CVE-2026-31858
Published: 11 March 2026
Summary
CVE-2026-31858 is a high-severity SQL injection (CWE-89) vulnerability in Craft CMS (vendor: craftcms). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 11.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mandates identifying, prioritizing, and remediating the SQL injection flaw in the Craft CMS ElementSearchController by applying the patch, i.e. updating to version 5.9.9.
- SI-10 (Information Input Validation): Requires validating user inputs to the actionSearch() endpoint, such as criteria[where] and criteria[orderBy], to block SQL injection attacks.
- SI-10 (Information Input Validation): Enforces limits on input types, sizes, and formats to reject malformed query parameters that enable boolean-based blind SQL injection.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a publicly accessible Craft CMS control panel endpoint directly enables exploitation of the web application (T1190); blind SQLi payloads allow arbitrary queries against the backend database, including collection of credentials and other stored data (T1213.006).
NVD Description
Craft is a content management system (CMS). The ElementSearchController::actionSearch() endpoint is missing the unset() protection that was added to ElementIndexesController in CVE-2026-25495. The exact same SQL injection vulnerability (including criteria[orderBy], the original advisory vector) works on this controller because the fix was never applied to it. Any authenticated control panel user (no admin required) can inject arbitrary SQL via criteria[where], criteria[orderBy], or other query properties, and extract the full database contents via boolean-based blind injection. Users should update to the patched 5.9.9 release to mitigate the issue.
Deeper analysis
CVE-2026-31858 is a SQL injection vulnerability in Craft, a content management system (CMS). It affects the ElementSearchController::actionSearch() endpoint, which lacks the unset() protection implemented in ElementIndexesController as part of the fix for CVE-2026-25495. This allows the same injection vectors, such as criteria[orderBy], to be exploited, enabling arbitrary SQL injection through parameters like criteria[where] or other query properties. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-89.
Any authenticated user with access to the Craft control panel—no administrative privileges required—can exploit this vulnerability remotely over the network with low complexity. Attackers can inject malicious SQL payloads to extract the full database contents using boolean-based blind injection techniques, potentially compromising sensitive data such as user credentials, content, or configuration details.
The official mitigation, as detailed in the Craft CMS security advisory (GHSA-g7j6-fmwx-7vp8) and corresponding GitHub commit (e1a3dd669ae31491b86ad996e88a1d30d33d9a42), is to update to the patched version 5.9.9, which applies the necessary protections to the ElementSearchController.
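As an added illustration of the unset() protection the advisory describes (example code, not Craft CMS's own), the PHP below strips the raw-SQL query properties from request-supplied criteria before they are applied to an element query. The function name sanitizeCriteria and the key list beyond where and orderBy are assumptions; the page names only those two ("or other query properties").

```php
<?php
// Added illustration (not Craft CMS code). A control panel search endpoint
// receives criteria[...] as an array of element-query properties. A few of
// those properties are handed to the query builder as raw SQL fragments, so
// they must be removed before the array is applied to the query. Keeping this
// in one shared helper, used by every controller that accepts criteria, is the
// point: this CVE exists because the fix was applied to one controller and not
// to another.

/** Query properties that must never be settable from request input (assumed list). */
const UNSAFE_CRITERIA_KEYS = [
    'where', 'orderBy',                       // named on the page
    'select', 'groupBy', 'having', 'join',    // assumed: other raw-SQL properties
];

/**
 * Drop raw-SQL properties from request-supplied criteria and report which
 * keys were removed so the event can be logged.
 *
 * @param array $criteria decoded criteria[...] request parameter
 * @return array{0: array, 1: string[]} [sanitized criteria, removed keys]
 */
function sanitizeCriteria(array $criteria): array
{
    $removed = [];
    foreach (UNSAFE_CRITERIA_KEYS as $key) {
        if (array_key_exists($key, $criteria)) {
            unset($criteria[$key]);
            $removed[] = $key;
        }
    }
    return [$criteria, $removed];
}

// Constructed sample request: legitimate filters plus a request-controlled
// orderBy, which must not reach the query builder even when it looks harmless.
$request = [
    'section' => 'news',
    'status'  => 'live',
    'orderBy' => 'title ASC',
];

[$safe, $removed] = sanitizeCriteria($request);
if ($removed !== []) {
    // Detection hook: a client sending these keys to a search endpoint is a
    // strong indicator of probing and is worth alerting on, not just dropping.
    error_log('criteria keys stripped from search request: ' . implode(',', $removed));
}
```

Sorting and filtering the caller legitimately needs should be exposed through dedicated, validated parameters mapped server-side to fixed column names, rather than by letting the request set orderBy or where directly.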
Details
- CWE(s)