CVE-2026-32272— Craft Commerce: Blind SQL Injection via hasVariant/hasProduct
Possible ATT&CK Techniques 3AI
T1059 · Command and Scripting Interpreter T1078 · Valid Accounts T1190 · Exploit Public-Facing ApplicationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-32272
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Craft Commerce: Blind SQL Injection via hasVariant/hasProduct
Source: NVD (National Vulnerability Database)
Vulnerability Description
Craft Commerce is an ecommerce platform for Craft CMS. In versions 5.0.0 through 5.5.4, an SQL injection vulnerability exists where the ProductQuery::hasVariant and VariantQuery::hasProduct properties bypass the input sanitization blocklist added to ElementIndexesController in a prior security fix (GHSA-2453-mppf-46cj). The blocklist only strips top-level Yii2 Query properties such as where and orderBy, but hasVariant and hasProduct pass through untouched and internally call Craft::configure() on a subquery without sanitization, re-introducing SQL injection. Any authenticated control panel user can exploit this via boolean-based blind SQL injection to extract arbitrary database contents, including security keys that enable forging admin sessions for privilege escalation. This issue has been fixed in version 5.6.0.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
SQL命令中使用的特殊元素转义处理不恰当(SQL注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Craft Commerce SQL注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Craft Commerce是Craft CMS开源的一个电子商务平台。 Craft Commerce 5.5.4及之前版本存在SQL注入漏洞,该漏洞源于ProductQuery::hasVariant和VariantQuery::hasProduct属性绕过输入清理阻止列表,可能导致SQL注入攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-32272
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-32272
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-32272 (1)
Same Patch Batch · craftcms · 2026-04-13 · 3 CVEs total
| CVE-2026-32270 | Craft Commerce: Unauthenticated information disclosure in `commerce/payments/pay` can leak | |
| CVE-2026-32271 | Craft Commerce: SQL Injection can lead to Remote Code Execution via TotalRevenue Widget |
IV. Related Vulnerabilities
Same product: commerce
- CVE-2026-32271
Craft Commerce: SQL Injection can lead to Remote Code Execut - CVE-2026-32270
Craft Commerce: Unauthenticated information disclosure in `c - CVE-2026-31867
Craft Commerce has a Potential IDOR in Commerce carts - CVE-2026-29177
Craft Commerce has Stored XSS in Craft Commerce Order Detail - CVE-2026-29176
Craft Commerce has Stored XSS in Inventory Location Name
Same vendor: craftcms
- CVE-2026-44011
Craft CMS: Potential authenticated Remote Code Execution via - CVE-2026-44012
Craft CMS: Missing Volume Permission Check in AssetsControll - CVE-2026-44010
Craft CMS: Missing Authorization in GraphQL Address Resolver - CVE-2026-41130
Craft CMS has a host header injection leading to SSRF via re - CVE-2026-41129
Craft CMS has Server-Side Request Forgery (SSRF) with Asset
Same weakness: CWE-89
- CVE-2018-25352
WordPress Ultimate Form Builder Lite 1.3.7 SQL Injection via - CVE-2018-25351
Joomla! Component EkRishta 2.10 SQL Injection via username - CVE-2018-25348
Joomla! Component Ek Rishta 2.10 SQL Injection via user_deta - CVE-2018-25347
WordPress Contact Form Maker Plugin 1.12.20 SQL Injection - CVE-2018-25346
WordPress Form Maker Plugin 1.12.24 SQL Injection via admin-
V. Comments for CVE-2026-32272
No comments yet