← Back to CVEs
CVE-2026-25495
HIGH8.8
Description
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (JSON body). The application fails to sanitize this input before using it in the database query. An attacker with Control Panel access can inject arbitrary SQL into the ORDER BY clause by omitting viewState[order] (or setting both to the same payload). This issue is patched in versions 4.16.18 and 5.8.22.
CVE Details
CVSS v3.1 Score8.8
SeverityHIGH
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredLOW
User InteractionNONE
Published2/9/2026
Last Modified2/19/2026
Sourcenvd
Honeypot Sightings0
Affected Products
craftcms:craft_cms
Weaknesses (CWE)
CWE-89
References
https://github.com/craftcms/cms/commit/96c60d775c644ff0a0276da52fe29e11d4cd38d2(security-advisories@github.com)
https://github.com/craftcms/cms/releases/tag/5.8.22(security-advisories@github.com)
https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj(security-advisories@github.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.