Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Network-reachable, low-complexity blind SQLi requires an authenticated low-priv account (PR:L) and reads arbitrary DB data (C:H); no write/DoS shown (I/A:N); impact stays within the database, so S:U rather than vendor's S:C.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Pimcore Studio Backend Bundle is the backend bundle for Pimcore Studio. Prior to 2025.4.6 and 2026.1.6, an authenticated user can extract the admin password hash and other database content through time-based blind SQL injection in the DateFilter column key parameter. The POST /pimcore-studio/api/website-settings endpoint and other listing endpoints accept a columnFilters array where the key field is interpolated directly into SQL with manual backtick wrapping, allowing a backtick character to break out of quoting and append arbitrary SQL such as SLEEP() and IF() subqueries. This issue is fixed in versions 2025.4.6 and 2026.1.6.
AnalysisAI
Time-based blind SQL injection in Pimcore Studio Backend Bundle (before 2025.4.6 and 2026.1.6) lets an authenticated low-privilege user read arbitrary database contents, including the administrator password hash, via the DateFilter column key parameter. The POST /pimcore-studio/api/website-settings endpoint and other listing endpoints interpolate the columnFilters key field directly into SQL with manual backtick wrapping, so a backtick breaks out of quoting to append SLEEP()/IF() subqueries. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires a valid authenticated Pimcore Studio account (CVSS PR:L) with the ability to reach a listing endpoint that accepts a columnFilters array - concretely POST /pimcore-studio/api/website-settings or other listing endpoints using the DateFilter column key parameter. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, base 7.7) indicates a network-reachable, low-complexity attack that requires authentication (PR:L) and no user interaction, with high confidentiality impact but no integrity or availability impact and a claimed scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged but authenticated Studio user sends a crafted POST to /pimcore-studio/api/website-settings with a columnFilters entry whose DateFilter key contains a backtick followed by an IF()/SLEEP() subquery, then measures response timing to read the admin password hash character by character. No public exploit code was identified, but the technique is standard time-based blind SQLi and requires only a valid account and HTTP access. |
| Remediation | Vendor-released patch: upgrade studio-backend-bundle to 2025.4.6 (for 2025.4.x deployments) or 2026.1.6 (for 2026.1.x deployments); the fix is delivered in commit f532428cfbf4f5d6e299a13cedd5c29541802552 via pull request https://github.com/pimcore/studio-backend-bundle/pull/1883 and documented in advisory https://github.com/pimcore/pimcore/security/advisories/GHSA-79cw-hfcc-7mw9. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all systems running Pimcore Studio Backend Bundle; audit access logs for suspicious queries or anomalous POST traffic to /pimcore-studio/api/website-settings and related listing endpoints. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42696