CVE-2026-29172: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in craftcms commerce
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part (column name) is passed directly as an array key to orderBy() without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an authenticated attacker to inject arbitrary SQL into the ORDER BY clause. This vulnerability is fixed in 4.10.2 and 5.5.3.
AI Analysis
Technical Summary
Craft Commerce, an ecommerce platform built on Craft CMS, suffers from an SQL Injection vulnerability identified as CVE-2026-29172. The vulnerability arises in the purchasables table endpoint where the 'sort' parameter is parsed by splitting on the '|' character. The first segment, representing a column name, is directly used as an array key in Yii2's orderBy() query builder method without any whitelist validation. Yii2's query builder does not escape array keys, which allows an authenticated attacker to inject arbitrary SQL code into the ORDER BY clause of the SQL query. This improper neutralization of special elements (CWE-89) can be exploited to manipulate database queries, potentially exposing sensitive data, modifying data, or causing denial of service. The vulnerability affects Craft Commerce versions from 4.0.0 up to but not including 4.10.2, and from 5.0.0 up to but not including 5.5.3. The flaw requires the attacker to have authenticated access but does not require user interaction. The CVSS 4.0 base score is 8.7, reflecting high severity due to network attack vector, low attack complexity, only the privileges of an authenticated user required, and high impact on confidentiality, integrity, and availability. The issue was publicly disclosed on March 10, 2026, and no known exploits have been reported in the wild. The vendor has addressed the vulnerability in versions 4.10.2 and 5.5.3 by implementing proper validation and escaping mechanisms.
Potential Impact
The SQL Injection vulnerability in Craft Commerce can have severe consequences for organizations using affected versions. An authenticated attacker can exploit this flaw to execute arbitrary SQL commands within the ORDER BY clause, potentially leading to unauthorized data disclosure, data manipulation, or deletion. This compromises the confidentiality, integrity, and availability of the ecommerce platform's backend database. Attackers might extract sensitive customer information, payment details, or order histories, leading to privacy violations and regulatory non-compliance. Additionally, malicious SQL commands could disrupt normal operations, causing denial of service or corrupting critical business data. Since Craft Commerce is used globally by online retailers, exploitation could result in significant financial losses, reputational damage, and legal liabilities. The requirement for authentication limits exposure somewhat but does not eliminate risk, especially if credentials are compromised or insider threats exist. The lack of user interaction needed makes automated exploitation feasible once credentials are obtained.
Mitigation Recommendations
To mitigate CVE-2026-29172, organizations should immediately upgrade Craft Commerce to versions 4.10.2 or 5.5.3 where the vulnerability is patched. If immediate upgrade is not possible, implement strict input validation and sanitization on the 'sort' parameter to enforce a whitelist of allowed column names before passing values to orderBy(). Employ web application firewalls (WAFs) with custom rules to detect and block suspicious SQL injection patterns targeting the ORDER BY clause. Limit and monitor authenticated user privileges to reduce the risk of credential abuse. Conduct regular security audits and penetration testing focusing on injection flaws. Enable detailed logging and alerting on database query anomalies. Educate developers on secure coding practices, especially regarding dynamic query construction and the risks of unsanitized input. Finally, maintain an incident response plan to quickly address any suspected exploitation.
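The sort-parameter handling described in the technical summary and the whitelist check recommended above, as an added PHP example that is not Craft Commerce's code or the vendor's actual fix. It assumes Yii2 is installed via Composer; the table name and the allowed column list are hypothetical.

```php
<?php
// Added example, not Craft Commerce's own code: a "column|direction" sort
// parameter handled the way the advisory describes (unvalidated) and with a
// whitelist (hardened). Assumes Yii2 via Composer; names below are hypothetical.

require __DIR__ . '/vendor/autoload.php';

use yii\db\Query;

// Hypothetical list of columns the endpoint is allowed to sort by.
const ALLOWED_SORT_COLUMNS = ['id', 'sku', 'price', 'dateCreated'];

/** Split "column|direction" into its two parts; direction defaults to "asc". */
function parseSortParam(string $sort): array
{
    [$column, $direction] = array_pad(explode('|', $sort, 2), 2, 'asc');
    return [$column, strtolower($direction) === 'desc' ? SORT_DESC : SORT_ASC];
}

/** Vulnerable pattern: the request-supplied column name becomes the orderBy() key. */
function orderByUnvalidated(Query $query, string $sort): Query
{
    [$column, $direction] = parseSortParam($sort);
    // Yii2 only wraps plain identifiers in quote characters; a key that is not a
    // plain identifier reaches the ORDER BY clause without being escaped.
    return $query->orderBy([$column => $direction]);
}

/** Hardened pattern: the key is taken from the fixed list, never from the request. */
function orderByWhitelisted(Query $query, string $sort): Query
{
    [$column, $direction] = parseSortParam($sort);
    $index = array_search($column, ALLOWED_SORT_COLUMNS, true);
    if ($index === false) {
        throw new InvalidArgumentException('Unsupported sort column');
    }
    // Use the whitelist's own string so request-controlled bytes never reach the query.
    return $query->orderBy([ALLOWED_SORT_COLUMNS[$index] => $direction]);
}

// Demonstration: a known column is accepted, an unknown one is rejected.
$query = (new Query())->from('purchasables');
var_dump(orderByWhitelisted(clone $query, 'price|desc')->orderBy);
try {
    orderByWhitelisted(clone $query, 'not_a_column|asc');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Rejections from the whitelisted version are also a useful log signal: a sort value that is not one of the allowed column names has no legitimate source in the front end.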
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-04T14:44:00.712Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b07bba2f860ef943b24cc0
Added to database: 3/10/2026, 8:14:50 PM
Last enriched: 3/10/2026, 8:29:52 PM
Last updated: 3/13/2026, 9:25:14 AM