{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32271", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-11T15:05:48.400Z", "datePublished": "2026-04-13T20:19:19.486Z", "dateUpdated": "2026-04-13T20:19:19.486Z"}, "containers": {"cna": {"title": "Craft Commerce: SQL Injection can lead to Remote Code Execution via TotalRevenue Widget", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/craftcms/commerce/security/advisories/GHSA-875v-7m49-8x88", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-875v-7m49-8x88"}, {"name": "https://github.com/craftcms/commerce/commit/6d2d24b3a2b0c06593856d05446f82bd8af92d72", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/commerce/commit/6d2d24b3a2b0c06593856d05446f82bd8af92d72"}], "affected": [{"vendor": "craftcms", "product": "commerce", "versions": [{"version": ">= 4.0.0, < 4.10.3", "status": "affected"}, {"version": ">= 5.0.0, < 5.5.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T20:19:19.486Z"}, "descriptions": [{"lang": "en", "value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allows any authenticated control panel user to achieve remote code execution through a four-step exploitation chain. The attack exploits unsanitized widget settings interpolated into SQL expressions, combined with PDO's default multi-statement query support, to inject a maliciously serialized PHP object into the queue table. When the queue consumer processes the injected job, the unrestricted unserialize() call in yii2-queue instantiates a GuzzleHttp FileCookieJar gadget chain whose __destruct() method writes a PHP webshell to the server's webroot. The complete chain requires only three HTTP requests, no administrative privileges, and results in arbitrary command execution as the PHP process user, with queue processing triggered via an unauthenticated endpoint. This issue has been fixed in versions 4.10.3 and 5.5.5."}], "source": {"advisory": "GHSA-875v-7m49-8x88", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allows any authenticated control panel user to achieve remote code execution through a four-step exploitation chain. The attack exploits unsanitized widget settings interpolated into SQL expressions, combined with PDO's default multi-statement query support, to inject a maliciously serialized PHP object into the queue table. When the queue consumer processes the injected job, the unrestricted unserialize() call in yii2-queue instantiates a GuzzleHttp FileCookieJar gadget chain whose __destruct() method writes a PHP webshell to the server's webroot. The complete chain requires only three HTTP requests, no administrative privileges, and results in arbitrary command execution as the PHP process user, with queue processing triggered via an unauthenticated endpoint. This issue has been fixed in versions 4.10.3 and 5.5.5."}], "id": "CVE-2026-32271", "lastModified": "2026-04-13T21:16:24.260", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-13T21:16:24.260", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/craftcms/commerce/commit/6d2d24b3a2b0c06593856d05446f82bd8af92d72"}, {"source": "security-advisories@github.com", "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-875v-7m49-8x88"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0,4.10.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0,5.5.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "commerce", "source": "cna", "vendor": "craftcms"}, "product": "commerce", "vendor": "craftcms"}], "analysis": {"en": {"generated_at": "2026-04-13T21:46:16.395512+00:00", "value": {"mitigation_remediation": ["Apply the latest Craft Commerce update (4.10.3 or higher, or 5.5.5 or higher).", "Disable or remove the TotalRevenue widget until the update is applied.", "If immediate patching is not possible, restrict or disable the queue consumer endpoint to prevent processed jobs from executing."], "summary": {"action": "Patch Now", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Craft Commerce releases 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4 when the TotalRevenue widget is in use. Versions 4.10.3 and later, and 5.5.5 and later, contain the fix and are not affected.", "description_and_impact": "Craft Commerce is vulnerable to an SQL injection flaw within the TotalRevenue widget. Unsanitized widget settings are inserted directly into SQL expressions, allowing a logged\u2011in control\u2011panel user to inject a malicious PHP object. Through PDO\u2019s default multi\u2011statement support this object is added to the queue table. When the Yii2\u2011queue consumer processes the job it unserializes the injected payload, triggering a GuzzleHttp FileCookieJar gadget that writes a PHP webshell to the site\u2019s webroot. The entire exploit chain requires only three HTTP requests, no administrative privileges, and results in arbitrary command execution as the web\u2011server\u2019s PHP process.", "risk_and_exploitability": "The CVSS score of 7.7 assigns this flaw a high severity. Since the EPSS score is not available, the likelihood of exploitation cannot be quantified, but the exploit requires only minimal effort: three HTTP requests, an authenticated control\u2011panel login, and an unauthenticated queue consumer endpoint. The vulnerability is not currently listed in CISA\u2019s KEV catalog. The impact is full arbitrary command execution, which can lead to complete server compromise if the web\u2011server user owns critical resources."}}}}, "created": "2026-04-14T16:18:16.214123+00:00", "updated": "2026-04-14T16:33:23.508298+00:00", "vendors": ["craftcms", "craftcms$PRODUCT$commerce"]}