CVE-2026-32272: Craft Commerce hasVariant/hasProduct Blind SQL Injection
- Full database read access via blind SQL injection
- Privilege escalation via security key extraction → forged admin sessions
References
- github.com/advisories/GHSA-2453-mppf-46cj
- github.com/advisories/GHSA-r54v-qq87-px5r
- github.com/craftcms/commerce
- github.com/craftcms/commerce/pull/4232
- github.com/craftcms/commerce/releases/tag/5.6.0
- github.com/craftcms/commerce/security/advisories/GHSA-r54v-qq87-px5r
- nvd.nist.gov/vuln/detail/CVE-2026-32272