Cyber Resilience

CVE-2026-25495

HighPublic PoC

Published: 09 February 2026

Published
09 February 2026
Modified
19 February 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0050 39.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-25495 is a high-severity SQL Injection (CWE-89) vulnerability in Craftcms Craft Cms. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25495 is a SQL injection vulnerability (CWE-89) in Craft, a platform for creating digital experiences. The flaw affects the element-indexes/get-elements endpoint, where the application fails to sanitize the criteria[orderBy] parameter from the JSON body before incorporating it into a database query, specifically the ORDER BY clause. Vulnerable versions include Craft 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

Attackers with Control Panel access can exploit the vulnerability by injecting arbitrary SQL payloads into the criteria[orderBy] parameter, either by omitting the viewState[order] parameter or setting both to the same payload. This allows execution of unauthorized SQL queries via the ORDER BY clause, enabling data exfiltration, modification, or denial of service, aligning with the high confidentiality, integrity, and availability impacts in the CVSS score.

Craft has addressed the vulnerability in versions 4.16.18 and 5.8.22. Administrators should upgrade to these patched releases immediately. Additional details are available in the GitHub security advisory (https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj), the fixing commit (https://github.com/craftcms/cms/commit/96c60d775c644ff0a0276da52fe29e11d4cd38d2), and the 5.8.22 release notes (https://github.com/craftcms/cms/releases/tag/5.8.22).

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (JSON body). The application fails to sanitize this input before…

more

using it in the database query. An attacker with Control Panel access can inject arbitrary SQL into the ORDER BY clause by omitting viewState[order] (or setting both to the same payload). This issue is patched in versions 4.16.18 and 5.8.22.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in Craft CMS web application endpoint directly enables T1190 Exploit Public-Facing Application (authenticated Control Panel access with AV:N vector allows arbitrary SQL for exfil/modification/DoS).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-31858Same product: Craftcms Craft Cms
CVE-2026-25498Same product: Craftcms Craft Cms
CVE-2025-68455Same product: Craftcms Craft Cms
CVE-2025-23209Same product: Craftcms Craft Cms
CVE-2026-28696Same product: Craftcms Craft Cms
CVE-2026-28695Same product: Craftcms Craft Cms
CVE-2026-31857Same product: Craftcms Craft Cms
CVE-2026-25497Same product: Craftcms Craft Cms
CVE-2026-32267Same product: Craftcms Craft Cms
CVE-2025-68456Same product: Craftcms Craft Cms

Affected Assets

craftcms
craft cms
4.0.0, 5.0.0 · 4.0.0 — 4.16.18 · 5.0.0 — 5.8.22

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents SQL injection by validating and sanitizing unsanitized inputs like the criteria[orderBy] parameter before incorporation into database queries.

prevent

Addresses the vulnerability by requiring timely remediation through patching to fixed versions 4.16.18 or 5.8.22.

detect

Identifies SQL injection flaws like CVE-2026-25495 via regular vulnerability scanning of the application.

References