6 matches found
CVE-2026-29172 Craft Commerce has a SQL Injection in Commerce Purchasables Table Sorting
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part column name is passed directly as an array key to orderBy without whitelist...
CVE-2026-29172
Craft Commerce (Craft CMS) is affected by a SQL Injection in the purchasables table sorting. Prior to versions 4.10.2 and 5.5.3, the sort parameter is split by | and the first part (column name) is used directly as an array key in orderBy() without whitelist validation, allowing an authenticated ...
EUVD-2026-10813
Craft Commerce is Vulnerable to SQL Injection in Commerce Purchasables Table Sorting...
Craft Commerce is Vulnerable to SQL Injection in Commerce Purchasables Table Sorting
Summary Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part column name is passed directly as an array key to orderBy without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an...
GHSA-J3X5-MGHF-XVFW Craft Commerce is Vulnerable to SQL Injection in Commerce Purchasables Table Sorting
Summary Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part column name is passed directly as an array key to orderBy without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an...
PT-2026-24627
Summary Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part column name is passed directly as an array key to orderBy without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an...