Skip to main content

Coreshop CVE-2026-22242

MEDIUM
SQL Injection: Hibernate (CWE-564)
2026-01-08 security-advisories@github.com GHSA-ch7p-mpv4-4vg4
4.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
PoC Detected
Jan 12, 2026 - 16:42 vuln.today
Public exploit code
Patch released
Jan 12, 2026 - 16:42 nvd
Patch available
CVE Published
Jan 08, 2026 - 10:15 nvd
MEDIUM 4.9

DescriptionGitHub Advisory

CoreShop is a Pimcore enhanced eCommerce solution. Prior to version 4.1.8, a blind SQL injection vulnerability exists in the application that allows an authenticated administrator-level user to extract database contents using boolean-based or time-based techniques. The database account used by the application is read-only and non-DBA, limiting impact to confidential data disclosure only. No data modification or service disruption is possible. This issue has been patched in version 4.1.8.

AnalysisAI

Blind SQL injection in CoreShop prior to version 4.1.8 allows authenticated administrators to extract sensitive database information through boolean-based or time-based attack techniques. The vulnerability is limited to information disclosure due to the application's read-only database permissions, preventing data modification or denial of service. Public exploit code exists for this vulnerability; administrators should upgrade to version 4.1.8 or later.

Technical ContextAI

Classified as CWE-564 (SQL Injection: Hibernate). Affects Coreshop. CoreShop is a Pimcore enhanced eCommerce solution. Prior to version 4.1.8, a blind SQL injection vulnerability exists in the application that allows an authenticated administrator-level user to extract database contents using boolean-based or time-based techniques. The database account used by the application is read-only and non-DBA, limiting impact to confidential data disclosure only. No data modification or service disruption is possible. This issue has been patched in version 4.1.8.

RemediationAI

A vendor patch is available — apply it immediately. Fixed in version 4.1.8.. Use parameterized queries. Implement input validation. Restrict network access to the affected service where possible.

Share

CVE-2026-22242 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy