CVE-2026-33162: Craftcms Query Criteria Sqli

Directly configuring objects from request data (via Component::cleanseConfig) without first filtering out restricted SQL criteria properties (e.g., 'where', 'union') exposes the application to SQL injection, because those keys map straight onto raw query-builder state. Ensure that such unsafe array keys are unset before the criteria are applied to a query.

Provally Curated | Public repository | Severity: High | Confidence: Medium | Verified | License: Apache-2.0 | Language: php
greprules fetch cve-2026-33162-craftcms-query-criteria-sqli --engine opengrep
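The filtering step the rule asks for, as an added example that is neither Craft CMS code nor part of the rule: a small helper strips restricted query-builder keys from request-supplied criteria before the array is handed to Craft::configure(). The function names are assumptions; the page names only 'where' and 'union', so the remaining restricted keys in the list are an assumption as well.

```php
<?php
// Added example (not Craft CMS code and not part of the greprules rule):
// remove restricted criteria keys from request data before applying it
// to an element query. Function names and the full key list are assumptions.

use craft\elements\Entry;
use craft\elements\db\EntryQuery;

/**
 * Keys that set raw query-builder state (yii\db\Query public properties
 * such as $where and $union). Request data must never be able to set these.
 * 'where' and 'union' come from the rule description; the rest are assumed.
 */
const RESTRICTED_CRITERIA_KEYS = [
    'where', 'union', 'select', 'from', 'join', 'groupBy', 'having',
    'orderBy', 'params', 'indexBy',
];

/**
 * Return a copy of $criteria with every restricted key unset.
 * Comparison is case-insensitive so that 'WHERE' is caught as well.
 */
function cleanseCriteria(array $criteria): array
{
    $restricted = array_map('strtolower', RESTRICTED_CRITERIA_KEYS);
    foreach (array_keys($criteria) as $key) {
        if (in_array(strtolower((string) $key), $restricted, true)) {
            unset($criteria[$key]);
        }
    }
    return $criteria;
}

// Pattern the rule flags: request data configured onto the query unfiltered,
// so a 'where' key becomes the query's raw WHERE clause.
//   $query = Entry::find();
//   \Craft::configure($query, $requestCriteria);

// Hardened form: unset the restricted keys, then configure the query.
function findEntriesFromRequest(array $requestCriteria): EntryQuery
{
    $query = Entry::find();
    \Craft::configure($query, cleanseCriteria($requestCriteria));
    return $query;
}

// Constructed input: ordinary element criteria plus a restricted key.
// The 'where' entry is dropped; 'section' and 'limit' are kept.
$cleaned = cleanseCriteria([
    'section' => 'news',
    'limit'   => 10,
    'where'   => 'REQUEST-CONTROLLED-STRING', // constructed placeholder value
]);
```

The helper is a denylist because that is what the rule describes; a stricter variant keeps only an allowlist of the criteria a given endpoint actually expects, which also covers any future query property the denylist does not name.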


Detection target

Not provided

Recommended fix

Not provided

False-positive notes

Not provided
