CVE-2026-25495
📋 TL;DR
This CVE describes a SQL injection vulnerability in Craft CMS affecting the element-indexes/get-elements endpoint. Attackers with Control Panel access can inject arbitrary SQL via the criteria[orderBy] parameter, potentially accessing or manipulating database content. The vulnerability affects Craft CMS versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21.
💻 Affected Systems
- Craft CMS
📦 What is this software?
Craft Cms by Craftcms
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data exfiltration, modification, or deletion; potential privilege escalation to full system access if database permissions allow.
Likely Case
Unauthorized data access and extraction from the Craft CMS database, potentially exposing sensitive user information, content, or configuration data.
If Mitigated
With criteria[orderBy] restricted to an allowlist of sortable attributes and the application's database account limited to its own schema, the injected fragment never reaches the database, and any residual exposure is bounded by what that account can already read.
🎯 Exploit Status
Exploitation requires authenticated access to the Control Panel; SQL injection in ORDER BY clause is well-documented attack vector.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.16.18 and 5.8.22
Vendor Advisory: https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj
Restart Required: No
Instructions:
1. Update Craft CMS to version 4.16.18 or later (4.x branch) or 5.8.22 or later (5.x branch).
2. With Composer, run composer update craftcms/cms (raise the version constraint in composer.json first if it pins an older release).
3. Clear caches and confirm the installed version with php craft --version.
🔧 Temporary Workarounds
Input Validation Filter
Implement custom validation that restricts criteria[orderBy] to an allowlist of known sortable attributes (a fixed set of column or field handles, optionally followed by asc or desc).
Reject any value outside that allowlist rather than trying to sanitize it: identifiers in an ORDER BY clause cannot be bound as parameters, so escaping is not a reliable defense here.
Access Restriction
Restrict Control Panel access to trusted users only; exploitation requires an authenticated Control Panel session.
Implement IP whitelisting for Control Panel access
Enforce strong authentication requirements
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block SQL injection patterns in POST requests to the element-indexes/get-elements action. Treat this as a stopgap: keyword-based rules miss ORDER BY payloads that contain no UNION or SELECT, so prefer a rule that rejects any criteria[orderBy] value outside the expected attribute/direction grammar.
- Run Craft under a least-privilege database account. Craft needs write access to its own tables, so read-only is not practical; instead grant privileges only on the Craft schema and withhold server-level privileges (for example FILE or SUPER on MySQL) so an injected query cannot reach other databases or the filesystem.
🔍 How to Verify
Check if Vulnerable:
Check the Craft CMS version in the Control Panel or in composer.lock; versions from 4.0.0-RC1 up to and including 4.16.17, and from 5.0.0-RC1 up to and including 5.8.21, are vulnerable.
Check Version:
php craft --version or check composer.lock for craftcms/cms version
Verify Fix Applied:
Confirm the installed version is 4.16.18 or later (4.x) or 5.8.22 or later (5.x). If you test the endpoint, do it on a non-production copy: a criteria[orderBy] value that is not a known sortable attribute should be rejected or ignored rather than reaching the database.
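The version check above can be scripted against composer.lock. The following is an added example for this page, not Craft CMS or vendor code; the composer.lock fragment it reads is constructed, and the range boundaries (first fixed releases 4.16.18 and 5.8.22) come from the advisory text above.

```python
"""Decide whether an installed craftcms/cms version is in the CVE-2026-25495
affected ranges (4.0.0-RC1..4.16.17, 5.0.0-RC1..5.8.21) from composer.lock.

Added example for this page, not Craft CMS or vendor code. The composer.lock
fragment below is constructed for a stand-alone run.
"""
import json
import re
from typing import Optional, Tuple

# First fixed release on each affected branch, per the advisory.
FIXED = {4: (4, 16, 18), 5: (5, 8, 22)}

# Accepts "5.8.21", "v5.8.21" and pre-release tags such as "4.0.0-RC1".
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-(?:RC|alpha|beta)[.\d]*)?$", re.IGNORECASE
)


def parse_version(version: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_prerelease) for a Craft version string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised craftcms/cms version string: {version!r}")
    nums = tuple(int(x) for x in m.groups())
    return (nums[0], nums[1], nums[2]), "-" in version


def is_vulnerable(version: str) -> Optional[bool]:
    """True if affected, False if fixed, None if outside the listed branches (e.g. 3.x)."""
    (major, minor, patch), prerelease = parse_version(version)
    fixed = FIXED.get(major)
    if fixed is None:
        return None
    # A pre-release tag of the fix version itself sorts below the final release,
    # so it is treated as not yet fixed.
    if (major, minor, patch) == fixed and prerelease:
        return True
    return (major, minor, patch) < fixed


def installed_craft_version(lock_json: str) -> Optional[str]:
    """Pull the craftcms/cms version out of a composer.lock document."""
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == "craftcms/cms":
                return pkg.get("version")
    return None


def check_lock(lock_json: str) -> str:
    """One-line verdict for a composer.lock document."""
    version = installed_craft_version(lock_json)
    if version is None:
        return "craftcms/cms not found in composer.lock"
    state = is_vulnerable(version)
    if state is None:
        return f"craftcms/cms {version}: not in an affected branch"
    return f"craftcms/cms {version}: {'VULNERABLE' if state else 'fixed'}"


# Constructed composer.lock fragment (not from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.8.21"},
        {"name": "yiisoft/yii2", "version": "2.0.49"},
    ],
    "packages-dev": [],
})


if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))  # → craftcms/cms 5.8.21: VULNERABLE
```

To run it against a real project, replace SAMPLE_LOCK with the contents of the project's composer.lock; composer.lock records the exact installed tag, which is more reliable than the constraint in composer.json.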
📡 Detection & Monitoring
Log Indicators:
- ORDER BY clauses in the database query log that contain subqueries, comments, or additional statements rather than plain column names
- Multiple failed login attempts to the Control Panel (exploitation needs an authenticated session, so credential attacks may precede it)
- POST requests to the element-indexes/get-elements action whose criteria[orderBy] value contains anything beyond attribute names, commas, and asc/desc
Network Indicators:
- Unusual database traffic patterns from web server
- SQL error messages in HTTP responses
SIEM Query:
source="web_logs" AND uri CONTAINS "element-indexes/get-elements" AND (body CONTAINS "UNION" OR body CONTAINS "SELECT" OR body CONTAINS "--" OR body CONTAINS ";")
Match the action path as a substring rather than an exact URI, since Craft action requests can be routed through the action trigger prefix or an action POST parameter. This keyword query is a coarse first pass: it fires on legitimate bodies that happen to contain "--" or ";", and it misses ORDER BY payloads that use neither UNION nor SELECT. Where the log pipeline can parse the body, alerting on any criteria[orderBy] value outside the expected attribute/direction grammar is both quieter and more complete.
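The allowlist grammar suggested under Input Validation Filter and the detection logic behind the SIEM query are the same check seen from two sides, so one added example covers both: a validator for criteria[orderBy] values and a triage pass that runs it over request logs. This is an added example for this page, not Craft CMS, vendor, or SIEM code. The sort-term grammar (attribute or table.column handle plus optional asc/desc), the assumed action path, the log record fields (uri, body), and the assumption that the logging layer captured POST bodies are all illustrative; the log records are constructed, not captured traffic. In a real deployment the same validator would be ported into the PHP layer that handles the request.

```python
"""Allowlist validation for Craft-style criteria[orderBy] values, and a triage
pass that applies it to request logs for the element-indexes/get-elements action.

Added example for this page, not Craft CMS or vendor code. The grammar, the
action path and the log records below are assumptions/constructed data.
"""
import json
import re
from typing import Dict, List
from urllib.parse import parse_qsl

# One sort term: attribute or table.column handle, optional direction.
# Assumed grammar for the example, not the CMS's own validation rule.
SORT_TERM = re.compile(
    r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?(\s+(asc|desc))?$",
    re.IGNORECASE,
)

# Keyword/structure hints from the page's SIEM query, used only to rank
# values that have already failed the allowlist.
SQLI_HINT = re.compile(r"(union|select|--|;|\(|\)|/\*)", re.IGNORECASE)


def order_by_is_safe(value: str) -> bool:
    """True if every comma-separated sort term matches the allowlist grammar."""
    terms = [t.strip() for t in value.split(",")]
    return all(terms) and all(SORT_TERM.match(t) for t in terms)


def order_by_values(body: str) -> List[str]:
    """Collect criteria[orderBy] values from a form-encoded POST body.

    Handles the scalar form criteria[orderBy]=title asc and the array form
    criteria[orderBy][title]=asc (column key and direction are checked together).
    """
    values = []
    for key, val in parse_qsl(body, keep_blank_values=True):
        if key == "criteria[orderBy]":
            values.append(val)
        elif key.startswith("criteria[orderBy]["):
            column = key[len("criteria[orderBy]["):].rstrip("]")
            values.append(f"{column} {val}".strip())
    return values


def triage(record: Dict[str, str]) -> Dict[str, object]:
    """Classify one log record: ignore / ok / suspect-medium / suspect-high."""
    if "element-indexes/get-elements" not in record.get("uri", ""):
        return {"verdict": "ignore", "order_by": []}
    values = order_by_values(record.get("body", ""))
    bad = [v for v in values if not order_by_is_safe(v)]
    if not bad:
        return {"verdict": "ok", "order_by": values}
    # Anything outside the grammar is reported; keyword hits only raise severity,
    # so a keyword-free payload is still surfaced (the SIEM query alone would miss it).
    severity = "high" if any(SQLI_HINT.search(v) for v in bad) else "medium"
    return {"verdict": f"suspect-{severity}", "order_by": bad}


def run(records: List[Dict[str, str]]) -> List[str]:
    """Verdict per record, in input order."""
    return [str(triage(r)["verdict"]) for r in records]


# Constructed log records (assumed action path; not captured traffic).
ACTION = "/actions/element-indexes/get-elements"
SAMPLE_LOGS = [
    {"uri": ACTION, "body": "elementType=craft%5Celements%5CEntry&criteria%5BorderBy%5D=dateCreated+desc"},
    {"uri": ACTION, "body": "criteria%5BorderBy%5D%5Btitle%5D=asc"},
    {"uri": ACTION, "body": "criteria%5BorderBy%5D=title%2C%28SELECT+1%29"},
    {"uri": ACTION, "body": "criteria%5BorderBy%5D=title+asc%3B+--+x"},
    {"uri": ACTION, "body": "criteria%5BorderBy%5D=elements.id%3D1"},
    {"uri": "/actions/users/login", "body": "loginName=admin"},
]


if __name__ == "__main__":
    for rec, verdict in zip(SAMPLE_LOGS, run(SAMPLE_LOGS)):
        print(f"{verdict:15} {json.dumps(rec['body'])}")
```

The fifth record is the reason to prefer the allowlist over keyword matching: elements.id=1 contains none of the SIEM query's keywords, yet it is not a sort expression and is still flagged. Anything the validator rejects is what the application-level workaround should refuse before the value is used to build a query.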