PT-2026-7145 · Craft · Craft

Mhe4Am · Published 2026-02-09 · Updated 2026-02-11 · CVE-2026-25495

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
Craft versions 4.0.0-RC1 through 4.16.17
Craft versions 5.0.0-RC1 through 5.8.21

Description
Craft is a platform for creating digital experiences. The element-indexes/get-elements API endpoint is susceptible to SQL injection via the criteria[orderBy] parameter within the JSON body. The application does not properly sanitize input received through this parameter before using it in database queries. An authenticated attacker with Control Panel access can inject arbitrary SQL into the ORDER BY clause by omitting viewState[order] or setting both to the same payload.
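As an added defensive illustration (not Craft's code and not the vendor's actual fix), the Python below shows the mitigation pattern for this class of bug: a sort expression taken from a JSON body field like criteria[orderBy] is parsed into column/direction pairs and checked against an allowlist before any ORDER BY clause is built, so request text is never interpolated into SQL. The column allowlist, the request bodies and the function names are constructed assumptions.

```python
import json
import re

# Constructed allowlist of sortable columns; a real application would derive
# this from its schema or element type definition (assumption, not Craft's).
ALLOWED_COLUMNS = {"id", "title", "dateCreated", "dateUpdated"}

# One identifier, optionally followed by a direction, and nothing else.
_TERM_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)(?:\s+(asc|desc))?\s*$", re.I)

class UnsafeOrderBy(ValueError):
    """Raised when the supplied orderBy value is not on the allowlist."""

def parse_order_by(value):
    """Parse 'col1 desc, col2' into [(column, DIRECTION), ...], accepting only
    allowlisted columns and ASC/DESC. Any other token raises, so nothing
    outside the allowlist can reach the query."""
    terms = []
    for raw in value.split(","):
        match = _TERM_RE.match(raw)
        if not match:
            raise UnsafeOrderBy(f"malformed orderBy term: {raw!r}")
        column, direction = match.group(1), (match.group(2) or "ASC").upper()
        if column not in ALLOWED_COLUMNS:
            raise UnsafeOrderBy(f"column not sortable: {column!r}")
        terms.append((column, direction))
    return terms

def order_by_from_request(body):
    """Build an ORDER BY clause from a JSON request body whose criteria.orderBy
    field mirrors the parameter named in the advisory. Emitted identifiers are
    the allowlisted names, never the request text itself."""
    criteria = json.loads(body).get("criteria") or {}
    order_by = criteria.get("orderBy")
    if order_by is None:
        return "ORDER BY id ASC"  # default sort when the field is absent
    if not isinstance(order_by, str):
        raise UnsafeOrderBy("orderBy must be a string")
    terms = parse_order_by(order_by)
    return "ORDER BY " + ", ".join(f"{col} {dirn}" for col, dirn in terms)

if __name__ == "__main__":
    # Constructed request bodies: one valid, one naming a non-allowlisted column.
    print(order_by_from_request('{"criteria": {"orderBy": "title desc, dateCreated"}}'))
    try:
        order_by_from_request('{"criteria": {"orderBy": "title, notAColumn"}}')
    except UnsafeOrderBy as exc:
        print("rejected:", exc)
```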

Recommendations
Update to Craft version 4.16.18 or later.
Update to Craft version 5.8.22 or later.

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-25495
GHSA-2453-MPPF-46CJ

Affected Products

Craft