CVE-2026-25495

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-25495

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

C

raft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (JSON body). The application fails to sanitize this input before using it in the database query. An attacker with Control Panel access can inject arbitrary SQL into the ORDER BY clause by omitting viewState[order] (or setting both to the same payload). This issue is patched in versions 4.16.18 and 5.8.22.

References
Link Resource
https://github.com/craftcms/cms/commit/96c60d775c644ff0a0276da52fe29e11d4cd38d2 Patch
https://github.com/craftcms/cms/releases/tag/5.8.22 Release Notes
https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj Exploit Vendor Advisory Patch
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
History

19 Feb 2026, 19:18

Type Values Removed Values Added
First Time Craftcms
Craftcms craft Cms
Summary
  • (es) Craft es una plataforma para crear experiencias digitales. En las versiones de Craft 4.0.0-RC1 hasta 4.16.17 y 5.0.0-RC1 hasta 5.8.21, el endpoint element-indexes/get-elements es vulnerable a inyección SQL a través del parámetro criteria[orderBy] (cuerpo JSON). La aplicación no sanea esta entrada antes de usarla en la consulta de la base de datos. Un atacante con acceso al Panel de Control puede inyectar SQL arbitrario en la cláusula ORDER BY al omitir viewState[order] (o al establecer ambos con la misma carga útil). Este problema está parcheado en las versiones 4.16.18 y 5.8.22.
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 8.8
CPE cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
References () https://github.com/craftcms/cms/commit/96c60d775c644ff0a0276da52fe29e11d4cd38d2 - () https://github.com/craftcms/cms/commit/96c60d775c644ff0a0276da52fe29e11d4cd38d2 - Patch
References () https://github.com/craftcms/cms/releases/tag/5.8.22 - () https://github.com/craftcms/cms/releases/tag/5.8.22 - Release Notes
References () https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj - () https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj - Exploit, Vendor Advisory, Patch

09 Feb 2026, 20:15

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-09 20:15

Updated : 2026-02-19 19:18

NVD link : CVE-2026-25495

Mitre link : CVE-2026-25495

CVE.ORG link : CVE-2026-25495

JSON object : View

Products Affected

craftcms

CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')