CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

8 matches found

OSV•added 2026/04/14 12:6 a.m.•2 views

GHSA-R54V-QQ87-PX5R Craft Commerce hasVariant/hasProduct Blind SQL Injection

Overview Craft Commerce’s ProductQuery::hasVariant and VariantQuery::hasProduct properties bypass the unset blocklist added to ElementIndexesController in GHSA-2453-mppf-46cj. The blocklist only strips top-level Yii2 Query properties where, orderBy, etc., but hasVariant and hasProduct pass throug...

8.7CVSS6AI score0.00039EPSS

Exploits0References6

EUVD•added 2026/04/14 12:6 a.m.•2 views

EUVD-2026-22077

Craft Commerce hasVariant/hasProduct Blind SQL Injection...

8.7CVSS5.9AI score0.00039EPSS

Exploits0References5

Github Security Blog•added 2026/04/14 12:6 a.m.•3 views

Craft Commerce hasVariant/hasProduct Blind SQL Injection

8.7CVSS6AI score0.00039EPSS

Exploits0References6Affected Software1

NVD•added 2026/04/13 9:16 p.m.•0 views

CVE-2026-32272

Craft Commerce is an ecommerce platform for Craft CMS. In versions 5.0.0 through 5.5.4, an SQL injection vulnerability exists where the ProductQuery::hasVariant and VariantQuery::hasProduct properties bypass the input sanitization blocklist added to ElementIndexesController in a prior security fi...

8.7CVSS0.00039EPSS

Exploits0References4

Snyk•added 2026/04/13 9:11 p.m.•2 views

SQL Injection

Overview craftcms/commerce is a Craft Commerce Affected versions of this package are vulnerable to SQL Injection via the hasVariant or hasProduct properties, which bypass input sanitization in subqueries. An attacker can extract arbitrary database contents, including sensitive security keys, by...

8.8CVSS6.1AI score0.00039EPSS

Exploits0References2