Vulnerability Description
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (JSON body). The application fails to sanitize this input before using it in the database query. An attacker with Control Panel access can inject arbitrary SQL into the ORDER BY clause by omitting viewState[order] (or setting both to the same payload). This issue is patched in versions 4.16.18 and 5.8.22.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Craftcms | Craft Cms | < 4.16.18 |
Related Weaknesses (CWE)
References
- https://github.com/craftcms/cms/commit/96c60d775c644ff0a0276da52fe29e11d4cd38d2Patch
- https://github.com/craftcms/cms/releases/tag/5.8.22Release Notes
- https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cjExploitVendor AdvisoryPatch
FAQ
What is CVE-2026-25495?
CVE-2026-25495 is a vulnerability with a CVSS score of 8.8 (HIGH). Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection...
How severe is CVE-2026-25495?
CVE-2026-25495 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-25495?
Check the references section above for vendor advisories and patch information. Affected products include: Craftcms Craft Cms.