craftcms/commerce Security Advisories for 5.5.4 (4)
-
[LOW] Craft Commerce has an unauthenticated information disclosure that can leak some customer order data on anonymous payments
PKSA-tnb8-k5sw-yxmk CVE-2026-32270 GHSA-3vxg-x5f8-f5qf
Affected version: >=4.0.0,<=4.10.2|>=5.0.0,<=5.5.4
Reported by:
GitHub
-
[HIGH] Craft Commerce has a SQL Injection that can lead to Remote Code Execution via the TotalRevenue Widget
PKSA-chpm-5f12-rdnt CVE-2026-32271 GHSA-875v-7m49-8x88
Affected version: >=4.0.0,<=4.10.2|>=5.0.0,<=5.5.4
Reported by:
GitHub
-
[HIGH] Craft Commerce hasVariant/hasProduct Blind SQL Injection
PKSA-nhg1-858f-sgm2 CVE-2026-32272 GHSA-r54v-qq87-px5r
Affected version: >=5.0.0,<5.6.0
Reported by:
GitHub
-
[MEDIUM] Craft Commerce: Potential IDOR in Commerce carts
PKSA-c2xz-ckr6-6mky CVE-2026-31867 GHSA-vff3-pqq8-4cpq
Affected version: >=4.0.0,<4.11.0|>=5.0.0,<5.6.0
Reported by:
GitHub
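The "Affected version" lines above use a compact range syntax. The following is an added example, not code from Craft CMS or from this advisory listing, that parses that syntax and checks the craftcms/commerce version recorded in a composer.lock against each of the four advisories. It assumes "|" separates alternative ranges (OR) and "," separates constraints that must all hold (AND); the composer.lock content is constructed for the example, and pre-release versions are ordered below their final release as in SemVer.

```python
import json
import re

# Identifiers and affected-version ranges as listed on the page.
# Assumed syntax: "|" = OR between alternative ranges, "," = AND within one.
ADVISORIES = [
    ("CVE-2026-32270", "GHSA-3vxg-x5f8-f5qf", ">=4.0.0,<=4.10.2|>=5.0.0,<=5.5.4"),
    ("CVE-2026-32271", "GHSA-875v-7m49-8x88", ">=4.0.0,<=4.10.2|>=5.0.0,<=5.5.4"),
    ("CVE-2026-32272", "GHSA-r54v-qq87-px5r", ">=5.0.0,<5.6.0"),
    ("CVE-2026-31867", "GHSA-vff3-pqq8-4cpq", ">=4.0.0,<4.11.0|>=5.0.0,<5.6.0"),
]

# Constructed composer.lock excerpt (not a real project's lock file).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "example/other-package", "version": "1.2.3"},
        {"name": "craftcms/commerce", "version": "5.5.4"},
    ]
})

_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}
# Operator (optional, defaults to "=") followed by a version string.
_CONSTRAINT = re.compile(r"^(>=|<=|>|<|=)?(v?\d[\w.\-]*)$")


def parse_version(text):
    """Turn '5.5.4' or 'v5.6.0-beta.1' into a comparable tuple.

    Missing components are padded with 0. A trailing element marks
    pre-releases (-1) below final releases (0), so 5.6.0-beta.1 < 5.6.0.
    """
    text = text.strip()
    if text.startswith("v"):
        text = text[1:]
    core, sep, _pre = text.partition("-")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts) + ((-1,) if sep else (0,))


def version_in_range(version, range_expr):
    """True if `version` satisfies any "|"-separated alternative,
    where each alternative is a ","-separated list of constraints."""
    v = parse_version(version)
    for alternative in range_expr.split("|"):
        satisfied = True
        for constraint in alternative.split(","):
            m = _CONSTRAINT.match(constraint.strip())
            if not m:
                raise ValueError(f"unparseable constraint: {constraint!r}")
            op = m.group(1) or "="
            if not _OPS[op](v, parse_version(m.group(2))):
                satisfied = False
                break
        if satisfied:
            return True
    return False


def installed_version(lock_json, package="craftcms/commerce"):
    """Return the locked version of `package` from composer.lock JSON, or None."""
    data = json.loads(lock_json)
    for pkg in data.get("packages", []):
        if pkg.get("name") == package:
            return pkg["version"]
    return None


def affected_advisories(version):
    """List (CVE, GHSA) pairs whose affected range contains `version`."""
    return [(cve, ghsa) for cve, ghsa, rng in ADVISORIES
            if version_in_range(version, rng)]


if __name__ == "__main__":
    ver = installed_version(SAMPLE_LOCK)
    print(f"craftcms/commerce {ver} is affected by:")
    for cve, ghsa in affected_advisories(ver):
        print(f"  {cve} ({ghsa})")
```

Note that the two advisories bounded by "<=5.5.4" and the two bounded by "<5.6.0" have different upper edges, so a 5.5.x release after 5.5.4 still matches the latter two; the check reports that difference rather than collapsing the page's ranges into one.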