Description
Craft is a content management system (CMS). The ElementSearchController::actionSearch() endpoint is missing the unset() protection that was added to ElementIndexesController in CVE-2026-25495. The exact same SQL injection vulnerability (including criteria[orderBy], the original advisory vector) works on this controller because the fix was never applied to it. Any authenticated control panel user (no admin required) can inject arbitrary SQL via criteria[where], criteria[orderBy], or other query properties, and extract the full database contents via boolean-based blind injection. Users should update to the patched 5.9.9 release to mitigate the issue.
Published: 2026-03-11
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Patch Now
AI Analysis

Impact

CraftCMS's ElementSearchController::actionSearch() endpoint is missing the unset() protection that was added to the related ElementIndexesController for CVE-2026-25495, allowing an authenticated control-panel user to inject arbitrary SQL through criteria[where], criteria[orderBy], or other query properties. The vulnerability enables boolean-based blind SQL injection that can retrieve the entire database, resulting in a full data compromise. The weakness is classified as CWE-89 (SQL Injection) and carries a CVSS score of 8.7.

Affected Systems

The issue affects Craft CMS versions matched by the CPEs cpe:2.3:a:craftcms:craft_cms:5.0.0 and cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1, as well as other versions prior to the 5.9.9 release, which contains the patch. Any installation that exposes the element search endpoint and has not been updated to 5.9.9 or newer is vulnerable.

Risk and Exploitability

The CVSS score indicates a high severity, while the EPSS score of less than 1% suggests that exploitation is currently uncommon. The vulnerability requires authentication to the CraftCMS control panel but does not require administrative privileges, making the attack vector accessible to a wide range of users. Although the exploitation complexity is moderate, the potential impact on data confidentiality and integrity is significant. The vulnerability is not listed in CISA’s KEV catalog, indicating it has not yet been widely exploited in the wild.

Generated by OpenCVE AI on March 17, 2026 at 17:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the CraftCMS update to version 5.9.9 or newer to remove the SQL injection flaw.
  • If an immediate upgrade is not possible, remove or disable all authenticated control panel user accounts with search access until the patch is applied.
  • Monitor database and control‑panel logs for unusual query activity that could indicate an attempt to exploit the blind SQL injection vulnerability.

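Added detection example (not from the advisory and not Craft's own code): it scans constructed web-server access-log lines for control-panel requests carrying the criteria[where] or criteria[orderBy] properties named above, including double-encoded brackets. The request path in the sample lines is an assumed placeholder; the check does not depend on it.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Query properties the advisory names as injection vectors (compared case-insensitively).
RISKY_CRITERIA = {"where", "orderby"}

# Constructed sample access-log lines in combined log format (not real traffic).
# The /admin/actions/... path is an assumed placeholder, not Craft's documented route.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Mar/2026:18:20:01 +0000] "GET /admin/actions/element-search/search?criteria%5Btitle%5D=hello HTTP/1.1" 200 512
10.0.0.7 - - [11/Mar/2026:18:20:03 +0000] "GET /admin/actions/element-search/search?criteria%5BorderBy%5D=id%20DESC HTTP/1.1" 200 611
10.0.0.9 - - [11/Mar/2026:18:20:05 +0000] "GET /admin/actions/element-search/search?criteria%5Bwhere%5D%5B0%5D=1 HTTP/1.1" 200 601
10.0.0.5 - - [11/Mar/2026:18:20:07 +0000] "GET /admin/dashboard HTTP/1.1" 200 8192
"""

# Client IP, timestamp, method and request target from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)
# Top-level property name inside criteria[...] (criteria[where][0] -> "where").
CRITERIA_KEY_RE = re.compile(r"^criteria\[([^\]]+)\]")


def risky_criteria_keys(target: str) -> list[str]:
    """Return the criteria[...] properties in a request target that the advisory flags."""
    found = []
    for key, _value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl decodes once; decoding again catches double-encoded brackets (%255B).
        m = CRITERIA_KEY_RE.match(unquote_plus(key))
        if m and m.group(1).lower() in RISKY_CRITERIA:
            found.append(m.group(1))
    return found


def scan_log(text: str) -> list[dict]:
    """Return one finding per log line whose request carries a risky criteria property."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        keys = risky_criteria_keys(m["target"])
        if keys:
            findings.append({"line": lineno, "ip": m["ip"], "keys": keys})
    return findings
```

Criteria sent in a POST body do not appear in an access log, so pair this with application-level request logging.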

Advisories

Source: GitHub GHSA
ID: GHSA-g7j6-fmwx-7vp8
Title: CraftCMS's `ElementSearchController` Affected by Blind SQL Injection

History

Tue, 17 Mar 2026 14:15:00 +0000

Values added:
  First time appeared: Craftcms craft Cms
  CPEs: cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
        cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
        cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
  Vendors & Products: Craftcms craft Cms
  Metrics (cvssV3_1): {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 12 Mar 2026 14:15:00 +0000

Values added:
  Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Values added:
  First time appeared: Craftcms; Craftcms craftcms
  Vendors & Products: Craftcms; Craftcms craftcms

Wed, 11 Mar 2026 18:00:00 +0000

Values added:
  Description: (identical to the description at the top of this page)
  Title: CraftCMS's `ElementSearchController` Affected by Blind SQL Injection
  Weaknesses: CWE-89
  References:
  Metrics (cvssV4_0): {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T14:01:14.728Z

Reserved: 2026-03-09T19:02:25.011Z

Link: CVE-2026-31858

Vulnrichment

Updated: 2026-03-12T14:01:08.639Z

NVD

Status : Analyzed

Published: 2026-03-11T18:16:24.527

Modified: 2026-03-17T14:05:38.050

Link: CVE-2026-31858

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:30:13Z

Weaknesses