CVE-2026-25495

moderate-risk

Published 2026-02-09

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (JSON body). The application fails to sanitize this input before using it in the database query. An attacker with Control Panel access can inject arbitrary SQL into the ORDER BY clause by omitting viewState[order] (or setting both to the same payload). This issue is patched in versions 4.16.18 and 5.8.22.

Do I need to act?

0.01% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (7)

Craft Cms

Affected Vendors

Craftcms

References (3)

Patch https://github.com/craftcms/cms/commit/96c60d775c644ff0a0276da52fe29e11d4cd38d2

Release Notes https://github.com/craftcms/cms/releases/tag/5.8.22

Exploit https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj

/ 100

moderate-risk

Severity 30/34 · Critical

Exploitability 0/34 · Minimal

Exposure 14/34 · Moderate