Cyber Resilience

CVE-2026-31858

High

Published: 11 March 2026

Published
11 March 2026
Modified
17 March 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0035 26.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-31858 is a high-severity SQL Injection (CWE-89) vulnerability in Craftcms Craft Cms. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31858 is a SQL injection vulnerability in Craft, a content management system (CMS). It affects the ElementSearchController::actionSearch() endpoint, which lacks the unset() protection implemented in ElementIndexesController as part of the fix for CVE-2026-25495. This allows the same injection vectors, such as criteria[orderBy], to be exploited, enabling arbitrary SQL injection through parameters like criteria[where] or other query properties. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-89.

Any authenticated user with access to the Craft control panel—no administrative privileges required—can exploit this vulnerability remotely over the network with low complexity. Attackers can inject malicious SQL payloads to extract the full database contents using boolean-based blind injection techniques, potentially compromising sensitive data such as user credentials, content, or configuration details.

The official mitigation, as detailed in the Craft CMS security advisory (GHSA-g7j6-fmwx-7vp8) and corresponding GitHub commit (e1a3dd669ae31491b86ad996e88a1d30d33d9a42), is to update to the patched version 5.9.9, which applies the necessary protections to the ElementSearchController.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Craft is a content management system (CMS). The ElementSearchController::actionSearch() endpoint is missing the unset() protection that was added to ElementIndexesController in CVE-2026-25495. The exact same SQL injection vulnerability (including criteria[orderBy], the original advisory vector) works on this controller because the…

more

fix was never applied to it. Any authenticated control panel user (no admin required) can inject arbitrary SQL via criteria[where], criteria[orderBy], or other query properties, and extract the full database contents via boolean-based blind injection. Users should update to the patched 5.9.9 release to mitigate the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in publicly accessible Craft CMS control panel endpoint directly enables exploitation of the web application (T1190); blind SQLi payloads allow arbitrary queries against backend database for data collection including credentials (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25495Same product: Craftcms Craft Cms
CVE-2026-25498Same product: Craftcms Craft Cms
CVE-2025-68455Same product: Craftcms Craft Cms
CVE-2025-23209Same product: Craftcms Craft Cms
CVE-2026-28696Same product: Craftcms Craft Cms
CVE-2026-28695Same product: Craftcms Craft Cms
CVE-2026-31857Same product: Craftcms Craft Cms
CVE-2026-25497Same product: Craftcms Craft Cms
CVE-2026-32267Same product: Craftcms Craft Cms
CVE-2025-68456Same product: Craftcms Craft Cms

Affected Assets

craftcms
craft cms
5.0.0 · 5.0.1 — 5.9.9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates identifying, prioritizing, and remediating the SQL injection flaw in Craft CMS ElementSearchController by applying the patch to version 5.9.9.

prevent

Requires validating user inputs to the actionSearch() endpoint, such as criteria[where] and criteria[orderBy], to block SQL injection attacks.

prevent

Enforces limits on input types, sizes, and formats to reject malformed query parameters that enable boolean-based blind SQL injection.

References