CVE-2026-31858

描述

The `ElementSearchController::actionSearch()` endpoint is missing the `unset()` protection that was added to ElementIndexesController in [GHSA-2453-mppf-46cj](https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj). The exact same SQL injection vulnerability (including `criteria[orderBy]`, the original advisory vector) works on this controller because the fix was never applied to it. Any authenticated control panel user (no admin required) can inject arbitrary SQL via `criteria[where]`, `criteria[orderBy]`, or other query properties, and extract the full database contents via boolean-based blind injection. Users should update to the patched 5.9.9 release to mitigate the issue.

如何修補 CVE-2026-31858

要修補 CVE-2026-31858,請將受影響套件升級到下列已修補版本。

• —升級至 5.9.9 或更新版本

CVE-2026-31858 正在被利用嗎?

低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• >= 5.0.0-RC1, < 5.9.9

CVSS 分數

參考連結(5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-31858
• PATCHgithub.com/craftcms/cms
• WEBgithub.com/craftcms/cms/commit/e1a3dd669ae31491b86ad996e88a1d30d33d9a42
• WEBgithub.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj