SQL injection chain enables control-panel RCE in Craft Commerce
TL;DR — A Craft Commerce SQL injection in the TotalRevenue widget can be chained into remote code execution by a low-privileged control panel user via multi-statement SQL and unsafe queue deserialization.
What happened
Craft Commerce is an ecommerce platform for Craft CMS. CVE-2026-32271 describes a SQL injection vulnerability in the Commerce TotalRevenue widget that can allow any authenticated control panel user to reach remote code execution via a multi-step exploitation chain.
Per the CVE record, exploitation starts with unsanitized widget settings being interpolated into SQL expressions. The chain then uses PDO’s default multi-statement query support to inject a maliciously serialized PHP object into the queue table. When the queue consumer processes the injected job, an unrestricted unserialize() in yii2-queue instantiates a Guzzle FileCookieJar gadget chain, whose __destruct() writes a PHP webshell to the server’s webroot.
Notably, the CVE record states that the full chain requires only three HTTP requests and no administrative privileges, and that queue processing can be triggered via an unauthenticated endpoint. This is a high-value pattern: “SQLi → deserialization gadget chain → file write → RCE” turns a data-layer bug into full application takeover using common PHP ecosystem behaviors.
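The first and second links of the chain described above are a widget setting interpolated into SQL text and a PDO connection that accepts stacked statements. The following PHP is an added illustration of that pattern beside its hardened form; it is not Craft Commerce's own code, and the table, column and setting names (commerce_orders, totalPrice, dateOrdered, the date-range setting) are assumptions chosen to resemble a revenue widget rather than the real implementation.

```php
<?php
// Added illustration, not Craft Commerce's code. Table, column and setting
// names are assumptions; the real TotalRevenue widget query differs.
declare(strict_types=1);

// Vulnerable pattern: a widget setting chosen by a control panel user is
// interpolated straight into the SQL string. If the driver also allows
// several statements per query, a crafted value can end the SELECT and
// append writes to unrelated tables (how the CVE chain reaches the queue).
function totalRevenueUnsafe(PDO $db, string $dateRange): float
{
    $sql = "SELECT COALESCE(SUM(totalPrice), 0) FROM commerce_orders "
         . "WHERE dateOrdered >= {$dateRange}"; // injection point
    return (float) $db->query($sql)->fetchColumn();
}

// Hardened pattern: the setting is checked against a closed list, turned into
// a value server-side, and bound as a parameter so it is never parsed as SQL.
const ALLOWED_RANGES = [
    'today' => 'P0D',
    'week'  => 'P7D',
    'month' => 'P30D',
    'year'  => 'P365D',
];

function totalRevenueSafe(PDO $db, string $dateRange): float
{
    if (!array_key_exists($dateRange, ALLOWED_RANGES)) {
        throw new InvalidArgumentException("Unknown date range: {$dateRange}");
    }
    $since = (new DateTimeImmutable('now', new DateTimeZone('UTC')))
        ->sub(new DateInterval(ALLOWED_RANGES[$dateRange]))
        ->format('Y-m-d H:i:s');

    $stmt = $db->prepare(
        'SELECT COALESCE(SUM(totalPrice), 0) FROM commerce_orders WHERE dateOrdered >= :since'
    );
    $stmt->execute([':since' => $since]);
    return (float) $stmt->fetchColumn();
}

// Defence in depth, not a substitute for the upgrade: refuse stacked
// statements at the driver level and use real (non-emulated) prepared
// statements so bound values never enter the SQL text. MULTI_STATEMENTS is a
// MySQL-driver attribute and must be set in the constructor options.
function connect(string $dsn, string $user, string $password): PDO
{
    return new PDO($dsn, $user, $password, [
        PDO::ATTR_ERRMODE                => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES       => false,
        PDO::MYSQL_ATTR_MULTI_STATEMENTS => false,
    ]);
}
```

Disabling multi-statements removes the "append another statement" step but leaves any injection inside the original SELECT intact, so it is a containment measure to apply alongside the fixed release, not instead of it. The allowlist in totalRevenueSafe is the real fix: user-chosen settings become keys into server-defined values, and only those values are bound.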
Who is impacted
- Projects running the Composer package craftcms/commerce in affected 4.x or 5.x release lines.
- Environments where non-admin users have authenticated control panel access (since the CVE states any authenticated control panel user can exploit the chain).
| Package | Affected versions (CVE record) | Fixed versions (CVE record) |
|---|---|---|
| craftcms/commerce | >= 4.0.0, < 4.10.3 | 4.10.3 |
| craftcms/commerce | >= 5.0.0, < 5.5.5 | 5.5.5 |
| Item | Source value |
|---|---|
| Weakness | CWE-89 SQL Injection |
| Severity | CVSS v4.0 7.7 (High) |
| CVSS vector | CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
What to do now
- Follow vendor remediation guidance and apply a release that includes the fix.
"This issue has been fixed in versions 4.10.3 and 5.5.5."
- Inventory where craftcms/commerce is deployed (Composer lockfiles, build artifacts, container images) and prioritize upgrades for any internet- or partner-reachable deployment.
- Treat this as an app-level compromise risk (not just data exposure): review which users have control panel access, and validate that the least-privilege model matches current reality.
- If compromise is suspected, investigate for indicators consistent with the described chain (unexpected queue jobs and unauthorized file creation in web-accessible paths), and rotate credentials reachable by the affected service.
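The two indicators named in the last step, unexpected queue jobs and new PHP files in web-accessible paths, can be checked with a small triage script. The PHP below is an added helper, not part of Craft, Craft Commerce or this advisory. It assumes the yii2-queue DB driver layout (a `queue` table with a serialized-job blob column `job` and a `timePushed` timestamp) and that legitimate job classes live under the namespace prefixes in `$trustedPrefixes`; both are assumptions to adjust to your site (custom modules and plugins push their own job classes) before acting on the output.

```php
<?php
// Added triage helper, not part of Craft or the advisory. Assumed schema:
// table `queue`, columns `id`, `job` (PHP-serialized job object), `timePushed`.
declare(strict_types=1);

/**
 * Return every class name referenced by a PHP serialize() payload.
 * yii2-queue stores jobs as serialized objects, so legitimate rows contain
 * class names too; the signal is a class outside the expected namespaces.
 */
function serializedClassNames(string $payload): array
{
    // O:<len>:"<class>" is an object marker, C:<len>:"<class>" a custom
    // serialization; checking <len> against the name avoids hits inside strings.
    preg_match_all('/[OC]:(\d+):"([^"]+)"/', $payload, $matches, PREG_SET_ORDER);
    $names = [];
    foreach ($matches as $match) {
        if ((int) $match[1] === strlen($match[2])) {
            $names[$match[2]] = true;
        }
    }
    return array_keys($names);
}

/** Rows whose payload references a class not under any trusted namespace prefix. */
function suspiciousQueueJobs(PDO $db, array $trustedPrefixes): array
{
    $findings = [];
    foreach ($db->query('SELECT id, job, timePushed FROM queue') as $row) {
        foreach (serializedClassNames((string) $row['job']) as $class) {
            $trusted = false;
            foreach ($trustedPrefixes as $prefix) {
                if (str_starts_with($class, $prefix)) {
                    $trusted = true;
                    break;
                }
            }
            if (!$trusted) {
                $findings[] = [
                    'id'         => (int) $row['id'],
                    'class'      => $class,
                    'timePushed' => (int) $row['timePushed'],
                ];
            }
        }
    }
    return $findings;
}

/** PHP files under $webroot whose mtime falls within the last $hours hours. */
function recentPhpFiles(string $webroot, int $hours): array
{
    $cutoff = time() - $hours * 3600;
    $hits = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($webroot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        if ($file->isFile()
            && strtolower($file->getExtension()) === 'php'
            && $file->getMTime() >= $cutoff) {
            $hits[] = $file->getPathname();
        }
    }
    return $hits;
}

if (PHP_SAPI === 'cli') {
    // Connection details come from the environment; defaults are placeholders.
    $db = new PDO(
        getenv('DB_DSN') ?: 'mysql:host=127.0.0.1;dbname=craft',
        getenv('DB_USER') ?: 'craft',
        getenv('DB_PASSWORD') ?: '',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
    );
    // Extend with the namespaces of your own modules and installed plugins.
    $trusted = ['craft\\', 'yii\\', 'DateTime', 'DateTimeZone', 'DateInterval'];

    foreach (suspiciousQueueJobs($db, $trusted) as $f) {
        printf("queue id %d pushed %s references %s\n",
            $f['id'], date('c', $f['timePushed']), $f['class']);
    }
    foreach (recentPhpFiles(getenv('WEBROOT') ?: '/var/www/html/web', 72) as $path) {
        echo "recent php file: {$path}\n";
    }
}
```

Run it with DB_DSN, DB_USER, DB_PASSWORD and WEBROOT set. A queue row referencing a class such as a Guzzle cookie jar, which no legitimate Craft job serializes, is the kind of finding to escalate; a PHP file that is not in your deployment manifest and has a recent mtime is the other. Note that a job the consumer has already run is deleted from the table, so an empty queue is not evidence of absence; pair the query with web server logs and file-integrity data for the same window.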
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
