Web Application Vulnerabilities Runtime SCA Findings
Looking for the vulnerability index of Invicti's legacy products?
Invicti Enterprise Acunetix Standard & Premium
Craft CMS Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) Vulnerability - CVE-2026-25495 - Vulnerability Database
Craft CMS

Craft CMS Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) Vulnerability - CVE-2026-25495

High
Reference: CVE-2026-25495
NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2026-25495
Title: Craft CMS Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) Vulnerability
Overview:

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21 the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteriaorderBy parameter (JSON body). The application fails to sanitize this input before using it in the database query. An attacker with Control Panel access can inject arbitrary SQL into the ORDER BY clause by omitting viewStateorder (or setting both to the same payload). This issue is patched in versions 4.16.18 and 5.8.22.