{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32272", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-11T15:05:48.400Z", "datePublished": "2026-04-13T20:25:50.420Z", "dateUpdated": "2026-04-14T16:28:47.197Z"}, "containers": {"cna": {"title": "Craft Commerce: Blind SQL Injection via hasVariant/hasProduct", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/craftcms/commerce/security/advisories/GHSA-r54v-qq87-px5r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-r54v-qq87-px5r"}, {"name": "https://github.com/craftcms/commerce/pull/4232", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/commerce/pull/4232"}, {"name": "https://github.com/advisories/GHSA-2453-mppf-46cj", "tags": ["x_refsource_MISC"], "url": "https://github.com/advisories/GHSA-2453-mppf-46cj"}, {"name": "https://github.com/craftcms/commerce/releases/tag/5.6.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/commerce/releases/tag/5.6.0"}], "affected": [{"vendor": "craftcms", "product": "commerce", "versions": [{"version": ">= 5.0.0 < 5.6.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T20:25:50.420Z"}, "descriptions": [{"lang": "en", "value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions 5.0.0 through 5.5.4, an SQL injection vulnerability exists where the ProductQuery::hasVariant and VariantQuery::hasProduct properties bypass the input sanitization blocklist added to ElementIndexesController in a prior security fix (GHSA-2453-mppf-46cj). The blocklist only strips top-level Yii2 Query properties such as where and orderBy, but hasVariant and hasProduct pass through untouched and internally call Craft::configure() on a subquery without sanitization, re-introducing SQL injection. Any authenticated control panel user can exploit this via boolean-based blind SQL injection to extract arbitrary database contents, including security keys that enable forging admin sessions for privilege escalation. This issue has been fixed in version 5.6.0."}], "source": {"advisory": "GHSA-r54v-qq87-px5r", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T15:28:46.125041Z", "id": "CVE-2026-32272", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T16:28:47.197Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32272", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T15:28:46.125041Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:28:54.549Z"}}], "cna": {"title": "Craft Commerce: Blind SQL Injection via hasVariant/hasProduct", "source": {"advisory": "GHSA-r54v-qq87-px5r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "craftcms", "product": "commerce", "versions": [{"status": "affected", "version": ">= 5.0.0 < 5.6.0"}]}], "references": [{"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-r54v-qq87-px5r", "name": "https://github.com/craftcms/commerce/security/advisories/GHSA-r54v-qq87-px5r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/craftcms/commerce/pull/4232", "name": "https://github.com/craftcms/commerce/pull/4232", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/advisories/GHSA-2453-mppf-46cj", "name": "https://github.com/advisories/GHSA-2453-mppf-46cj", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/craftcms/commerce/releases/tag/5.6.0", "name": "https://github.com/craftcms/commerce/releases/tag/5.6.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions 5.0.0 through 5.5.4, an SQL injection vulnerability exists where the ProductQuery::hasVariant and VariantQuery::hasProduct properties bypass the input sanitization blocklist added to ElementIndexesController in a prior security fix (GHSA-2453-mppf-46cj). The blocklist only strips top-level Yii2 Query properties such as where and orderBy, but hasVariant and hasProduct pass through untouched and internally call Craft::configure() on a subquery without sanitization, re-introducing SQL injection. Any authenticated control panel user can exploit this via boolean-based blind SQL injection to extract arbitrary database contents, including security keys that enable forging admin sessions for privilege escalation. This issue has been fixed in version 5.6.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T20:25:50.420Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32272", "state": "PUBLISHED", "dateUpdated": "2026-04-14T16:28:47.197Z", "dateReserved": "2026-03-11T15:05:48.400Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-13T20:25:50.420Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions 5.0.0 through 5.5.4, an SQL injection vulnerability exists where the ProductQuery::hasVariant and VariantQuery::hasProduct properties bypass the input sanitization blocklist added to ElementIndexesController in a prior security fix (GHSA-2453-mppf-46cj). The blocklist only strips top-level Yii2 Query properties such as where and orderBy, but hasVariant and hasProduct pass through untouched and internally call Craft::configure() on a subquery without sanitization, re-introducing SQL injection. Any authenticated control panel user can exploit this via boolean-based blind SQL injection to extract arbitrary database contents, including security keys that enable forging admin sessions for privilege escalation. This issue has been fixed in version 5.6.0."}], "id": "CVE-2026-32272", "lastModified": "2026-04-13T21:16:24.410", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-13T21:16:24.410", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/advisories/GHSA-2453-mppf-46cj"}, {"source": "security-advisories@github.com", "url": "https://github.com/craftcms/commerce/pull/4232"}, {"source": "security-advisories@github.com", "url": "https://github.com/craftcms/commerce/releases/tag/5.6.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-r54v-qq87-px5r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0,5.6.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "commerce", "source": "cna", "vendor": "craftcms"}, "product": "commerce", "vendor": "craftcms"}], "analysis": {"en": {"generated_at": "2026-04-13T21:33:55.611578+00:00", "value": {"mitigation_remediation": ["Upgrade Craft Commerce to version 5.6.0 or later, which removes the vulnerable query paths.", "Confirm that the upgrade applied successfully by checking the deployed version number.", "Review and tighten control\u2011panel access, ensuring only trusted administrators can log in.", "Enable multi-factor authentication on the control\u2011panel to reduce the risk of credential compromise.", "Patch any custom code or plugins that may interact with ProductQuery or VariantQuery to avoid legacy injection paths."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation via SQL Injection"}, "threat_synthesis": {"affected_systems": "Affected systems include all installations of Craft Commerce by craftcms, specifically vendors \"craftcms:commerce\" running versions 5.0.0 to 5.5.4. The issue was remediated in the 5.6.0 release, which removes the unsanitized path and applies proper query sanitization. Users should verify that their environment is upgraded to at least version 5.6.0 to eliminate the vulnerability.", "description_and_impact": "The vulnerability is a blind SQL injection in Craft Commerce versions 5.0.0 through 5.5.4. The ProductQuery::hasVariant and VariantQuery::hasProduct properties bypass the blocklist applied to ElementIndexesController, causing an unsanitized subquery to be executed. Any authenticated control\u2011panel user can send crafted boolean queries that return true or false, allowing extraction of arbitrary database content, including secret security keys that can be used to forge administrative sessions and gain elevated privileges.", "risk_and_exploitability": "The CVSS base score of 8.7 indicates high severity, and the absence of an EPSS score suggests that public data about exploit usage is not yet available. The vulnerability is not listed in the CISA KEV catalog, implying no known public exploitation yet, but its exploitation requires only an authenticated control\u2011panel user. Because it permits extraction of sensitive database values and possible session forging, the risk is significant. Administrators should assume the likelihood of exploitation is real, especially if the environment contains a tainted or compromised CP access."}}}}, "created": "2026-04-14T16:18:15.201797+00:00", "updated": "2026-04-14T16:33:22.372951+00:00", "vendors": ["craftcms", "craftcms$PRODUCT$commerce"]}