CVE-2026-25495 — SQL Injection in Craft CMS

CWE-89 — SQL Injection8 documents5 sources

Severity

8.7HIGHNVD

EPSS

0.0%

top 97.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Craftcms Craft CMS Craftcms CMS

Timeline

PublishedFeb 9

Latest updateMar 11

Description

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (JSON body). The application fails to sanitize this input before using it in the database query. An attacker with Control Panel access can inject arbitrary SQL into the ORDER BY clause by omitting viewState[order] (or setting both to the same payload). This issue…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

▶Packagistcraftcms/cms5.0.0-RC1 — 5.8.22+1

▶NVDcraftcms/craft_cms5.0.1 — 5.9.9+4

▶CVEListV5craftcms/cms>= 4.0.0-RC1, < 4.16.18, >= 5.0.0-RC1, < 5.8.22, >= 5.0.0-RC1, <= 5.9.8+2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

CraftCMS's `ElementSearchController` Affected by Blind SQL Injection↗2026-03-11

▶

GHSA

Craft CMS Vulnerable to SQL Injection in Element Indexes via `criteria[orderBy]`↗2026-02-09

▶

OSV

Craft CMS Vulnerable to SQL Injection in Element Indexes via `criteria[orderBy]`↗2026-02-09

▶

CVEList

Craft has a SQL Injection in Element Indexes via criteria[orderBy]↗2026-02-09

▶

🕵️Threat Intelligence

Wiz

CVE-2026-25495 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-31858 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶