Approved changes feed: RSS · Atom
cpe:2.3:a:craftcms:commerce:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Craftcms (251e238f-ce53-56ed-bc94-804b74356686) |
|---|---|
| Product | Commerce (993e2f9d-9e55-5b89-8c93-d43fa25fcc87) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from purl2cpe mapping |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
pkg:composer/craftcms/commerce |
purl2cpe | 2026-06-01 10:17:09.798387 |
pkg:github/craftcms/commerce |
purl2cpe | 2026-06-01 10:17:09.798389 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2026-32272 |
vulnerable | 2026-06-08 07:57:17.334440 |
Craft Commerce: Blind SQL Injection via hasVariant/hasProduct
Craft Commerce is an ecommerce platform for Craft CMS. In versions 5.0.0 through 5.5.4, an SQL injection vulnerability exists where the ProductQuery::hasVariant and VariantQuery::hasProduct properties bypass the input sanitization blocklist added to ElementIndexesController in a prior security fix (GHSA-2453-mppf-46cj). The blocklist only strips top-level Yii2 Query properties such as where and orderBy, but hasVariant and hasProduct pass through untouched and internally call Craft::configure() on a subquery without sanitization, re-introducing SQL injection. Any authenticated control panel user can exploit this via boolean-based blind SQL injection to extract arbitrary database contents, including security keys that enable forging admin sessions for privilege escalation. This issue has been fixed in version 5.6.0.
Published: 2026-04-13T20:25:50.420Z
Updated: 2026-04-14T16:28:47.197Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-32271 |
vulnerable | 2026-06-08 07:57:17.334201 |
Craft Commerce: SQL Injection can lead to Remote Code Execution via TotalRevenue Widget
Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allows any authenticated control panel user to achieve remote code execution through a four-step exploitation chain. The attack exploits unsanitized widget settings interpolated into SQL expressions, combined with PDO's default multi-statement query support, to inject a maliciously serialized PHP object into the queue table. When the queue consumer processes the injected job, the unrestricted unserialize() call in yii2-queue instantiates a GuzzleHttp FileCookieJar gadget chain whose __destruct() method writes a PHP webshell to the server's webroot. The complete chain requires only three HTTP requests, no administrative privileges, and results in arbitrary command execution as the PHP process user, with queue processing triggered via an unauthenticated endpoint. This issue has been fixed in versions 4.10.3 and 5.5.5.
Published: 2026-04-13T20:19:19.486Z
Updated: 2026-04-16T13:26:40.649Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-32270 |
vulnerable | 2026-06-08 07:57:17.333950 |
Craft Commerce: Unauthenticated information disclosure in `commerce/payments/pay` can leak some customer order data on anonymous payments
Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, the PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. The JSON error response includes the serialized order object (order), which contains some sensitive fields such as customer email, shipping address, and billing address. The frontend payment flow's actionPay() retrieves orders by number before authorization is fully enforcedLoad order by number. This issue has been fixed in versions 4.11.0 and 5.6.0.
Published: 2026-04-13T20:08:05.032Z
Updated: 2026-04-14T15:25:04.635Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-31867 |
vulnerable | 2026-06-08 07:57:16.016742 |
Craft Commerce has a Potential IDOR in Commerce carts
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.11.0 and 5.6.0, An Insecure Direct Object Reference (IDOR) vulnerability exists in Craft Commerce’s cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character number. The CartController accepts a user-supplied number parameter to load and modify shopping carts. No ownership validation is performed - the code only checks if the order exists and is incomplete, not whether the requester has authorization to access it. This vulnerability enables the takeover of shopping sessions and potential exposure of PII. This vulnerability is fixed in 4.11.0 and 5.6.0.
Published: 2026-03-11T17:52:18.298Z
Updated: 2026-03-12T13:49:48.940Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-29177 |
vulnerable | 2026-06-08 07:55:16.179107 |
Craft Commerce has Stored XSS in Craft Commerce Order Details Slideout
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name. When a user opens the order details slideout via a double-click on the order index page, the injected payload executes. This vulnerability is fixed in 4.10.2 and 5.5.3.
Published: 2026-03-10T20:01:06.968Z
Updated: 2026-03-10T20:12:39.344Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-29176 |
vulnerable | 2026-06-08 07:55:16.178797 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-29175 |
vulnerable | 2026-06-08 07:55:16.178298 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-29174 |
vulnerable | 2026-06-08 07:55:16.177878 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-29173 |
vulnerable | 2026-06-08 07:55:16.177328 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-29172 |
vulnerable | 2026-06-08 07:55:16.176003 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-25522 |
vulnerable | 2026-06-08 07:53:19.931759 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-25490 |
vulnerable | 2026-06-08 07:53:19.871819 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-25489 |
vulnerable | 2026-06-08 07:53:19.866515 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-25488 |
vulnerable | 2026-06-08 07:53:19.865954 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-25487 |
vulnerable | 2026-06-08 07:53:19.865485 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-25486 |
vulnerable | 2026-06-08 07:53:19.865047 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-25485 |
vulnerable | 2026-06-08 07:53:19.864689 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-25484 |
vulnerable | 2026-06-08 07:53:19.863982 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-25483 |
vulnerable | 2026-06-08 07:53:19.863406 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-25482 |
vulnerable | 2026-06-08 07:53:19.860492 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.