6 matches found
SQL Injection
Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to SQL Injection via the actionSearch process in ElementSearchController. An attacker can execute arbitrary SQL commands and extract database contents by injecting malicious input into...
CVE-2026-25495
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteriaorderBy parameter JSON body. The application fails to sanitize this input before...
SQL Injection
Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to SQL Injection via the criteriaorderBy parameter in the JSON body provided to the element-indexes/get-elements endpoint. A user with Control Panel permission can execute SQL commands by...
CVE-2026-25495 Craft has a SQL Injection in Element Indexes via criteria[orderBy]
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteriaorderBy parameter JSON body. The application fails to sanitize this input before...
PT-2026-7145
Name of the Vulnerable Software and Affected Versions Craft versions 4.0.0-RC1 through 4.16.17 Craft versions 5.0.0-RC1 through 5.8.21 Description Craft is a platform for creating digital experiences. The element-indexes/get-elements API endpoint is susceptible to SQL Injection via the...
Craft CMS SQL注入漏洞
Craft CMS is an open-source content management system developed by Craft CMS. Versions 4.0.0-RC1 to 4.16.17, and 5.0.0-RC1 to 5.8.21 of Craft CMS have SQL injection vulnerabilities. These vulnerabilities stem from improper cleaning of the criteriaorderBy parameter input, which may lead to SQL...