SQL Injection Vulnerability in Craft Platform by Craft CMS
CVE-2026-25495
8.7 HIGH
What is CVE-2026-25495?
Craft CMS versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21 are vulnerable to SQL injection in the element-indexes/get-elements endpoint because of insufficient validation of user input. The criteria[orderBy] value from the JSON request body is placed into the query's ORDER BY clause, so an authenticated user with Control Panel access can inject arbitrary SQL into that clause. The issue is fixed in 4.16.18 and 5.8.22; installations that cannot upgrade immediately should treat Control Panel access as a trust boundary and restrict it to accounts that need it.
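The following Python sketch is an added example, not Craft's code and not tied to its schema or parameter handling. It shows the general weakness behind an ORDER BY injection: a sort column is an identifier, not a value, so it cannot be bound with a placeholder and is often interpolated as text. The elements and secrets tables, the column allow-list and the probe payload are all constructed for the example; the hardened variant beside the vulnerable one shows the allow-list check that closes the hole.

```python
import sqlite3

# Allow-lists for the hardened variant: the only column names and sort
# directions that may ever reach the SQL text (constructed for this example).
ALLOWED_ORDER_COLUMNS = {"id", "title", "dateCreated"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def setup_db():
    """Build a throwaway in-memory schema: an 'elements' table to sort and a
    'secrets' table the attacker wants to read. Both are constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE elements (id INTEGER PRIMARY KEY, title TEXT, dateCreated TEXT);
        INSERT INTO elements (title, dateCreated) VALUES ('b', '2024-01-02'), ('a', '2024-01-01');
        CREATE TABLE secrets (id INTEGER PRIMARY KEY, value TEXT);
        INSERT INTO secrets (value) VALUES ('s3cr3t');
        """
    )
    return conn


def get_elements_vulnerable(conn, order_by):
    """Vulnerable pattern: ORDER BY takes an identifier or expression, not a
    value, so a ? placeholder cannot be used and the raw string is interpolated."""
    sql = f"SELECT id, title FROM elements ORDER BY {order_by}"
    return conn.execute(sql).fetchall()


def get_elements_hardened(conn, order_by):
    """Hardened pattern: parse 'column [ASC|DESC]' and accept each token only if
    it is in the allow-list; anything else is rejected before touching SQL."""
    parts = order_by.split()
    if not 1 <= len(parts) <= 2:
        raise ValueError("orderBy must be 'column [ASC|DESC]'")
    column = parts[0]
    direction = parts[1].upper() if len(parts) == 2 else "ASC"
    if column not in ALLOWED_ORDER_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"orderBy not permitted: {order_by!r}")
    # Only allow-listed tokens reach the query; quoting the identifier is belt and braces.
    sql = f'SELECT id, title FROM elements ORDER BY "{column}" {direction}'
    return conn.execute(sql).fetchall()


def order_by_oracle_payload(prefix):
    """Attacker-controlled orderBy value: the sort key depends on a condition
    about data in another table, so the row order leaks one bit per request."""
    return (
        "CASE WHEN (SELECT value FROM secrets LIMIT 1) LIKE "
        f"'{prefix}' THEN id ELSE title END"
    )


def probe_secret_prefix(conn, prefix):
    """Run the oracle through the vulnerable function and decode the bit:
    sorting by id puts row 1 first; sorting by title puts row 2 ('a') first."""
    rows = get_elements_vulnerable(conn, order_by_oracle_payload(prefix))
    return rows[0][0] == 1


def hardened_rejects(conn, order_by):
    """True if the hardened variant refuses the given orderBy value."""
    try:
        get_elements_hardened(conn, order_by)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = setup_db()
    print(get_elements_hardened(db, "title DESC"))  # legitimate sort still works
    print(probe_secret_prefix(db, "s%"), probe_secret_prefix(db, "x%"))  # True False
    print(hardened_rejects(db, order_by_oracle_payload("s%")))  # True
```

The point of the probe is that no error message or data column is needed: the attacker only watches which row comes back first, so the technique works even when the endpoint returns nothing but sorted IDs. The fix is not escaping but mapping the request value onto a closed set of column names and directions the application already knows.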
Affected Version(s)
Package   Affected range              Unaffected
cms       >= 5.0.0-RC1, < 5.8.22      < 5.0.0-RC1, 5.8.22
cms       >= 4.0.0-RC1, < 4.16.18     < 4.0.0-RC1, 4.16.18
