Improper Validation of Specified Quantity in Input Affecting craftcms/commerce package, versions >=4.0.0, <4.11.2 and >=5.0.0, <5.6.5


Severity

medium (CVSS assessment by Snyk's Security Team)

  • Snyk ID: SNYK-PHP-CRAFTCMSCOMMERCE-17660441
  • published: 27 Jun 2026
  • disclosed: 19 Jun 2026
  • credit: Unknown

Introduced: 19 Jun 2026

CVE: not available
CWE: CWE-1284

How to fix?

Upgrade craftcms/commerce to version 4.11.2, 5.6.5 or higher.

Overview

craftcms/commerce is the Craft Commerce package, the e-commerce plugin for Craft CMS.

Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input in the Order::setPaymentAmount process. Payment validation can be bypassed by submitting a zero or negative value for the paymentAmount parameter, potentially resulting in an order being marked as paid without a valid transaction. This is only exploitable if the store's 'Allow Partial Payment on Checkout' setting is enabled; a store that cannot upgrade immediately removes the exploit precondition by disabling that setting until it can.
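To make the missing check concrete, here is an added example that is not Craft Commerce's code: a simplified model of how a checkout might accept a client-supplied paymentAmount, with the weak validation (upper bound only) beside a hardened version. The Checkout class, its method names, the exception type and the request values are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Illustrative, simplified model of a checkout's partial-payment amount handling.
 * Added to this advisory as an example; it is not Craft Commerce's own code, and
 * the class, method and exception names are assumptions.
 */
final class PaymentAmountException extends InvalidArgumentException {}

final class Checkout
{
    public function __construct(
        private float $outstandingBalance,
        private bool $allowPartialPayment,
    ) {}

    /**
     * Weak pattern: only the upper bound is checked, so "0" and "-100" pass,
     * and non-numeric strings cast to 0.0 and pass as well.
     */
    public function setPaymentAmountUnchecked(mixed $raw): float
    {
        $amount = (float) $raw;
        if ($amount > $this->outstandingBalance) {
            throw new PaymentAmountException('Payment amount exceeds the outstanding balance.');
        }
        return $amount;
    }

    /**
     * Hardened pattern: when partial payments are disabled the client value is
     * ignored entirely; otherwise it must parse as a finite number, still be
     * strictly positive after rounding to the currency's minor unit, and not
     * exceed the outstanding balance.
     */
    public function setPaymentAmount(mixed $raw): float
    {
        if (!$this->allowPartialPayment) {
            return $this->outstandingBalance;
        }
        $amount = filter_var($raw, FILTER_VALIDATE_FLOAT);
        if ($amount === false || !is_finite($amount)) {
            throw new PaymentAmountException('Payment amount is not a number.');
        }
        // Round before the sign check so values like 1e-9 cannot become 0.00 later.
        $amount = round($amount, 2);
        if ($amount <= 0.0) {
            throw new PaymentAmountException('Payment amount must be greater than zero.');
        }
        if ($amount > $this->outstandingBalance) {
            throw new PaymentAmountException('Payment amount exceeds the outstanding balance.');
        }
        return $amount;
    }
}

// Constructed request values standing in for the untrusted paymentAmount parameter.
$requests = ['0', '-100', '1e-9', 'NaN', 'abc', '20.00', '50.00', '50.01'];
$checkout = new Checkout(outstandingBalance: 50.00, allowPartialPayment: true);

printf("%-8s %-16s %s\n", 'input', 'unchecked', 'hardened');
foreach ($requests as $raw) {
    try {
        $unchecked = sprintf('accepts %.2f', $checkout->setPaymentAmountUnchecked($raw));
    } catch (PaymentAmountException $e) {
        $unchecked = 'rejects';
    }
    try {
        $hardened = sprintf('accepts %.2f', $checkout->setPaymentAmount($raw));
    } catch (PaymentAmountException $e) {
        $hardened = 'rejects: ' . $e->getMessage();
    }
    printf("%-8s %-16s %s\n", $raw, $unchecked, $hardened);
}
```

Run with any PHP 8 interpreter. The unchecked path accepts 0.00 for "0", "NaN" and "abc" and accepts -100.00 for "-100", which is the class of input the advisory describes; the hardened path rejects every row except 20.00 and 50.00. The same class constructed with allowPartialPayment set to false returns the full outstanding balance for every input, mirroring the advisory's note that the issue is reachable only when partial payment at checkout is enabled.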
