Platform
php
Component
craftcms/commerce
Fixed in
5.0.1
5.6.0
CVE-2026-32272 describes a SQL Injection vulnerability discovered in Craft Commerce. This flaw allows an authenticated control panel user to bypass sanitization measures and inject malicious SQL code. The vulnerability impacts versions of Craft Commerce up to 5.5.4, and a fix is available in version 5.6.0.
An attacker exploiting this vulnerability can leverage boolean-based blind SQL injection to extract sensitive data from the Craft Commerce database. This could include user credentials, order information, product details, and potentially other confidential data stored within the application. While the vulnerability requires authentication, a successful compromise could lead to significant data breaches and reputational damage. The attack vector involves manipulating the hasVariant or hasProduct properties within Craft Commerce queries, bypassing the intended blocklist and directly injecting SQL code into the underlying database queries. This resembles other SQL injection vulnerabilities where attackers craft malicious input to manipulate database queries and gain unauthorized access to data.
CVE-2026-32272 was published on 2026-04-13. Its severity is rated HIGH with a CVSS score of 7.5. Public proof-of-concept (POC) code is currently unavailable, but the vulnerability's nature suggests it could be relatively easy to exploit once a POC is released. The vulnerability is not currently listed on KEV or EPSS, indicating a low to medium probability of active exploitation at this time. Refer to the official Craft CMS advisory for further details.
Exploit Status
EPSS
0.03% (10% percentile)
CISA SSVC
The primary mitigation for CVE-2026-32272 is to upgrade Craft Commerce to version 5.6.0 or later, which includes the necessary fix. If immediate upgrading is not possible, consider implementing temporary workarounds. These may include restricting access to the control panel, carefully reviewing and validating all user inputs, and implementing a Web Application Firewall (WAF) with rules to detect and block suspicious SQL injection attempts. Monitor Craft Commerce logs for unusual database query patterns that might indicate exploitation. After upgrading, confirm the fix by attempting to reproduce the vulnerability using the documented attack vector and verifying that the injected SQL code is properly sanitized.
Actualice a la versión 5.6.0 o posterior de Craft Commerce para mitigar la vulnerabilidad de inyección SQL ciega. Esta actualización corrige la falta de sanitización en las propiedades hasVariant y hasProduct, previniendo la extracción de datos sensibles de la base de datos.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-32272 is a SQL Injection vulnerability affecting Craft Commerce versions up to 5.5.4. An authenticated admin can exploit it by manipulating hasVariant or hasProduct queries, potentially extracting sensitive data.
You are affected if you are running Craft Commerce version 5.5.4 or earlier. Upgrade to version 5.6.0 or later to mitigate the risk.
Upgrade Craft Commerce to version 5.6.0 or later. If immediate upgrading is not possible, implement temporary workarounds like restricting access and using a WAF.
While there are no confirmed reports of active exploitation, the vulnerability's nature suggests it could be exploited once a public proof-of-concept is available.
Refer to the official Craft CMS security advisory page for the most up-to-date information and announcements regarding CVE-2026-32272: [https://craftcms.com/security/](https://craftcms.com/security/)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.