PT-2026-24686 · Craft Cms+2 · Cms+2
Neosprings · Published 2026-03-11 · Updated 2026-03-12 · CVE-2026-31858
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Craft versions prior to 5.9.9
Description
Craft is a content management system (CMS). The ElementSearchController::actionSearch() API endpoint lacks the unset() protection that was added to ElementIndexesController, so user-supplied query properties such as criteria[orderBy] reach the element query unfiltered. This results in a SQL injection issue: any authenticated control panel user can inject arbitrary SQL through criteria[where], criteria[orderBy], or other query properties, which allows the extraction of the full database contents via boolean-based blind injection.
Recommendations
Update to version 5.9.9 to resolve the issue.
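Until the update is rolled out, the parameters named above are easy to watch for at the web-server layer. The following is an added example (not Craft's code or the advisory's), a small access-log scanner that flags control-panel requests whose criteria array carries raw query properties; the log path and the extra key names beyond where and orderBy are assumptions.

```python
"""Constructed example: spot requests that pass raw query properties
(criteria[where], criteria[orderBy], ...) to a Craft element search call."""
import re
from urllib.parse import parse_qs, urlsplit

# Query properties a browser has no business sending. where and orderBy
# come from the advisory; the others are assumed to be in the same class.
RISKY_CRITERIA_KEYS = {"where", "orderBy", "select", "join", "groupBy", "having"}

# What a legitimate orderBy looks like: one column, optional direction.
SAFE_ORDERBY = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*(\s+(asc|desc))?$", re.I)
CRITERIA_KEY = re.compile(r"^criteria\[([^\]]+)\]$")
# Common Log Format; only the client address and request target are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')


def suspicious_criteria(target: str) -> list:
    """Return key=value pairs in the request target that hand SQL fragments
    to the element query. Any criteria[where] (or other risky key) is
    flagged; an orderBy is flagged only when it is not a plain column."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    flagged = []
    for key, values in query.items():
        m = CRITERIA_KEY.match(key)
        if not m or m.group(1) not in RISKY_CRITERIA_KEYS:
            continue
        for value in values:
            if m.group(1) != "orderBy" or not SAFE_ORDERBY.match(value):
                flagged.append(f"{key}={value}")
    return flagged


def scan_access_log(lines) -> list:
    """Return (client_ip, flagged_pairs) for every log line worth a look."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (flagged := suspicious_criteria(m.group("target"))):
            hits.append((m.group("ip"), flagged))
    return hits


# Constructed log lines; the path is a placeholder, not Craft's real route.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Mar/2026:10:00:01 +0000] "GET /admin/actions/search-placeholder?criteria%5BorderBy%5D=title+desc HTTP/1.1" 200 512',
    '203.0.113.9 - - [11/Mar/2026:10:00:07 +0000] "GET /admin/actions/search-placeholder?criteria%5Bwhere%5D=1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [11/Mar/2026:10:00:09 +0000] "GET /admin/actions/search-placeholder?criteria%5BorderBy%5D=id%2C%28foo%29 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, flagged in scan_access_log(SAMPLE_LOG):
        print(ip, flagged)
```

The first sample line is a normal sort and is not reported; the two from 203.0.113.9 are, because criteria[where] should never come from the UI and the orderBy value is not a column reference.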
Exploit
Fix
SQL injection
Weakness Enumeration
Related Identifiers
Affected Products
Cms
Craft Cms
Craftcms/Cms