CVE-2026-31858
Missing protection in ElementSearchController in Craft CMS allows authenticated users to perform SQL injection, leading to leakage of data from the database.
Craft is a content management system (CMS). The ElementSearchController::actionSearch() endpoint is missing the unset() protection that was added to ElementIndexesController in CVE-2026-25495. The exact same SQL injection vulnerability (including criteria[orderBy], the original advisory vector) works on this controller because the fix was never applied to it. Any authenticated control panel user (no admin required) can inject arbitrary SQL via criteria[where], criteria[orderBy], or other query properties, and extract the full database contents via boolean-based blind injection. Users should update to the patched 5.9.9 release to mitigate the issue.
| Source | Value |
|---|---|
| NVD – CVSS | 8.8 |
| CISA KEV (actively exploited) | No |
| FIRST EPSS (exploit probability) | 0.0% |
| Published (NVD) | 2026-03-11 18:16:24 UTC |
| Last modified (NVD) | 2026-03-17 14:05:38 UTC |
- https://github.com/craftcms/cms/commit/e1a3dd669ae31491b86ad996e88a1d30d33d9a42 (security-advisories@github.com) [Patch]
- https://github.com/craftcms/cms/security/advisories/GHSA-g7j6-fmwx-7vp8 (security-advisories@github.com) [Patch, Vendor Advisory]