Merge commit from fork

Fix a SQL injection vulnerability

Author: brandonkelly

CHANGELOG.md

@@ -6,6 +6,7 @@
 - Fixed a bug where all plugin settings were being saved to the project config, rather than just posted settings. ([craftcms/commerce#4006](https://github.com/craftcms/commerce/issues/4006))
 - Fixed a bug where custom selects could be positioned incorrectly after the window was resized. ([#18179](https://github.com/craftcms/cms/issues/18179))
 - Fixed an SSRF vulnerability. (GHSA-96pq-hxpw-rgh8)
+- Fixed a SQL injection vulnerability. (GHSA-2453-mppf-46cj)
 
 ## 4.16.17 - 2025-12-0421
 

src/controllers/ElementIndexesController.php

@@ -603,6 +603,23 @@ protected function elementQuery(): ElementQueryInterface
                     $criteria['draftOf'] = filter_var($criteria['draftOf'], FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
                 }
             }
+
+            // Remove unsupported criteria attributes
+            unset(
+                $criteria['where'],
+                $criteria['orderBy'],
+                $criteria['indexBy'],
+                $criteria['select'],
+                $criteria['selectOption'],
+                $criteria['from'],
+                $criteria['groupBy'],
+                $criteria['join'],
+                $criteria['having'],
+                $criteria['union'],
+                $criteria['withQueries'],
+                $criteria['params'],
+            );
+
             Craft::configure($query, Component::cleanseConfig($criteria));
         }