CVE-2026-31867

MEDIUM EPSS 20.1%
Published Mar 11, 20263mo ago · Modified Jun 17, 20261w ago
6.3 CVSS 4.0
Medium
Find Similar
Published Mar 11, 2026 3mo ago
Last Modified Jun 17, 2026 1w ago

Description

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.11.0 and 5.6.0, An Insecure Direct Object Reference (IDOR) vulnerability exists in Craft Commerce’s cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character number. The CartController accepts a user-supplied number parameter to load and modify shopping carts. No ownership validation is performed - the code only checks if the order exists and is incomplete, not whether the requester has authorization to access it. This vulnerability enables the takeover of shopping sessions and potential exposure of PII. This vulnerability is fixed in 4.11.0 and 5.6.0.

CVSS Details

Base Score
6.3
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
20.1% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-639

Affected Products 2

VendorProductVersionRange
craftcmscraft_commerce*≥4.0.0  –  <4.11.0
craftcmscraft_commerce*≥5.0.0  –  <5.6.0

References 2

  • github.com https://github.com/craftcms/commerce/pull/4207
    Issue TrackingPatch
  • github.com https://github.com/craftcms/commerce/security/advisories/GHSA-vff3-pqq8-4cpq
    ExploitPatchVendor Advisory

Remediation

  • github.com https://github.com/craftcms/commerce/pull/4207
    Issue TrackingPatch
  • github.com https://github.com/craftcms/commerce/security/advisories/GHSA-vff3-pqq8-4cpq
    ExploitPatchVendor Advisory