CVE-2026-25495
published 2026-02-09


Priority: P2 | 61 | high | CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.50% (percentile 39.1)
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (JSON body). The application fails to sanitize this input before using it in the database query. An attacker with Control Panel access can inject arbitrary SQL into the ORDER BY clause by omitting viewState[order] (or setting both to the same payload). This issue is patched in versions 4.16.18 and 5.8.22.

Affected (8 ranges)

Vendor    Product    Version range             Fixed in
craftcms  cms
craftcms  cms        >= 4.0.0-RC1 < 4.16.18    4.16.18
craftcms  cms        >= 5.0.0-RC1 < 5.8.22     5.8.22
craftcms  craft_cms  < 4.16.18                 4.16.18
craftcms  craft_cms  < 5.8.22                  5.8.22
craftcms  craft_cms
craftcms  craft_cms
craftcms  craft_cms  >= 5.0.1 < 5.9.9          5.9.9

Detection & IOCs (extracted from sources)

url: element-indexes/get-elements
other: criteria[orderBy]
  • Monitor POST requests to the `element-indexes/get-elements` endpoint for JSON bodies containing a `criteria[orderBy]` parameter, especially those omitting `viewState[order]` or setting both to the same value — indicative of ORDER BY SQL injection attempts.
  • The same SQL injection vector (`criteria[orderBy]`) also applies to the `ElementSearchController::actionSearch()` endpoint (CVE-2026-31858), which did not receive the fix applied to ElementIndexesController — monitor both endpoints.
  • Watch for boolean-based blind SQL injection patterns in `criteria[where]`, `criteria[orderBy]`, or other query properties submitted to Craft CMS Control Panel endpoints by any authenticated user.
  • Exploitation requires an authenticated Control Panel user — not unauthenticated. Scope detection rules accordingly to authenticated sessions targeting the affected endpoints.
  • The related bypass (CVE-2026-31858) lowers the privilege bar further — no admin role required, only any authenticated Control Panel user.
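A log-triage helper that applies the first detection note above to captured request records, written here as an added example rather than code from the advisory or from Craft. It assumes the JSON body nests the parameters as {"criteria": {"orderBy": ...}, "viewState": {"order": ...}} and that a benign orderBy is a comma-separated list of column names with optional asc/desc; both are assumptions, not Craft's documented format.

```python
import json
import re
# Allowlist for a benign orderBy value (an assumption, not Craft's own grammar):
# comma-separated column names, each optionally followed by asc/desc.
SAFE_ORDER_BY = re.compile(
    r"^\s*[A-Za-z_][A-Za-z0-9_.]*(\s+(asc|desc))?"
    r"(\s*,\s*[A-Za-z_][A-Za-z0-9_.]*(\s+(asc|desc))?)*\s*$", re.IGNORECASE)
ENDPOINT = "element-indexes/get-elements"

def assess_request(method, path, body):
    """Return a finding for a request matching the advisory's pattern, else None."""
    if method.upper() != "POST" or not path.rstrip("/").endswith(ENDPOINT):
        return None
    try:
        data = json.loads(body)
    except ValueError:
        return None
    criteria = data.get("criteria") if isinstance(data, dict) else None
    view_state = data.get("viewState") if isinstance(data, dict) else None
    if not isinstance(criteria, dict):
        return None
    order_by = criteria.get("orderBy")
    if not isinstance(order_by, str):
        return None
    vs_order = view_state.get("order") if isinstance(view_state, dict) else None
    # The unsafe code path is reached only when viewState[order] is omitted
    # or equals criteria[orderBy]; any other request is not flagged.
    if vs_order is not None and vs_order != order_by:
        return None
    if SAFE_ORDER_BY.match(order_by):
        return None  # plain column reference, treated as benign
    reason = ("viewState[order] missing" if vs_order is None
              else "viewState[order] equals criteria[orderBy]")
    return f"suspicious orderBy {order_by!r} ({reason})"

def scan(requests):
    """Return [(index, finding)] for every flagged (method, path, body) tuple."""
    results = ((i, assess_request(*req)) for i, req in enumerate(requests))
    return [(i, f) for i, f in results if f]

# Constructed sample requests, not real traffic: (method, path, JSON body).
SAMPLE_REQUESTS = [
    ("POST", "/admin/element-indexes/get-elements",
     '{"criteria": {"orderBy": "title"}, "viewState": {"order": "title"}}'),
    ("POST", "/admin/element-indexes/get-elements",
     '{"criteria": {"orderBy": "id (constructed)"}}'),
    ("POST", "/admin/element-indexes/get-elements",
     '{"criteria": {"orderBy": "id (constructed)"}, "viewState": {"order": "id"}}'),
]
```

Only the second sample is reported: its orderBy is not a plain column reference and viewState[order] is absent, which is the condition the advisory describes.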

CVSS provenance

NVD, CVSS v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v4.0: 8.7 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X