CVE-2026-31858

UNKNOWN 0.0

CraftCMS's `ElementSearchController` Affected by Blind SQL Injection

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Craft is a content management system (CMS). The ElementSearchController::actionSearch() endpoint is missing the unset() protection that was added to ElementIndexesController in CVE-2026-25495. The exact same SQL injection vulnerability (including criteria[orderBy], the original advisory vector) works on this controller because the fix was never applied to it. Any authenticated control panel user (no admin required) can inject arbitrary SQL via criteria[where], criteria[orderBy], or other query properties, and extract the full database contents via boolean-based blind injection. Users should update to the patched 5.9.9 release to mitigate the issue.

CWE	CWE-89
Vendor	craftcms
Product	cms
Published	Mar 11, 2026
Last Updated	Mar 12, 2026

Stay Ahead of the Next One

Get instant alerts for craftcms cms

Be the first to know when new unknown vulnerabilities affecting craftcms cms are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

craftcms / cms

>= 5.0.0-RC1, <= 5.9.8

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/craftcms/cms/security/advisories/GHSA-g7j6-fmwx-7vp8 github.com: https://github.com/craftcms/cms/commit/e1a3dd669ae31491b86ad996e88a1d30d33d9a42