CVE-2026-31858 is an SQL injection vulnerability classified under CWE-89, found in the Craft CMS content management system. The vulnerability exists in the ElementSearchController::actionSearch() endpoint, which fails to implement the unset() protection that was previously applied to the ElementIndexesController in an earlier vulnerability fix (CVE-2026-25495). This omission allows authenticated users with control panel access—without requiring administrative privileges—to inject malicious SQL code through parameters such as criteria[where], criteria[orderBy], and other query properties. The injection enables attackers to perform boolean-based blind SQL injection attacks, allowing them to extract sensitive data from the backend database. The affected versions range from 5.0.0-RC1 through 5.9.8, with the vulnerability patched in version 5.9.9. The CVSS v4.0 score is 8.7 (high), reflecting the vulnerability's network attack vector, low complexity, no required privileges beyond authentication, and no user interaction. The impact on confidentiality, integrity, and availability is high, as attackers can access and manipulate database contents. No known exploits are currently reported in the wild, but the vulnerability poses a significant risk to organizations using vulnerable Craft CMS versions.

The SQL injection vulnerability allows attackers to extract, manipulate, or corrupt sensitive data stored in the Craft CMS database. Since the vulnerability can be exploited by any authenticated control panel user without admin privileges, insider threats or compromised low-privilege accounts can lead to full database disclosure. This can result in data breaches involving user information, content, and potentially credentials or configuration data. The integrity of the CMS data can be compromised, leading to defacement, unauthorized content changes, or further pivoting into the network. Availability could also be affected if attackers execute destructive SQL commands. Given Craft CMS's use in various industries for website management, the impact spans from reputational damage to regulatory penalties for data exposure. The ease of exploitation and high impact on confidentiality and integrity make this a critical concern for organizations relying on affected versions.

Organizations should immediately upgrade Craft CMS installations to version 5.9.9 or later, where the vulnerability is patched. Until upgrading, restrict control panel access to trusted users only and enforce strong authentication mechanisms to reduce the risk of compromised accounts. Implement web application firewalls (WAFs) with custom rules to detect and block suspicious SQL injection patterns targeting criteria[where], criteria[orderBy], and similar parameters. Conduct thorough audits of user privileges to ensure that only necessary users have control panel access. Monitor logs for unusual query patterns or database access anomalies. Additionally, consider database-level protections such as limiting the database user permissions used by the CMS to minimize potential damage from SQL injection. Regularly review and test the CMS for security updates and vulnerabilities to maintain a secure environment.