CVE-2026-32271
Craft Commerce has a SQL Injection can lead to Remote Code Execution via TotalRevenue Widget
Description
## Summary A SQL injection in the Commerce TotalRevenue widget can lead to remote code execution through a chain of four vulnerabilities: * SQL Injection -- The TotalRevenue stat interpolates unsanitized widget settings directly into a sprintf-based SQL Expression. Any control panel user can create any widget type without permission checks. * PDO Multi-Statement Queries -- PHP `PDO MySQL` enables `CLIENT_MULTI_STATEMENTS` by default. Neither Yii2 nor Craft CMS disables it. This allows stacking an INSERT statement after the injected SELECT , writing a maliciously serialized PHP object into the queue table. * Unrestricted `unserialize()` -- The yii2-queue PhpSerializer calls `unserialize()` with no allowed_classes restriction on every queue job. When the queue consumer processes the injected job, it instantiates the attacker-controlled object. * Gadget Chain (FileCookieJar) -- `GuzzleHttp\Cookie\FileCookieJar` (a standard Guzzle dependency) has an unguarded `__destruct()` method that calls `file_put_contents()`. The attacker’s serialized payload writes a PHP webshell to the server’s webroot. PHP tags survive `json_encode()` because Guzzle uses `options=0` (no `JSON_HEX_TAG`). The complete chain requires 3 HTTP requests and achieves arbitrary command execution as the PHP process user. Queue processing is triggered via GET `/actions/queue/run`, an endpoint that requires no authentication (`$allowAnonymous = ['run']`). ## RCE Exploitation Steps * Authenticate as any control panel user * POST to `/admin/actions/dashboard/create-widget` with stacked SQL injection: * `settings[type]` contains the stacked INSERT with the serialized gadget chain * Response: HTTP 500 (expected -- INSERT already committed) * Trigger queue processing: `GET /actions/queue/run` * Queue consumer deserializes the gadget chain * `FileCookieJar::__destruct()` writes webshell to webroot * Access the webshell: `GET /poc_rce.php?c=id` * Response: `uid=1000(home) gid=1000(home) groups=1000(home)`
How to fix CVE-2026-32271
To remediate CVE-2026-32271, upgrade the affected package to a fixed version below.
- —upgrade to 4.10.3 or later
Is CVE-2026-32271 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.