CNNVD-202602-1293 Information

CNNVD ID

CNNVD-202602-1293

Related CVE

CVE-2026-25495

• CNNVD Published: 2026-02-09

Description (Chinese)

Craft CMS是Craft CMS开源的一套内容管理系统（CMS）。 Craft CMS 4.0.0-RC1版本至4.16.17版本和5.0.0-RC1版本至5.8.21版本存在SQL注入漏洞，该漏洞源于criteria[orderBy]参数输入清理不当，可能导致SQL注入攻击。

Description (English)

Craft CMS is an open-source CMS content management system. Craft CMS Versions 4.0.0-RC1 to 4.16.17 and 5.0.0-RC1 to 5.8.21 contain a SQL injection loophole, which stems from the inappropriate clean-up of the criteria [orderBy] parameter, which may result in an SQL injection attack.

Vulnerability Type

SQL注入

Affected Vendor

Craft CMS

Published

2026-02-09

Last Modified

2026-02-24

References

https://github.com/craftcms/cms/commit/96c60d775c644ff0a0276da52fe29e11d4cd38d2 https://github.com/craftcms/cms/releases/tag/5.8.22 https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj

Patch

https://github.com/craftcms/cms/releases