Craft Commerce’s ProductQuery::hasVariant and VariantQuery::hasProduct properties bypass the unset() blocklist added to ElementIndexesController in GHSA-2453-mppf-46cj.
The blocklist only strips top-level Yii2 Query properties (where, orderBy, etc.), but hasVariant and hasProduct pass
through untouched. Internally, these properties call Craft::configure() on a subquery without sanitization, re-introducing SQL injection via criteria[hasVariant][where]=INJECTED_SQL.
An authenticated control panel user can perform boolean-based blind SQL injection through the patched ElementIndexesController and extract arbitrary database contents.
5.6.0Exploitability
AV:NAC:LAT:NPR:LUI:NVulnerable System
VC:HVI:HVA:HSubsequent System
SC:NSI:NSA:N8.7/CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N