Platform
php
Component
craft-commerce
Fixed in
4.0.1
5.0.1
CVE-2026-32271 is a SQL Injection vulnerability discovered in Craft Commerce, an ecommerce platform for Craft CMS. This vulnerability allows an authenticated control panel user to potentially achieve remote code execution through a complex exploitation chain involving widget settings and PDO's multi-statement query support. The vulnerability affects versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, but a fix is available in version 4.10.3.
An SQL injection vulnerability has been discovered in the Commerce TotalRevenue widget, affecting versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4. This vulnerability allows any authenticated control panel user to achieve remote code execution through a four-step exploitation chain. The attack exploits unsanitized widget settings interpolated into SQL expressions, combined with PDO's default multi-statement query support, to inject a maliciously serialized PHP object. This could compromise the website's security and allow unauthorized access to sensitive data or execution of commands on the server.
The attack requires an authenticated user in the Craft CMS control panel. The attacker manipulates the TotalRevenue widget's configuration to inject malicious SQL code. This SQL code, when executed by PDO, deserializes a malicious PHP object, enabling arbitrary code execution on the server. The exploitation chain involves crafting a specific widget configuration that, when processed, generates a vulnerable SQL query. Due to the nature of the SQL injection and deserialization capabilities, the impact can be devastating, potentially granting full server control.
Exploit Status
EPSS
0.22% (45% percentile)
CISA SSVC
The recommended solution is to update Craft Commerce to version 4.10.3 or higher. This update corrects the vulnerability by properly sanitizing user input within the TotalRevenue widget. In the meantime, as a temporary measure, restrict control panel access to users with minimal privileges and carefully review any TotalRevenue widget settings for potential anomalies. It's crucial to implement good security practices, such as keeping software updated and using strong passwords, to mitigate the risk of exploitation. Monitoring server logs for suspicious activity can also help detect and respond to potential attacks.
Actualice Craft Commerce a la versión 4.10.3 o superior, o a la versión 5.5.5 o superior. Esta actualización corrige la vulnerabilidad de inyección SQL en el widget TotalRevenue, previniendo la ejecución remota de código.
Vulnerability analysis and critical alerts directly to your inbox.
SQL injection is a security vulnerability that allows attackers to insert malicious SQL code into a database query, potentially allowing them to access confidential data, modify data, or even execute commands on the server.
Version 4.10.3 contains a fix for this specific SQL injection vulnerability. Updating is the most effective way to protect your website.
As a temporary measure, restrict control panel access and review the TotalRevenue widget configuration. Monitor server logs for suspicious activity.
Consult the official Craft Commerce documentation and security advisories for information on other known vulnerabilities and corresponding solutions.
You can find more information about CVE-2026-32271 on vulnerability databases such as the National Vulnerability Database (NVD) and on the Craft CMS website.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.