CVE-2026-32271: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in craftcms commerce
Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allows any authenticated control panel user to achieve remote code execution through a four-step exploitation chain. The attack exploits unsanitized widget settings interpolated into SQL expressions, combined with PDO's default multi-statement query support, to inject a maliciously serialized PHP object into the queue table. When the queue consumer processes the injected job, the unrestricted unserialize() call in yii2-queue instantiates a GuzzleHttp FileCookieJar gadget chain whose __destruct() method writes a PHP webshell to the server's webroot. The complete chain requires only three HTTP requests, no administrative privileges, and results in arbitrary command execution as the PHP process user, with queue processing triggered via an unauthenticated endpoint. This issue has been fixed in versions 4.10.3 and 5.5.5.
AI Analysis
Technical Summary
CVE-2026-32271 is an SQL injection vulnerability in Craft Commerce's TotalRevenue widget affecting versions 4.0.0 to 4.10.2 and 5.0.0 to 5.5.4. The vulnerability arises from unsanitized widget settings interpolated into SQL expressions, combined with PDO's multi-statement query support, enabling injection of a malicious serialized PHP object into the queue table. When the queue consumer processes this injected job, the unserialize() call in yii2-queue triggers a GuzzleHttp FileCookieJar gadget chain, whose destructor writes a PHP webshell to the server webroot. Exploitation requires only authenticated control panel access (no admin privileges) and three HTTP requests, with queue processing triggered via an unauthenticated endpoint, leading to remote code execution as the PHP process user. The issue is resolved in Craft Commerce versions 4.10.3 and 5.5.5.
Potential Impact
Successful exploitation results in remote code execution on the server with the privileges of the PHP process user. This allows attackers with low-level authenticated access to deploy a PHP webshell, potentially leading to full system compromise. The vulnerability does not require administrative privileges and can be triggered with minimal requests, increasing its severity.
Mitigation Recommendations
This vulnerability is fixed in Craft Commerce versions 4.10.3 and 5.5.5. Users should upgrade to these or later versions to remediate the issue. No vendor advisory content was provided to indicate alternative mitigations or temporary fixes. Until patched, restrict authenticated control panel access to trusted users only and monitor for suspicious queue processing activity. Patch status is confirmed by the version ranges fixed; no cloud service remediation applies.
CVE-2026-32271: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in craftcms commerce
Description
Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allows any authenticated control panel user to achieve remote code execution through a four-step exploitation chain. The attack exploits unsanitized widget settings interpolated into SQL expressions, combined with PDO's default multi-statement query support, to inject a maliciously serialized PHP object into the queue table. When the queue consumer processes the injected job, the unrestricted unserialize() call in yii2-queue instantiates a GuzzleHttp FileCookieJar gadget chain whose __destruct() method writes a PHP webshell to the server's webroot. The complete chain requires only three HTTP requests, no administrative privileges, and results in arbitrary command execution as the PHP process user, with queue processing triggered via an unauthenticated endpoint. This issue has been fixed in versions 4.10.3 and 5.5.5.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-32271 is an SQL injection vulnerability in Craft Commerce's TotalRevenue widget affecting versions 4.0.0 to 4.10.2 and 5.0.0 to 5.5.4. The vulnerability arises from unsanitized widget settings interpolated into SQL expressions, combined with PDO's multi-statement query support, enabling injection of a malicious serialized PHP object into the queue table. When the queue consumer processes this injected job, the unserialize() call in yii2-queue triggers a GuzzleHttp FileCookieJar gadget chain, whose destructor writes a PHP webshell to the server webroot. Exploitation requires only authenticated control panel access (no admin privileges) and three HTTP requests, with queue processing triggered via an unauthenticated endpoint, leading to remote code execution as the PHP process user. The issue is resolved in Craft Commerce versions 4.10.3 and 5.5.5.
Potential Impact
Successful exploitation results in remote code execution on the server with the privileges of the PHP process user. This allows attackers with low-level authenticated access to deploy a PHP webshell, potentially leading to full system compromise. The vulnerability does not require administrative privileges and can be triggered with minimal requests, increasing its severity.
Mitigation Recommendations
This vulnerability is fixed in Craft Commerce versions 4.10.3 and 5.5.5. Users should upgrade to these or later versions to remediate the issue. No vendor advisory content was provided to indicate alternative mitigations or temporary fixes. Until patched, restrict authenticated control panel access to trusted users only and monitor for suspicious queue processing activity. Patch status is confirmed by the version ranges fixed; no cloud service remediation applies.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-11T15:05:48.400Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69dd563d82d89c981f59ffd3
Added to database: 4/13/2026, 8:46:53 PM
Last enriched: 4/13/2026, 9:01:56 PM
Last updated: 4/15/2026, 1:16:28 PM
Views: 14
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.