
CVE-2026-25495: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in craftcms cms

Severity: High
Tags: vulnerability, CVE-2026-25495, CWE-89
Published: Mon Feb 09 2026 (02/09/2026, 19:42:57 UTC)
Source: CVE Database V5
Vendor/Project: craftcms
Product: cms

Description

CVE-2026-25495 is a high-severity SQL injection vulnerability in Craft CMS versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21. The flaw exists in the element-indexes/get-elements endpoint, specifically via the criteria[orderBy] parameter in the JSON request body, which is not properly sanitized before being used in an SQL ORDER BY clause.

AI-Powered Analysis

Last updated: 02/17/2026, 09:45:16 UTC

Technical Analysis

CVE-2026-25495 is a SQL injection vulnerability (CWE-89) in Craft CMS, a widely used PHP content management system. The Control Panel endpoint element-indexes/get-elements accepts a JSON request body whose criteria[orderBy] value is used to build the ORDER BY clause of the element query. ORDER BY is a position where bound parameters cannot be used, so the only safe handling is to restrict the value to an allowlist of sortable columns and sort directions; the affected versions instead pass the value through without adequate validation. The injection is reachable when viewState[order] is omitted from the request, or when viewState[order] and criteria[orderBy] both carry the same attacker-controlled value. Exploitation requires an authenticated Control Panel account. Because an ORDER BY expression may contain subqueries, a conditional sort expression can be used as a boolean oracle to read data from other tables, so the realistic outcomes are unauthorized data access, data modification, and denial of service through expensive or failing queries. Affected versions are 4.0.0-RC1 up to but not including 4.16.18, and 5.0.0-RC1 up to but not including 5.8.22. The CVSS 4.0 base score is 8.7 (High): network attack vector, low attack complexity, no user interaction, privileges required (a Control Panel account), and high impact on confidentiality, integrity, and availability. No exploitation in the wild has been reported at the time of writing, but an authenticated SQL injection in a widely deployed CMS is a significant risk if left unpatched.
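As an added illustration of the bug class described above (this is example code, not Craft's code, and not an exploit for CVE-2026-25495), the following Python/SQLite program shows a client-controlled sort expression spliced into ORDER BY, how a subquery in that position turns row order into a yes/no oracle about data in an unrelated table, and an allowlist parser that removes the injection point instead of trying to sanitise it. The schema, rows, column names and the SORTABLE_COLUMNS allowlist are all constructed for the example.

```python
import re
import sqlite3

# Columns a client may sort by. Constructed allowlist for this example.
SORTABLE_COLUMNS = {"id", "title", "dateCreated"}


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample data (not Craft's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE elements (id INTEGER PRIMARY KEY, title TEXT, dateCreated TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, passwordHash TEXT);
        INSERT INTO elements VALUES (1, 'Home', '2026-01-01'),
                                    (2, 'About', '2026-01-02'),
                                    (3, 'Contact', '2026-01-03');
        INSERT INTO users VALUES (1, 'admin@example.test', '$2y$13$constructed-hash-value');
        """
    )
    return conn


def get_elements_vulnerable(conn: sqlite3.Connection, order_by: str) -> list[tuple]:
    """The bug class: the caller-supplied sort expression is concatenated into
    ORDER BY. A bound parameter cannot be used here, so this is a real injection point."""
    sql = f"SELECT id, title FROM elements ORDER BY {order_by}"
    return conn.execute(sql).fetchall()


def oracle_payload(guess: str) -> str:
    """Constructed payload against the toy schema: a conditional sort expression whose
    direction depends on one character of another table's data (boolean-based blind)."""
    return (
        "(CASE WHEN (SELECT substr(passwordHash, 1, 1) FROM users WHERE id = 1) = "
        f"'{guess}' THEN id ELSE -id END)"
    )


def first_char_is(conn: sqlite3.Connection, guess: str) -> bool:
    """Ascending ids mean the CASE took the THEN branch, i.e. the guess was right."""
    rows = get_elements_vulnerable(conn, oracle_payload(guess))
    return rows[0][0] == 1


class InvalidOrderBy(ValueError):
    """Raised when a client-supplied sort specification is not on the allowlist."""


# One sort term: an identifier optionally followed by asc/desc. Nothing else.
_TERM = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)(?:\s+(asc|desc))?\s*$", re.IGNORECASE)


def build_order_by(order_by: str) -> str:
    """Reduce free-form input to '"<allowed column>" ASC|DESC' terms. Parentheses,
    subqueries, operators and unknown columns are rejected, never "cleaned", so no
    attacker-supplied text ever reaches the SQL string."""
    terms = []
    for raw in order_by.split(","):
        m = _TERM.match(raw)
        if not m:
            raise InvalidOrderBy(f"malformed sort term: {raw!r}")
        column, direction = m.group(1), (m.group(2) or "asc").upper()
        if column not in SORTABLE_COLUMNS:
            raise InvalidOrderBy(f"column not sortable: {column!r}")
        terms.append(f'"{column}" {direction}')
    return ", ".join(terms)


def get_elements_safe(conn: sqlite3.Connection, order_by: str) -> list[tuple]:
    """Same query, but only allowlisted, re-serialised terms reach ORDER BY."""
    sql = f"SELECT id, title FROM elements ORDER BY {build_order_by(order_by)}"
    return conn.execute(sql).fetchall()


def rejects(order_by: str) -> bool:
    """True if the hardened parser refuses the given sort specification."""
    try:
        build_order_by(order_by)
    except InvalidOrderBy:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    print("first hash char is '$':", first_char_is(conn, "$"))  # True
    print("first hash char is 'x':", first_char_is(conn, "x"))  # False
    print(get_elements_safe(conn, "title desc, id"))
    print("oracle payload rejected:", rejects(oracle_payload("$")))  # True
```

The vulnerable and safe functions differ only in what reaches the ORDER BY slot: the hardened path re-serialises an allowlisted column and direction rather than passing the client string through, which is the shape of fix a practitioner should look for when reviewing the patched Craft releases.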

Potential Impact

For European organizations the impact can be substantial. Craft CMS is used by many businesses, agencies, and institutions to manage web content and digital experiences, and a successful injection gives read access to the backend database: user records, business data, and configuration details. Depending on the database and its privileges, attackers may also be able to modify or delete data, causing integrity loss and service outages. Because exploitation requires an authenticated Control Panel account, the likely paths are insider misuse, phished or reused credentials, and contractor or agency accounts that were never removed. Consequences include reputational damage, regulatory exposure (for example GDPR breach notification obligations), and financial loss, as well as disruption of customer-facing portals and internal operations. The High score reflects the full confidentiality, integrity, and availability impact once the authentication barrier is passed. Organizations that run Craft CMS for important digital services should treat this as a priority.

Mitigation Recommendations

European organizations should verify their Craft CMS version immediately and upgrade to 4.16.18 or 5.8.22 or later, where the vulnerability is fixed. If an immediate upgrade is not feasible, restrict Control Panel access to trusted personnel, remove stale accounts, and enforce multi-factor authentication to reduce the risk that a stolen credential turns into database access. A web application firewall can help, but the payload travels in a JSON request body, so the rule must inspect the body rather than the query string, and because this endpoint legitimately receives sort expressions the rule should allow only column-name and asc/desc tokens in criteria[orderBy] rather than trying to enumerate SQL keywords. Review Control Panel access logs for get-elements requests whose criteria[orderBy] contains parentheses, subqueries, or operators, particularly when viewState[order] is absent or identical to it, and correlate hits with the requesting account. Harden database permissions: injected SQL runs as the database user Craft connects with, so that user should have only the privileges the application needs and must not be a superuser or root account. Keep regular, tested backups to recover from data corruption, and make sure administrators understand that vendor patches for SQL injection should be applied promptly.
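The log-review and WAF advice above, as an added example that is not part of the original page or of Craft: a small Python scanner over constructed request-log lines that flags get-elements requests whose criteria[orderBy] value is anything other than a comma-separated list of column names with optional asc/desc, and records the two trigger conditions named in the analysis. The log line format, the action path string "element-indexes/get-elements", and the mapping of criteria[orderBy] and viewState[order] onto nested JSON keys are assumptions of this example, as are all user names and timestamps.

```python
import json
import re

# Accept only "<column>[ asc|desc]" terms separated by commas; "." allows table.column.
SAFE_ORDER_BY = re.compile(
    r"^[A-Za-z_][A-Za-z0-9_.]*(?:\s+(?:asc|desc))?"
    r"(?:\s*,\s*[A-Za-z_][A-Za-z0-9_.]*(?:\s+(?:asc|desc))?)*$",
    re.IGNORECASE,
)

# Constructed sample log lines (this is not Craft's real log format):
# "<timestamp> <control panel user> <action path> <JSON request body>"
SAMPLE_LOG = """\
2026-02-10T09:00:01Z editor1 element-indexes/get-elements {"criteria":{"orderBy":"title asc"},"viewState":{"order":"title asc"}}
2026-02-10T09:00:07Z editor1 element-indexes/get-elements {"criteria":{"orderBy":"dateCreated desc, id"},"viewState":{"order":"dateCreated desc, id"}}
2026-02-10T09:12:44Z contractor7 element-indexes/get-elements {"criteria":{"orderBy":"(CASE WHEN (SELECT 1)=1 THEN id ELSE -id END)"}}
2026-02-10T09:13:02Z contractor7 element-indexes/get-elements {"criteria":{"orderBy":"id, (SELECT 1)"},"viewState":{"order":"id, (SELECT 1)"}}
2026-02-10T09:13:30Z contractor7 some-other/action {"criteria":{"orderBy":"(SELECT 1)"}}
2026-02-10T09:14:00Z contractor7 element-indexes/get-elements not-json
"""


def _string_leaves(value):
    """Yield every string inside a JSON value, so orderBy given as a list or object
    (an assumed possibility, not something the advisory states) is still inspected."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for k, v in value.items():
            yield str(k)
            yield from _string_leaves(v)
    elif isinstance(value, list):
        for v in value:
            yield from _string_leaves(v)
    else:
        yield str(value)


def orderby_findings(body: dict) -> list[str]:
    """Findings for one parsed request body. Assumes criteria[orderBy] is
    body["criteria"]["orderBy"] and viewState[order] is body["viewState"]["order"]."""
    findings = []
    criteria = body.get("criteria") or {}
    view_state = body.get("viewState") or {}
    order_by = criteria.get("orderBy")
    if order_by is None:
        return findings
    for value in _string_leaves(order_by):
        if not SAFE_ORDER_BY.match(value):
            findings.append(f"criteria[orderBy] is not a plain column/direction list: {value!r}")
    if findings:
        # The two request shapes the analysis names as reaching the injection.
        if "order" not in view_state:
            findings.append("viewState[order] omitted")
        elif view_state.get("order") == order_by:
            findings.append("viewState[order] equals criteria[orderBy]")
    return findings


def scan_log(text: str) -> list[dict]:
    """Return one record per get-elements request that produced findings."""
    hits = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue
        ts, user, path, raw_body = parts
        if "element-indexes/get-elements" not in path:
            continue
        try:
            body = json.loads(raw_body)
        except ValueError:
            findings = ["unparseable JSON body"]
        else:
            findings = orderby_findings(body) if isinstance(body, dict) else ["body is not a JSON object"]
        if findings:
            hits.append({"ts": ts, "user": user, "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["user"])
        for f in hit["findings"]:
            print("   ", f)
```

The allow-pattern approach is deliberate: a denylist of SQL keywords is easy to evade with comments, casing tricks, or database-specific functions, whereas legitimate sort specifications have a tiny grammar that can be matched exactly, and anything outside it is worth a look regardless of what it contains.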


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-02T16:31:35.824Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 698a3d0c4b57a58fa16d39dc

Added to database: 2/9/2026, 8:01:16 PM

Last enriched: 2/17/2026, 9:45:16 AM

Last updated: 2/21/2026, 12:20:14 AM

