CVE-2026-31858

Description

The `ElementSearchController::actionSearch()` endpoint is missing the `unset()` protection that was added to ElementIndexesController in [GHSA-2453-mppf-46cj](https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj). The exact same SQL injection vulnerability (including `criteria[orderBy]`, the original advisory vector) works on this controller because the fix was never applied to it. Any authenticated control panel user (no admin required) can inject arbitrary SQL via `criteria[where]`, `criteria[orderBy]`, or other query properties, and extract the full database contents via boolean-based blind injection. Users should update to the patched 5.9.9 release to mitigate the issue.

How to fix CVE-2026-31858

To remediate CVE-2026-31858, upgrade the affected package to a fixed version below.

• —upgrade to 5.9.9 or later

Is CVE-2026-31858 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 5.0.0-RC1, < 5.9.9

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-31858
• PATCHgithub.com/craftcms/cms
• WEBgithub.com/craftcms/cms/commit/e1a3dd669ae31491b86ad996e88a1d30d33d9a42
• WEBgithub.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj