php · craftcms/commerce · Heads-up
craftcms/commerce: Unconditional Rate Limiting for Coupon Submissions
What changed
The CartController's RateLimiter is only activated when the 'number' parameter is provided, leaving the session-based cart without rate limiting for coupon code submissions.
Who it affects
All Craft Commerce installations using coupon codes on session-based carts.
What to do today
Apply rate limiting unconditionally on actionUpdateCart regardless of whether 'number' is present.
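The gating described above, next to the unconditional form, as an added example that is not Craft Commerce's own code. `FixedWindowLimiter`, both `updateCart*` functions, the `couponCode` parameter name, the session-based key and the 5-per-60-seconds limit are hypothetical stand-ins.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a rate limiter: fixed window, in-memory counters.
final class FixedWindowLimiter
{
    private array $windows = [];

    public function __construct(private int $limit, private int $windowSeconds) {}

    public function allow(string $key, int $now): bool
    {
        $w = $this->windows[$key] ?? ['start' => $now, 'count' => 0];
        if ($now - $w['start'] >= $this->windowSeconds) {
            $w = ['start' => $now, 'count' => 0]; // window expired, start a new one
        }
        $w['count']++;
        $this->windows[$key] = $w;
        return $w['count'] <= $this->limit;
    }
}

// Behaviour the advisory describes: the limiter runs only when 'number' is sent.
function updateCartConditional(FixedWindowLimiter $l, array $params, string $sessionId, int $now): bool
{
    if (isset($params['number'])) {
        return $l->allow('cart:' . $params['number'], $now);
    }
    return true; // session-based cart: the request is never counted
}

// Recommended behaviour: always count, keyed by cart number or else by session.
function updateCartUnconditional(FixedWindowLimiter $l, array $params, string $sessionId, int $now): bool
{
    $key = isset($params['number']) ? 'cart:' . $params['number'] : 'session:' . $sessionId;
    return $l->allow($key, $now);
}

// Constructed input: 8 coupon submissions in one window, no 'number' parameter.
$params = ['couponCode' => 'EXAMPLE'];
$a = new FixedWindowLimiter(5, 60);
$b = new FixedWindowLimiter(5, 60);
$passedA = $passedB = 0;
for ($i = 0; $i < 8; $i++) {
    $passedA += (int) updateCartConditional($a, $params, 'sess-constructed', 1000 + $i);
    $passedB += (int) updateCartUnconditional($b, $params, 'sess-constructed', 1000 + $i);
}
printf("conditional: %d of 8 accepted\nunconditional: %d of 8 accepted\n", $passedA, $passedB);
```

Keying on the session alone is an assumption of this sketch. Production limits are usually also keyed on the client address, since a session identifier is supplied by the client.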