Description
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (JSON body). The application fails to sanitize this input before using it in the database query. An attacker with Control Panel access can inject arbitrary SQL into the ORDER BY clause by omitting viewState[order] (or setting both to the same payload). This issue is patched in versions 4.16.18 and 5.8.22.
Published: 2026-02-09
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

Craft CMS contains a flaw in the element-indexes/get-elements endpoint that allows an attacker with Control Panel access to inject arbitrary SQL through the criteria[orderBy] field of a JSON request body. The unsanitized input is incorporated directly into an ORDER BY clause, enabling the attacker to read, modify, or delete data in the underlying database. This is a classic SQL Injection vulnerability described by CWE-89.

Affected Systems

The issue affects Craft CMS versions 4.0.0‑RC1 through 4.16.17 and 5.0.0‑RC1 through 5.8.21. These releases lack input validation for the orderBy parameter. Versions 4.16.18, 5.8.22, and later include a patch that removes the vulnerable code path.

Risk and Exploitability

The CVSS score of 8.7 indicates high potential impact. The EPSS score of <1% implies that known exploitation attempts are extremely rare. The vulnerability is not listed in CISA’s KEV catalog. Successful exploitation requires Control Panel access and the ability to submit a request to element-indexes/get-elements; the attacker can then inject malicious SQL that runs under the database credentials of the application, allowing data exfiltration or alteration.

Generated by OpenCVE AI on April 18, 2026 at 12:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft CMS to version 4.16.18 or 5.8.22 or later to apply the official fix.
  • Restrict Control Panel access to trusted administrators and enforce least‑privilege policies so that only authorized users can reach the element-indexes/get-elements endpoint.
  • Disable or block the element-indexes/get-elements endpoint for untrusted users or IP addresses if the application allows such configuration.
  • Conduct a review of all database queries in the application to ensure no other input parameters are concatenated without proper sanitization.

Generated by OpenCVE AI on April 18, 2026 at 12:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-2453-mppf-46cj Craft CMS Vulnerable to SQL Injection in Element Indexes via `criteria[orderBy]`
History

Thu, 19 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms craft Cms
CPEs cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
Vendors & Products Craftcms craft Cms
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Tue, 10 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms
Craftcms craftcms
Vendors & Products Craftcms
Craftcms craftcms

Mon, 09 Feb 2026 20:00:00 +0000

Type Values Removed Values Added
Description Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (JSON body). The application fails to sanitize this input before using it in the database query. An attacker with Control Panel access can inject arbitrary SQL into the ORDER BY clause by omitting viewState[order] (or setting both to the same payload). This issue is patched in versions 4.16.18 and 5.8.22.
Title Craft has a SQL Injection in Element Indexes via criteria[orderBy]
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Craftcms Craft Cms Craftcms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-10T16:00:20.118Z

Reserved: 2026-02-02T16:31:35.824Z

Link: CVE-2026-25495

cve-icon Vulnrichment

Updated: 2026-02-10T15:32:11.039Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-09T20:15:58.080

Modified: 2026-02-19T19:18:14.197

Link: CVE-2026-25495

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T13:00:08Z

Weaknesses