9 matches found
CVE-2026-31858
Craft is a content management system CMS. The ElementSearchController::actionSearch endpoint is missing the unset protection that was added to ElementIndexesController in CVE-2026-25495. The exact same SQL injection vulnerability including criteriaorderBy, the original advisory vector works on th...
CVE-2026-31858
CraftCMS is affected by a blind SQL injection in ElementSearchController::actionSearch(), where unset() protection added to ElementIndexesController in CVE-2026-25495 was not applied. This allows any authenticated control panel user to inject arbitrary SQL via criteria[where], criteria[orderBy], ...
CVE-2026-31858 CraftCMS's `ElementSearchController` Affected by Blind SQL Injection
Craft is a content management system CMS. The ElementSearchController::actionSearch endpoint is missing the unset protection that was added to ElementIndexesController in CVE-2026-25495. The exact same SQL injection vulnerability including criteriaorderBy, the original advisory vector works on th...
CVE-2026-31858 CraftCMS's `ElementSearchController` Affected by Blind SQL Injection
Craft is a content management system CMS. The ElementSearchController::actionSearch endpoint is missing the unset protection that was added to ElementIndexesController in CVE-2026-25495. The exact same SQL injection vulnerability including criteriaorderBy, the original advisory vector works on th...
CVE-2026-31858 CraftCMS's `ElementSearchController` Affected by Blind SQL Injection
Craft is a content management system CMS. The ElementSearchController::actionSearch endpoint is missing the unset protection that was added to ElementIndexesController in CVE-2026-25495. The exact same SQL injection vulnerability including criteriaorderBy, the original advisory vector works on th...
CVE-2026-31858
Craft is a content management system CMS. The ElementSearchController::actionSearch endpoint is missing the unset protection that was added to ElementIndexesController in CVE-2026-25495. The exact same SQL injection vulnerability including criteriaorderBy, the original advisory vector works on th...
SQL Injection
Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to SQL Injection via the actionSearch process in ElementSearchController. An attacker can execute arbitrary SQL commands and extract database contents by injecting malicious input into...
EUVD-2026-11259
CraftCMS's ElementSearchController Affected by Blind SQL Injection...
PT-2026-24686
Craft is a content management system CMS. The ElementSearchController::actionSearch endpoint is missing the unset protection that was added to ElementIndexesController in CVE-2026-25495. The exact same SQL injection vulnerability including criteriaorderBy, the original advisory vector works on th...