Skip to main content

Coreshop CVE-2026-23959

MEDIUM
SQL Injection: Hibernate (CWE-564)
2026-01-22 security-advisories@github.com GHSA-fqcv-8859-86x2
4.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
Patch released
Feb 17, 2026 - 16:13 nvd
Patch available
CVE Published
Jan 22, 2026 - 03:15 nvd
MEDIUM 4.9

DescriptionGitHub Advisory

CoreShop is a Pimcore enhanced eCommerce solution. An error-based SQL Injection vulnerability was identified in versions prior to 4.1.9 in the CustomerTransformerController within the CoreShop admin panel. The affected endpoint improperly interpolates user-supplied input into a SQL query, leading to database error disclosure and potential data extraction. Version 4.1.9 fixes the issue.

AnalysisAI

Improper input sanitization in CoreShop's CustomerTransformerController prior to version 4.1.9 allows authenticated administrators to inject SQL commands through the admin panel, enabling database error-based information disclosure. An attacker with high-privilege access can exploit this to extract sensitive data from the underlying database without modifying or deleting records. A patch is available in version 4.1.9 and later.

Technical ContextAI

Classified as CWE-564 (SQL Injection: Hibernate). Affects the panel. The affected component of Coreshop. CoreShop is a Pimcore enhanced eCommerce solution. An error-based SQL Injection vulnerability was identified in versions prior to 4.1.9 in the CustomerTransformerController within the CoreShop admin panel. The affected endpoint improperly interpolates user-supplied input into a SQL query, leading to database error disclosure and potential data extraction. Version 4.1.9 fixes the issue.

RemediationAI

A vendor patch is available — apply it immediately. Use parameterized queries. Implement input validation. Restrict network access to the affected service where possible.

Share

CVE-2026-23959 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy