Vulnerability DatabaseCVE-2026-55795
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-55795
Published:June 19, 2026
Updated:June 21, 2026
Summary The CartController defines a RateLimiter behavior that is only activated when the 'number' POST/GET parameter is explicitly provided. Details When an attacker submits coupon codes against the session-based cart (without passing a 'number' parameter), no rate limiting is applied. This allows unlimited attempts to guess coupon codes. Vulnerable Code <img width="864" height="90" alt="resim" src="https://github.com/user-attachments/assets/a5197f10-f1fd-4331-93f9-9479d0ceebba" /> <img width="881" height="272" alt="resim" src="https://github.com/user-attachments/assets/d9db963f-5d1f-4b00-a4b4-5f2dfe2b71dd" /><img width="861" height="271" alt="resim" src="https://github.com/user-attachments/assets/f7842493-3bc0-4e99-956c-7266bab15703" />PoC Complete instructions, including specific configuration details, to reproduce the vulnerability. <img width="909" height="171" alt="resim" src="https://github.com/user-attachments/assets/cfc8c994-5e0c-48de-b728-464029beba0e" />Impact An attacker can enumerate all coupon codes through automated requests. Remediation Apply rate limiting unconditionally on actionUpdateCart regardless of whether 'number' is present.
Affected Packages
https://github.com/craftcms/commerce.git (GITHUB):
Affected version(s) >=4.0.0 <4.11.2
Fix Suggestion:
Update to version 4.11.2
https://github.com/craftcms/commerce.git (GITHUB):
Affected version(s) >=5.0.0 <5.6.5
Fix Suggestion:
Update to version 5.6.5
craftcms/commerce (PHP):
Affected version(s) >=4.0.0 <4.11.2
Fix Suggestion:
Update to version 4.11.2
craftcms/commerce (PHP):
Affected version(s) >=5.0.0 <5.6.5
Fix Suggestion:
Update to version 5.6.5
Related Resources (3)
https://github.com/craftcms/commerce
https://github.com/craftcms/commerce/commit/df22c4f9c4ea7fb7857d833f755e49ea6f9f5bb5
https://github.com/craftcms/commerce/security/advisories/GHSA-h5gm-x9wr-vhcm
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
Improper Restriction of Excessive Authentication Attempts
CWE-307