CVE-2026-32271
Received Received - Intake
SQL Injection in Craft Commerce Widget Enables Remote Code Execution

Publication date: 2026-04-13

Last updated on: 2026-04-13

Assigner: GitHub, Inc.

Description
Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allows any authenticated control panel user to achieve remote code execution through a four-step exploitation chain. The attack exploits unsanitized widget settings interpolated into SQL expressions, combined with PDO's default multi-statement query support, to inject a maliciously serialized PHP object into the queue table. When the queue consumer processes the injected job, the unrestricted unserialize() call in yii2-queue instantiates a GuzzleHttp FileCookieJar gadget chain whose __destruct() method writes a PHP webshell to the server's webroot. The complete chain requires only three HTTP requests, no administrative privileges, and results in arbitrary command execution as the PHP process user, with queue processing triggered via an unauthenticated endpoint. This issue has been fixed in versions 4.10.3 and 5.5.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-13
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-04-14
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32271
EUVD
EUVD-2026-22075
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
craftcms craft_commerce From 4.0.0 (inc) to 4.10.2 (inc)
craftcms craft_commerce From 5.0.0 (inc) to 5.5.4 (inc)
craftcms craft_commerce 4.10.3
craftcms craft_commerce 5.5.5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Craft Commerce versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, specifically in the Commerce TotalRevenue widget. It is an SQL injection vulnerability that allows any authenticated control panel user to execute remote code on the server.

The attack works by exploiting unsanitized widget settings that are interpolated into SQL expressions. Because PDO's default multi-statement query support is enabled, an attacker can inject a maliciously serialized PHP object into the queue table.

When the queue consumer processes this injected job, an unrestricted unserialize() call in yii2-queue triggers a gadget chain in GuzzleHttp's FileCookieJar. This chain's destructor method writes a PHP webshell to the server's webroot.

The entire exploitation requires only three HTTP requests, no administrative privileges, and results in arbitrary command execution as the PHP process user. Queue processing is triggered via an unauthenticated endpoint.

This vulnerability has been fixed in versions 4.10.3 and 5.5.5.

Impact Analysis

This vulnerability can have severe impacts including allowing an attacker to execute arbitrary commands on the server hosting the Craft Commerce platform.

Since the exploit results in remote code execution with the privileges of the PHP process user, an attacker could potentially take full control of the server environment, access sensitive data, modify or delete files, and deploy malicious payloads such as webshells.

The attack requires only an authenticated control panel user and no administrative privileges, making it easier for attackers with limited access to escalate their control.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Craft Commerce to version 4.10.3 or later, or 5.5.5 or later, where the issue has been fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32271. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart