Craft Commerce, an ecommerce platform integrated with Craft CMS, suffers from a critical SQL Injection vulnerability identified as CVE-2026-29174. This vulnerability arises from improper neutralization of special elements in SQL commands (CWE-89) within the inventory levels table data endpoint. Specifically, the parameters sort[0][direction] and sort[0][sortField], which control sorting behavior, are directly concatenated into the addOrderBy() SQL clause without any input validation or sanitization. This unsafe coding practice allows an authenticated attacker with permissions to access the Commerce Inventory section to inject malicious SQL payloads. Exploiting this flaw can lead to unauthorized data access, modification, or deletion, and potentially a full database compromise. The vulnerability affects all Craft Commerce versions starting from 5.0.0 up to but not including 5.5.3. The vulnerability was publicly disclosed on March 10, 2026, and has a CVSS 4.0 base score of 8.7, reflecting its high severity. The attack vector is network-based with low attack complexity, requiring only privileges to access the inventory section but no additional user interaction. The vulnerability does not require exploitation of other components and has a high impact on confidentiality, integrity, and availability of the database. No known exploits are currently reported in the wild. The vendor has fixed the issue in version 5.5.3, and users are strongly advised to upgrade to this or later versions.

The impact of CVE-2026-29174 is significant for organizations using vulnerable versions of Craft Commerce. Successful exploitation allows attackers to execute arbitrary SQL commands, which can lead to unauthorized disclosure of sensitive customer and business data, data corruption, or deletion, and potentially full database compromise. This can result in severe operational disruption, financial loss, reputational damage, and regulatory penalties, especially for ecommerce businesses handling payment and personal information. Since the vulnerability requires authentication with access to the Commerce Inventory section, insider threats or compromised credentials increase risk. The high CVSS score reflects the ease of exploitation combined with the broad impact on confidentiality, integrity, and availability. Organizations globally relying on Craft Commerce for their online storefronts are at risk until patched. The absence of known exploits in the wild currently reduces immediate threat but does not eliminate the risk of future attacks, especially as proof-of-concept code may emerge.

1. Immediate upgrade to Craft Commerce version 5.5.3 or later, where the vulnerability is fixed, is the most effective mitigation. 2. Restrict access to the Commerce Inventory section strictly to trusted and necessary personnel to reduce the attack surface. 3. Implement strong authentication mechanisms, including multi-factor authentication, to prevent unauthorized access to authenticated areas. 4. Monitor logs for unusual or suspicious activity related to inventory sorting parameters or database queries. 5. Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the affected parameters. 6. Conduct regular security audits and code reviews to identify and remediate similar unsafe coding practices. 7. Backup databases regularly and ensure backups are secure to enable recovery in case of compromise. 8. Educate developers and administrators about secure coding and the risks of unsanitized input concatenation in SQL queries.