CVE-2026-32272

Description

## Overview Craft Commerce’s `ProductQuery::hasVariant` and `VariantQuery::hasProduct` properties bypass the `unset()` blocklist added to `ElementIndexesController` in GHSA-2453-mppf-46cj. The blocklist only strips top-level Yii2 Query properties (`where`, `orderBy`, etc.), but `hasVariant` and `hasProduct` pass through untouched. Internally, these properties call `Craft::configure()` on a subquery without sanitization, re-introducing SQL injection via `criteria[hasVariant][where]=INJECTED_SQL`. An authenticated control panel user can perform boolean-based blind SQL injection through the patched `ElementIndexesController` and extract arbitrary database contents. ## Impact * Full database read access via blind SQL injection * Privilege escalation via security key extraction → forged admin sessions ## Prerequisites * Authenticated control panel user * Commerce plugin installed * Products with variants in the database

How to fix CVE-2026-32272

To remediate CVE-2026-32272, upgrade the affected package to a fixed version below.

• —upgrade to 5.6.0 or later

Is CVE-2026-32272 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 5.0.0, < 5.6.0

CVSS scores

References (6)

• ADVISORYgithub.com/advisories/GHSA-2453-mppf-46cj
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-32272
• PATCHgithub.com/craftcms/commerce
• WEBgithub.com/craftcms/commerce/pull/4232
• WEBgithub.com