CVE-2026-25495

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (JSON body). The application fails to sanitize this input before using it in the database query. An attacker with Control Panel access can inject arbitrary SQL into the ORDER BY clause by omitting viewState[order] (or setting both to the same payload). This issue is patched in versions 4.16.18 and 5.8.22.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/craftcms/cms/commit/96c60d775c644ff0a0276da52fe29e11d4cd38d2	Patch
https://github.com/craftcms/cms/releases/tag/5.8.22	Release Notes
https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj	Exploit Vendor Advisory Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:craftcms:craft_cms::::::::
	cpe:2.3:a:craftcms:craft_cms::::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:-::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3::::::
	cpe:2.3:a:craftcms:craft_cms:5.0.0:-::::::
	cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1::::::

History

19 Feb 2026, 19:18

Type	Values Removed	Values Added
CPE		cpe:2.3:a:craftcms:craft_cms:::::::: cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:::::: cpe:2.3:a:craftcms:craft_cms:4.0.0:-:::::: cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:::::: cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:::::: cpe:2.3:a:craftcms:craft_cms:5.0.0:-:::::: cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1::::::
First Time		Craftcms Craftcms craft Cms
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8
Summary		(es) Craft es una plataforma para crear experiencias digitales. En las versiones de Craft 4.0.0-RC1 hasta 4.16.17 y 5.0.0-RC1 hasta 5.8.21, el endpoint element-indexes/get-elements es vulnerable a inyección SQL a través del parámetro criteria[orderBy] (cuerpo JSON). La aplicación no sanea esta entrada antes de usarla en la consulta de la base de datos. Un atacante con acceso al Panel de Control puede inyectar SQL arbitrario en la cláusula ORDER BY al omitir viewState[order] (o al establecer ambos con la misma carga útil). Este problema está parcheado en las versiones 4.16.18 y 5.8.22.
References	~~() https://github.com/craftcms/cms/commit/96c60d775c644ff0a0276da52fe29e11d4cd38d2 -~~	() https://github.com/craftcms/cms/commit/96c60d775c644ff0a0276da52fe29e11d4cd38d2 - Patch
References	~~() https://github.com/craftcms/cms/releases/tag/5.8.22 -~~	() https://github.com/craftcms/cms/releases/tag/5.8.22 - Release Notes
References	~~() https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj -~~	() https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj - Exploit, Vendor Advisory, Patch

09 Feb 2026, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-09 20:15

Updated : 2026-02-19 19:18

NVD link : CVE-2026-25495

Mitre link : CVE-2026-25495

CVE.ORG link : CVE-2026-25495

JSON object : View

Products Affected

craftcms

craft_cms

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

8.8 /10