Craft has a SQL Injection in Element Indexes via criteria[orderBy]

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (JSON body). The application fails to sanitize this input before using it in the database query. An attacker with Control Panel access can inject arbitrary SQL into the ORDER BY clause by omitting viewState[order] (or setting both to the same payload). This issue is patched in versions 4.16.18 and 5.8.22.

AI Analysis

SQL Injection vulnerability in Craft's element-indexes/get-elements endpoint via the criteria[orderBy] parameter

Basic Information

ID CVE-2026-25495

Source GitHub_M

Published Feb 9, 2026 at 19:42

Affected Product

Vendor craftcms

Product cms

Version >= 5.0.0-RC1, < 5.8.22

Affected Versions craftcms cms >= 5.0.0-RC1, < 5.8.22
craftcms cms >= 4.0.0-RC1, < 4.16.18

CWE Classification

CWE-89

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor Craft CMS

Product Craft

Version 4.0.0-RC1 to 4.16.17, 5.0.0-RC1 to 5.8.21

References

{
    "lastseen": "",
    "description": "Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (JSON body). The application fails to sanitize this input before using it in the database query. An attacker with Control Panel access can inject arbitrary SQL into the ORDER BY clause by omitting viewState[order] (or setting both to the same payload). This issue is patched in versions 4.16.18 and 5.8.22.",
    "published": "2026-02-09T19:42:57.778Z",
    "modified": "2026-02-09T19:42:57.778Z",
    "type": "cve",
    "title": "Craft has a SQL Injection in Element Indexes via criteria[orderBy]",
    "source": "GitHub_M",
    "references": "https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj\nhttps://github.com/craftcms/cms/commit/96c60d775c644ff0a0276da52fe29e11d4cd38d2\nhttps://github.com/craftcms/cms/releases/tag/5.8.22",
    "id": "CVE-2026-25495",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "craftcms cms >= 5.0.0-RC1, < 5.8.22\ncraftcms cms >= 4.0.0-RC1, < 4.16.18",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "cms",
    "version": ">= 5.0.0-RC1, < 5.8.22",
    "vendor": "craftcms",
    "ai_description": "SQL Injection vulnerability in Craft's element-indexes/get-elements endpoint via the criteria[orderBy] parameter",
    "ai_severity": "High",
    "ai_vendor": "Craft CMS",
    "ai_product": "Craft",
    "ai_version": "4.0.0-RC1 to 4.16.17, 5.0.0-RC1 to 5.8.21",
    "ai_score": 8.7
}

Craft has a SQL Injection in Element Indexes via criteria[orderBy]_CVE-2026-25495