CVE-2026-31858
Received Received - Intake
SQL Injection in Craft CMS ElementSearchController Allows Data Extraction

Publication date: 2026-03-11

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
Craft is a content management system (CMS). The ElementSearchController::actionSearch() endpoint is missing the unset() protection that was added to ElementIndexesController in CVE-2026-25495. The exact same SQL injection vulnerability (including criteria[orderBy], the original advisory vector) works on this controller because the fix was never applied to it. Any authenticated control panel user (no admin required) can inject arbitrary SQL via criteria[where], criteria[orderBy], or other query properties, and extract the full database contents via boolean-based blind injection. Users should update to the patched 5.9.9 release to mitigate the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31858
EUVD
EUVD-2026-11259
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
craftcms craft_cms 5.0.0
craftcms craft_cms 5.0.0
craftcms craft_cms From 5.0.1 (inc) to 5.9.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-31858 is a high-severity SQL injection vulnerability in the Craft CMS, specifically in the ElementSearchController::actionSearch() endpoint.

The vulnerability exists because this endpoint lacks the unset() protection that was added to a similar controller in a previous advisory, allowing attackers to inject arbitrary SQL commands.

Any authenticated control panel user, without needing admin privileges, can exploit this by injecting SQL through parameters like criteria[where], criteria[orderBy], or other query properties.

This injection enables boolean-based blind SQL injection attacks, allowing extraction of the full database contents.

The issue was fixed by sanitizing the query criteria inputs using a cleansing function to remove unsafe attributes, and the fix was released in version 5.9.9.

Impact Analysis

This vulnerability allows any authenticated control panel user to perform SQL injection attacks, which can lead to unauthorized access to the entire database.

Attackers can extract sensitive data by exploiting boolean-based blind SQL injection, potentially compromising confidential information stored in the CMS.

Since no admin privileges are required, the attack surface is broader, increasing the risk of data breaches and manipulation.

To mitigate this risk, users should update to Craft CMS version 5.9.9 or later, where the vulnerability has been patched.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability is a blind SQL injection in the ElementSearchController::actionSearch() endpoint of Craft CMS, exploitable by any authenticated control panel user via parameters such as criteria[where] and criteria[orderBy].'}, {'type': 'paragraph', 'content': 'To detect this vulnerability on your system, you can attempt to test the affected endpoint by sending crafted HTTP requests to the actionSearch() endpoint with SQL injection payloads in the criteria parameters and observe if boolean-based blind SQL injection responses occur.'}, {'type': 'paragraph', 'content': 'Example commands using curl to test for SQL injection might include:'}, {'type': 'list_item', 'content': "curl -X POST -d 'criteria[where]=1=1--' https://your-craftcms-site.com/actions/element-search/search"}, {'type': 'list_item', 'content': "curl -X POST -d 'criteria[orderBy]=id; DROP TABLE users;--' https://your-craftcms-site.com/actions/element-search/search"}, {'type': 'paragraph', 'content': 'Note that these commands should be used carefully in a controlled environment and only on systems you have permission to test. Monitoring logs for unusual query parameters or unexpected database errors related to these criteria parameters can also help detect exploitation attempts.'}] [1, 2]

Mitigation Strategies

The primary and immediate mitigation step is to update Craft CMS to version 5.9.9 or later, where the vulnerability has been fixed by sanitizing the query criteria inputs in the ElementSearchController.

Until the update can be applied, restrict access to the control panel to trusted users only, as any authenticated user can exploit this vulnerability without admin privileges.

Additionally, monitor your system for suspicious activity involving the criteria parameters in requests to the element search endpoint.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31858. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart