CVE-2026-25495
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (JSON body). The application fails to sanitize this input before using it in the database query. An attacker with Control Panel access can inject arbitrary SQL into the ORDER BY clause by omitting viewState[order] (or setting both to the same payload). This issue is patched in versions 4.16.18 and 5.8.22.
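The root cause described above is a general one: an ORDER BY target is an identifier, so it cannot be bound as a query parameter, and passing request text straight into the clause lets any SQL expression run. The following added example (not Craft's code, and not its schema; the `elements` table, the allowlist and the function names are constructed for illustration) shows the unsafe concatenation pattern beside an allowlist-based replacement, using sqlite3 so it runs offline.

```python
import sqlite3

# Constructed in-memory table standing in for an element index; not Craft's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE elements (id INTEGER, title TEXT, date_created TEXT)")
    conn.executemany("INSERT INTO elements VALUES (?, ?, ?)", [
        (1, "beta", "2024-02-01"),
        (2, "alpha", "2024-01-01"),
        (3, "gamma", "2024-03-01"),
    ])
    return conn

# The only sort columns and directions the endpoint is willing to emit.
# The SQL fragment is built from these tokens, never from the request text.
ALLOWED_ORDER_COLUMNS = {"id", "title", "date_created"}
ALLOWED_DIRECTIONS = {"asc", "desc"}

class InvalidOrderBy(ValueError):
    """Raised when a client-supplied orderBy is not on the allowlist."""

def parse_order_by(raw):
    """Validate an orderBy value such as "title desc" and return a safe SQL fragment."""
    parts = raw.strip().split()
    if len(parts) == 0 or len(parts) > 2:
        raise InvalidOrderBy(raw)
    column = parts[0].lower()
    direction = parts[1].lower() if len(parts) == 2 else "asc"
    if column not in ALLOWED_ORDER_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise InvalidOrderBy(raw)
    return f'"{column}" {direction.upper()}'

def accepts_order_by(raw):
    """True if the allowlist would accept this orderBy value, False otherwise."""
    try:
        parse_order_by(raw)
        return True
    except InvalidOrderBy:
        return False

def fetch_unsafe(conn, order_by):
    # Vulnerable pattern: request text is concatenated into ORDER BY unchanged.
    # Parameter binding does not help here, since identifiers cannot be bound,
    # so whatever expression the client sends is evaluated by the database.
    sql = "SELECT id FROM elements ORDER BY " + order_by
    return [row[0] for row in conn.execute(sql)]

def fetch_safe(conn, order_by):
    # Hardened pattern: the clause is assembled only from allowlisted tokens.
    sql = "SELECT id FROM elements ORDER BY " + parse_order_by(order_by)
    return [row[0] for row in conn.execute(sql)]

if __name__ == "__main__":
    conn = make_db()
    print(fetch_safe(conn, "date_created desc"))
    # An arbitrary expression (here a subquery) is evaluated on the unsafe path
    # but rejected by the allowlist on the safe path.
    expr = "CASE WHEN (SELECT count(*) FROM elements) > 2 THEN -id ELSE id END"
    print(fetch_unsafe(conn, expr))
    print(accepts_order_by(expr))
```

The detection side follows from the same observation: legitimate `criteria[orderBy]` values are a column name with an optional direction, so anything containing parentheses, quotes, semicolons or SQL keywords in that field is a reasonable thing to alert on or block at the WAF while the upgrade is rolled out.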
Analysis
SQL injection in Craft CMS 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21 allows authenticated Control Panel users to execute arbitrary SQL queries via the criteria[orderBy] parameter in the element-indexes/get-elements endpoint. The vulnerability stems from insufficient input sanitization in the ORDER BY clause, enabling attackers to manipulate database queries. …
Remediation
Within 24 hours: Identify all systems running Craft CMS and document affected versions; implement WAF rules to block malicious orderBy parameter payloads as interim protection. Within 7 days: Apply vendor patches to all affected instances (upgrade to 4.16.18+ or 5.8.22+) and validate patch deployment. …
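For the inventory step, the affected ranges given above translate directly into a version check. This added example (not part of the advisory or of vuln.today's tooling) encodes those inclusive ranges and the fixed versions, and flags which hosts in a constructed inventory still need the upgrade; it assumes that a pre-release tag such as `-RC1` can be dropped and the numeric part compared as-is, which matches the advisory's boundaries (each range starts at an RC and ends at a full release).

```python
import re

# Inclusive affected ranges and fixed versions, as stated in the advisory.
AFFECTED_RANGES = [
    ((4, 0, 0), (4, 16, 17)),
    ((5, 0, 0), (5, 8, 21)),
]
FIXED_VERSIONS = {4: "4.16.18", 5: "5.8.22"}

def parse_version(version):
    """Turn '4.16.17' or '5.0.0-RC1' into a comparable (major, minor, patch) tuple.
    Assumption: a pre-release suffix is ignored for the comparison."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.]+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    """True if the given Craft version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def triage(inventory):
    """inventory maps host name -> installed Craft version (constructed data).
    Returns {host: target_fixed_version} for every host that still needs patching."""
    return {
        host: FIXED_VERSIONS[parse_version(v)[0]]
        for host, v in inventory.items()
        if is_affected(v)
    }

if __name__ == "__main__":
    # Constructed sample inventory; hosts and versions are illustrative only.
    sample = {
        "web-1": "4.15.2",
        "web-2": "5.8.21",
        "web-3": "5.8.22",
        "staging": "4.0.0-RC1",
    }
    for host, target in triage(sample).items():
        print(f"{host}: upgrade to {target}")
```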
External POC / Exploit Code
GHSA-2453-mppf-46cj