High severity · NVD Advisory · Published Feb 9, 2026 · Updated Feb 10, 2026
Craft has a SQL Injection in Element Indexes via criteria[orderBy]
CVE-2026-25495
Description
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL injection via the criteria[orderBy] parameter of the JSON request body. The application does not sanitize this value before interpolating it into the database query, so an attacker with Control Panel access can inject arbitrary SQL into the ORDER BY clause by omitting viewState[order] (or by setting both parameters to the same payload). The issue is patched in versions 4.16.18 and 5.8.22.
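The bug class in the description is an ORDER BY clause assembled from request input. The example below is added here and is not Craft's code or query: it uses a constructed SQLite table (names and columns are assumptions for the demo) to show why an injectable sort expression is exploitable even without UNION or error output, and then the hardened form, where the request may only pick a column from an allowlist and a direction, never contribute SQL text.

```python
import re
import sqlite3

# Constructed demo schema standing in for any table sorted by a
# user-supplied orderBy; it is not Craft's schema or query.
SCHEMA = """
CREATE TABLE elements (id INTEGER PRIMARY KEY, title TEXT, secret TEXT);
INSERT INTO elements VALUES (1, 'alpha', 'x'), (2, 'bravo', 'y'), (3, 'charlie', 'z');
"""


def new_conn():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def fetch_vulnerable(conn, order_by):
    """Interpolates the request-controlled orderBy into the SQL text: the bug
    class the advisory describes. Whatever the caller sends becomes ORDER BY."""
    sql = f"SELECT id FROM elements ORDER BY {order_by}"
    return [row[0] for row in conn.execute(sql)]


# Allowlist of columns a client may sort by (assumed for this demo).
SORTABLE_COLUMNS = {"id", "title"}
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_order_by(order_by):
    """Parse 'title DESC, id' into [('title', 'DESC'), ('id', 'ASC')].
    Each column must match the identifier grammar AND be on the allowlist;
    each direction must be ASC or DESC. Anything else is rejected, not escaped."""
    terms = []
    for part in order_by.split(","):
        tokens = part.split()
        if not 1 <= len(tokens) <= 2:
            raise ValueError(f"bad ORDER BY term: {part.strip()!r}")
        column = tokens[0]
        direction = tokens[1].upper() if len(tokens) == 2 else "ASC"
        if not _IDENT.match(column) or column not in SORTABLE_COLUMNS:
            raise ValueError(f"column not sortable: {column!r}")
        if direction not in ("ASC", "DESC"):
            raise ValueError(f"bad sort direction: {direction!r}")
        terms.append((column, direction))
    return terms


def fetch_hardened(conn, order_by):
    """Builds ORDER BY only from validated (column, direction) pairs."""
    clause = ", ".join(f'"{col}" {direction}' for col, direction in parse_order_by(order_by))
    return [row[0] for row in conn.execute(f"SELECT id FROM elements ORDER BY {clause}")]


def oracle_payload(guess):
    """Boolean-inference payload (constructed for the demo schema): the sort
    order flips depending on whether the guess for a secret is right, so the
    response order leaks data with no UNION and no error message."""
    return (
        "(CASE WHEN (SELECT secret FROM elements WHERE id = 1) = "
        f"'{guess}' THEN id ELSE -id END)"
    )


def run_demo():
    conn = new_conn()
    results = {
        "vulnerable_plain": fetch_vulnerable(conn, "id"),
        "vulnerable_guess_right": fetch_vulnerable(conn, oracle_payload("x")),
        "vulnerable_guess_wrong": fetch_vulnerable(conn, oracle_payload("q")),
        "hardened_plain": fetch_hardened(conn, "title DESC"),
    }
    try:
        fetch_hardened(conn, oracle_payload("x"))
        results["hardened_payload"] = "accepted"
    except ValueError as exc:
        results["hardened_payload"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point of the allowlist is that validation decides which SQL identifiers may appear; quoting or escaping the user string cannot help here because ORDER BY takes an expression, not a string literal, so any escaping layer still passes the expression through intact.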
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| craftcms/cms | Packagist | >= 5.0.0-RC1, < 5.8.22 | 5.8.22 |
| craftcms/cms | Packagist | >= 4.0.0-RC1, < 4.16.18 | 4.16.18 |
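Both ranges start at a release candidate, so a naive string or numeric comparison misplaces the lower bound. The triage helper below is added here and is not part of the advisory or of Craft: it reads the locked craftcms/cms version from a composer.lock (the standard "packages" / "name" / "version" layout) and checks it against the two ranges in the table, ranking pre-release suffixes alpha < beta < RC < final. The suffix grammar it accepts and the sample lock file are assumptions constructed for the demo.

```python
import json
import re

# Affected ranges as listed in the advisory's package table: lower bound
# inclusive, upper bound exclusive (the upper bound is the patched release).
AFFECTED_RANGES = [
    ("4.0.0-RC1", "4.16.18"),
    ("5.0.0-RC1", "5.8.22"),
]

# Assumed version grammar: MAJOR.MINOR.PATCH with an optional -alpha/-beta/-RC
# suffix and optional number, e.g. 4.16.17, v5.8.22, 5.0.0-RC1, 4.0.0-beta.1.
_VERSION = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)\.?(\d*))?$", re.IGNORECASE
)
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3  # a final release sorts after every pre-release of the same number


def parse_version(text):
    """Map a version string to a tuple that compares in release order."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    stage = m.group(4)
    if stage is None:
        return (major, minor, patch, _FINAL_RANK, 0)
    return (major, minor, patch, _STAGE_RANK[stage.lower()], int(m.group(5) or 0))


def is_affected(version):
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def cms_version_from_lock(composer_lock_text):
    """Return the locked craftcms/cms version, or None if it is not installed."""
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg.get("version")
    return None


def triage(composer_lock_text):
    version = cms_version_from_lock(composer_lock_text)
    if version is None:
        return {"version": None, "affected": False}
    return {"version": version, "affected": is_affected(version)}


# Constructed composer.lock fragment for the demo (only the fields used here).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.8.21"},
        {"name": "yiisoft/yii2", "version": "2.0.49"},
    ]
})

if __name__ == "__main__":
    print(triage(SAMPLE_LOCK))
```

Run it against a real composer.lock by passing the file's contents to triage(); a result of affected: True means the site is on a release that is still exposed and needs the patched version from the table.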
References
- github.com/advisories/GHSA-2453-mppf-46cj (GitHub Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-25495 (NVD)
- github.com/craftcms/cms/commit/96c60d775c644ff0a0276da52fe29e11d4cd38d2 (fix commit)
- github.com/craftcms/cms/releases/tag/4.16.18 (release notes)
- github.com/craftcms/cms/releases/tag/5.8.22 (release notes)
- github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj (vendor advisory)