GHSA-78vr-q6cf-c7p6: Craft Commerce: Partial Payment Amount Without Lower Bound Validation

June 19, 2026

The Order::setPaymentAmount() method accepts any float value without enforcing a minimum positive amount. The PaymentsController casts the user-supplied ‘paymentAmount’ parameter directly to float with no lower-bound check.

References

github.com/advisories/GHSA-78vr-q6cf-c7p6
github.com/craftcms/commerce/commit/9a88392b3074aa132a9455d4f4b582411df52c74
github.com/craftcms/commerce/security/advisories/GHSA-78vr-q6cf-c7p6

Code Behaviors & Features

Detect and mitigate GHSA-78vr-q6cf-c7p6 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →