{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31858", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T19:02:25.011Z", "datePublished": "2026-03-11T17:35:07.438Z", "dateUpdated": "2026-03-12T14:01:14.728Z"}, "containers": {"cna": {"title": "CraftCMS's `ElementSearchController` Affected by Blind SQL Injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/craftcms/cms/security/advisories/GHSA-g7j6-fmwx-7vp8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-g7j6-fmwx-7vp8"}, {"name": "https://github.com/craftcms/cms/commit/e1a3dd669ae31491b86ad996e88a1d30d33d9a42", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/commit/e1a3dd669ae31491b86ad996e88a1d30d33d9a42"}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"version": ">= 5.0.0-RC1, <= 5.9.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T17:35:07.438Z"}, "descriptions": [{"lang": "en", "value": "Craft is a content management system (CMS). The ElementSearchController::actionSearch() endpoint is missing the unset() protection that was added to ElementIndexesController in CVE-2026-25495. The exact same SQL injection vulnerability (including criteria[orderBy], the original advisory vector) works on this controller because the fix was never applied to it. Any authenticated control panel user (no admin required) can inject arbitrary SQL via criteria[where], criteria[orderBy], or other query properties, and extract the full database contents via boolean-based blind injection. Users should update to the patched 5.9.9 release to mitigate the issue."}], "source": {"advisory": "GHSA-g7j6-fmwx-7vp8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T14:01:02.909743Z", "id": "CVE-2026-31858", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T14:01:14.728Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31858", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-12T14:01:02.909743Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T14:01:08.639Z"}}], "cna": {"title": "CraftCMS's `ElementSearchController` Affected by Blind SQL Injection", "source": {"advisory": "GHSA-g7j6-fmwx-7vp8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"status": "affected", "version": ">= 5.0.0-RC1, <= 5.9.8"}]}], "references": [{"url": "https://github.com/craftcms/cms/security/advisories/GHSA-g7j6-fmwx-7vp8", "name": "https://github.com/craftcms/cms/security/advisories/GHSA-g7j6-fmwx-7vp8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/craftcms/cms/commit/e1a3dd669ae31491b86ad996e88a1d30d33d9a42", "name": "https://github.com/craftcms/cms/commit/e1a3dd669ae31491b86ad996e88a1d30d33d9a42", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Craft is a content management system (CMS). The ElementSearchController::actionSearch() endpoint is missing the unset() protection that was added to ElementIndexesController in CVE-2026-25495. The exact same SQL injection vulnerability (including criteria[orderBy], the original advisory vector) works on this controller because the fix was never applied to it. Any authenticated control panel user (no admin required) can inject arbitrary SQL via criteria[where], criteria[orderBy], or other query properties, and extract the full database contents via boolean-based blind injection. Users should update to the patched 5.9.9 release to mitigate the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T17:35:07.438Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31858", "state": "PUBLISHED", "dateUpdated": "2026-03-12T14:01:14.728Z", "dateReserved": "2026-03-09T19:02:25.011Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T17:35:07.438Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "2C927EB8-ADF2-4A0A-ADA9-8B6C8230D114", "versionEndExcluding": "5.9.9", "versionStartIncluding": "5.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "1C7461CF-35AB-48E1-88B6-956DAE1D2AB4", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "8D8E02D1-601A-4E2B-B619-4775BFDB72D0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Craft is a content management system (CMS). The ElementSearchController::actionSearch() endpoint is missing the unset() protection that was added to ElementIndexesController in CVE-2026-25495. The exact same SQL injection vulnerability (including criteria[orderBy], the original advisory vector) works on this controller because the fix was never applied to it. Any authenticated control panel user (no admin required) can inject arbitrary SQL via criteria[where], criteria[orderBy], or other query properties, and extract the full database contents via boolean-based blind injection. Users should update to the patched 5.9.9 release to mitigate the issue."}, {"lang": "es", "value": "Craft es un sistema de gesti\u00f3n de contenido (CMS). El punto final ElementSearchController::actionSearch() carece de la protecci\u00f3n unset() que se a\u00f1adi\u00f3 a ElementIndexesController en CVE-2026-25495. Exactamente la misma vulnerabilidad de inyecci\u00f3n SQL (incluyendo criteria[orderBy], el vector de aviso original) funciona en este controlador porque la soluci\u00f3n nunca se le aplic\u00f3. Cualquier usuario autenticado del panel de control (no se requiere administrador) puede inyectar SQL arbitrario a trav\u00e9s de criteria[where], criteria[orderBy], u otras propiedades de consulta, y extraer el contenido completo de la base de datos a trav\u00e9s de inyecci\u00f3n ciega basada en booleanos. Los usuarios deben actualizar a la versi\u00f3n 5.9.9 parcheada para mitigar el problema."}], "id": "CVE-2026-31858", "lastModified": "2026-03-17T14:05:38.050", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-11T18:16:24.527", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/craftcms/cms/commit/e1a3dd669ae31491b86ad996e88a1d30d33d9a42"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-g7j6-fmwx-7vp8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0-RC1,5.9.8]"}}], "enrichment": {"confidence": 83.0, "confidence_source": "matching", "scores": [{"score": 83.0, "source": "matching"}]}, "original": {"product": "cms", "source": "cna", "vendor": "craftcms"}, "product": "craftcms", "vendor": "craftcms"}], "analysis": {"en": {"generated_at": "2026-03-17T17:09:28.975079+00:00", "value": {"mitigation_remediation": ["Apply the CraftCMS update to version 5.9.9 or newer to remove the SQL injection flaw.", "If an immediate upgrade is not possible, remove or disable all authenticated control panel user accounts with search access until the patch is applied.", "Monitor database and control\u2011panel logs for unusual query activity that could indicate an attempt to exploit the blind SQL injection vulnerability."], "summary": {"action": "Patch Now", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "The issue affects CraftCMS distributions listed under the CPEs cpe:2.3:a:craftcms:craft_cms:5.0.0 and cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1, as well as other versions prior to the 5.9.9 release, which contains the proper patch. Any enabled element search endpoint that has not been updated to 5.9.9 or newer is vulnerable.", "description_and_impact": "CraftCMS\u2019s ElementSearchController::actionSearch() endpoint is missing a critical unset() protection that was added to a similar controller, allowing an authenticated control\u2011panel user to inject arbitrary SQL through criteria[where], criteria[orderBy], or other query properties. The vulnerability enables boolean\u2011based blind SQL injection that can retrieve the entire database, resulting in a full data compromise. This weakness reflects CWE-89 and carries a CVSS score of 8.7.", "risk_and_exploitability": "The CVSS score indicates a high severity, while the EPSS score of less than 1% suggests that exploitation is currently uncommon. The vulnerability requires authentication to the CraftCMS control panel but does not require administrative privileges, making the attack vector accessible to a wide range of users. Although the exploitation complexity is moderate, the potential impact on data confidentiality and integrity is significant. The vulnerability is not listed in CISA\u2019s KEV catalog, indicating it has not yet been widely exploited in the wild."}}}}, "created": "2026-03-12T09:57:35.663871+00:00", "updated": "2026-03-20T15:30:13.046954+00:00", "vendors": ["craftcms", "craftcms$PRODUCT$craftcms"]}