CraftCMS's `ElementSearchController` Affected by Blind SQL Injection
Description
Craft is a content management system (CMS). The ElementSearchController::actionSearch() endpoint is missing the unset() protection that was added to ElementIndexesController in CVE-2026-25495. The exact same SQL injection vulnerability (including criteria[orderBy], the original advisory vector) works on this controller because the fix was never applied to it. Any authenticated control panel user (no admin required) can inject arbitrary SQL via criteria[where], criteria[orderBy], or other query properties, and extract the full database contents via boolean-based blind injection. Users should update to the patched 5.9.9 release to mitigate the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Craft CMS 5.9.8 and earlier have a SQL injection in ElementSearchController::actionSearch() via unvalidated criteria parameters, allowing authenticated users to dump the database.
Root Cause
The ElementSearchController::actionSearch() endpoint in Craft CMS was not protected by the unset() fix applied to ElementIndexesController for CVE-2026-25495. This leaves it vulnerable to SQL injection through the same attack vector: unvalidated criteria[orderBy], criteria[where], and other query properties. [1][2]
Exploitation
An authenticated control panel user (no administrative privileges required) can craft a POST request to the /actions/element-search/search endpoint. By manipulating the JSON body parameters such as criteria[orderBy] or criteria[where], the attacker can inject arbitrary SQL into the database query. This is a blind SQL injection that can be exploited character-by-character using boolean-based techniques or time-based delays. [1][2]
Impact
Successful exploitation allows the attacker to extract the entire contents of the database, including sensitive data such as user credentials, site content, and configuration. The vulnerability can also be used to modify or destroy data, including dropping tables or altering schemas. [2]
Mitigation
Craft CMS released a patched version 5.9.9 that fixes this vulnerability by applying the same unset() protection to the search controller. Users are advised to update immediately. The commit that resolves the issue is referenced in the official changelog. [1][4]
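An added illustration of the kind of guard the fix describes, written for this page and not Craft's own `ElementHelper::cleanseQueryCriteria()`: it unsets request-supplied criteria keys that map onto raw-SQL-accepting `yii\db\Query` properties before the array is handed to `Craft::configure()`. The key list and the `CriteriaCleanser` name are assumptions; the sample request is constructed.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical cleanser (not Craft's own ElementHelper::cleanseQueryCriteria):
 * drops request-supplied criteria keys that map onto raw-SQL-accepting
 * yii\db\Query properties before the array reaches Craft::configure($query, ...).
 * Assumption: the key list below is illustrative, not Craft's actual list.
 */
final class CriteriaCleanser
{
    /** yii\db\Query properties that accept raw SQL fragments. */
    private const RAW_SQL_KEYS = [
        'select', 'from', 'where', 'orderBy', 'groupBy',
        'having', 'join', 'union', 'withQueries',
    ];

    /**
     * @param array<string,mixed> $criteria request-supplied criteria
     * @return array{0: array<string,mixed>, 1: list<string>} [cleaned criteria, dropped keys]
     */
    public static function cleanse(array $criteria): array
    {
        $forbidden = array_map('strtolower', self::RAW_SQL_KEYS);
        $dropped = [];
        foreach (array_keys($criteria) as $key) {
            // Non-string keys cannot name a property; lowercase compare so a
            // differently-cased variant is also refused rather than passed on.
            if (!is_string($key) || in_array(strtolower($key), $forbidden, true)) {
                unset($criteria[$key]);
                $dropped[] = (string) $key;
            }
        }
        return [$criteria, $dropped];
    }
}

// Constructed sample: ordinary search criteria plus two keys that would
// otherwise hand a raw SQL fragment to the query.
$incoming = [
    'status'  => 'live',
    'siteId'  => 1,
    'where'   => '<attacker-controlled SQL fragment>',
    'orderBy' => '<attacker-controlled SQL fragment>',
];
[$clean, $dropped] = CriteriaCleanser::cleanse($incoming);
assert($clean === ['status' => 'live', 'siteId' => 1]);
assert($dropped === ['where', 'orderBy']);
// $dropped is worth logging: a non-empty list on a search endpoint is a
// detection signal for probing of this vulnerability class.
```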
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| craftcms/cms (Packagist) | >= 5.0.0-RC1, < 5.9.9 | 5.9.9 |
Affected products
Patches (1)
e1a3dd669ae3 Fixed GHSA-g7j6-fmwx-7vp8
2 files changed · +5 −0
CHANGELOG.md+1 −0 modified@@ -9,6 +9,7 @@ - Fixed an error that could occur when editing an element with a Table field. ([#18408](https://github.com/craftcms/cms/pull/18408)) - Fixed an error that occurred when editing a Table field with no default rows. ([#18407](https://github.com/craftcms/cms/issues/18407)) - Fixed a [high-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) RCE vulnerability. (GHSA-fp5j-j7j4-mcxc) +- Fixed a [high-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) SQL injection vulnerability. (GHSA-g7j6-fmwx-7vp8) ## 5.9.8 - 2026-02-10
src/controllers/ElementSearchController.php+4 −0 modified@@ -14,6 +14,7 @@ use craft\errors\InvalidTypeException; use craft\helpers\Component; use craft\helpers\Cp; +use craft\helpers\ElementHelper; use craft\helpers\Search; use craft\web\Controller; use yii\web\BadRequestHttpException; @@ -59,6 +60,9 @@ public function actionSearch(): Response ->limit(5); if ($criteria) { + // Remove unsupported criteria attributes + $criteria = ElementHelper::cleanseQueryCriteria($criteria); + Craft::configure($query, Component::cleanseConfig($criteria)); }
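Review bot: the new `ElementHelper::cleanseQueryCriteria($criteria)` call in `actionSearch()` is the same guard that `ElementIndexesController` already had, and this controller missed it until now, so the hunk should come with a regression test that posts `criteria[where]` and `criteria[orderBy]` to this action and asserts they never reach `Craft::configure()`; otherwise the next controller that builds an element query from request criteria can repeat the omission. Consider also moving the cleanse into the shared path that turns request criteria into an element query, so each controller does not have to remember to call it before `Component::cleanseConfig()`.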
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- github.com/advisories/GHSA-g7j6-fmwx-7vp8 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-31858 (ghsa, ADVISORY)
- github.com/craftcms/cms/commit/e1a3dd669ae31491b86ad996e88a1d30d33d9a42 (ghsa, x_refsource_MISC, WEB)
- github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj (ghsa, WEB)
- github.com/craftcms/cms/security/advisories/GHSA-g7j6-fmwx-7vp8 (ghsa, x_refsource_CONFIRM, WEB)
News mentions (0)
No linked articles in our index yet.