::hasVariant and VariantQuery::hasProduct properties bypass the input sanitization blocklist added to ElementIndexesController in a prior security fix (GHSA-2453-mppf-46cj). The blocklist only strips top-level Yii2 Query properties such as where and orderBy, but hasVariant and hasProduct pass through untouched and internally call Craft::configure() on a subquery without sanitization, re-introducing SQL injection. Any authenticated control panel user can exploit this via boolean-based blind SQL injection to extract arbitrary database contents, including security keys that enable forging admin sessions for privilege escalation. This issue has been fixed in version 5.6.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| craftcms/commerce (Packagist) | >= 5.0.0, < 5.6.0 | 5.6.0 |
Affected products (1)
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-2453-mppf-46cj (ADVISORY, source: NVD)
- github.com/advisories/GHSA-r54v-qq87-px5r (ADVISORY, source: GHSA)
- nvd.nist.gov/vuln/detail/CVE-2026-32272 (ADVISORY, source: GHSA)
- github.com/craftcms/commerce/pull/4232 (WEB, source: NVD)
- github.com/craftcms/commerce/releases/tag/5.6.0 (WEB, source: NVD)
- github.com/craftcms/commerce/security/advisories/GHSA-r54v-qq87-px5r (WEB, source: NVD)