HIGHCVE-2026-25495Published 2026-02-09Modified 2026-02-10CNA GitHub_M

CVE-2026-25495: Craft has a SQL Injection in Element Indexes via criteria[orderBy]

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (JSON body). The application fails to sanitize this input before using it in the database query. An attacker with Control Panel access can inject arbitrary SQL into the ORDER BY clause by omitting viewState[order] (or setting both to the same payload). This issue is patched in versions 4.16.18 and 5.8.22.

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

craftcms / cms
>= 5.0.0-RC1, < 5.8.22 · >= 4.0.0-RC1, < 4.16.18

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj
https://github.com/craftcms/cms/commit/96c60d775c644ff0a0276da52fe29e11d4cd38d2
https://github.com/craftcms/cms/releases/tag/5.8.22

Metrics