Coreshop
CVE-2026-23959
MEDIUM
Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
CoreShop is a Pimcore enhanced eCommerce solution. An error-based SQL Injection vulnerability was identified in versions prior to 4.1.9 in the CustomerTransformerController within the CoreShop admin panel. The affected endpoint improperly interpolates user-supplied input into a SQL query, leading to database error disclosure and potential data extraction. Version 4.1.9 fixes the issue.
AnalysisAI
Improper input sanitization in CoreShop's CustomerTransformerController prior to version 4.1.9 allows authenticated administrators to inject SQL commands through the admin panel, enabling database error-based information disclosure. An attacker with high-privilege access can exploit this to extract sensitive data from the underlying database without modifying or deleting records. A patch is available in version 4.1.9 and later.
Technical ContextAI
Classified as CWE-564 (SQL Injection: Hibernate). Affects the panel. The affected component of Coreshop. CoreShop is a Pimcore enhanced eCommerce solution. An error-based SQL Injection vulnerability was identified in versions prior to 4.1.9 in the CustomerTransformerController within the CoreShop admin panel. The affected endpoint improperly interpolates user-supplied input into a SQL query, leading to database error disclosure and potential data extraction. Version 4.1.9 fixes the issue.
RemediationAI
A vendor patch is available — apply it immediately. Use parameterized queries. Implement input validation. Restrict network access to the affected service where possible.
Same weakness CWE-564 – SQL Injection: Hibernate
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-fqcv-8859-86x2