Skip to main content

Pimcore Studio CVE-2026-55208

| EUVDEUVD-2026-42696 HIGH
SQL Injection (CWE-89)
2026-07-09 security-advisories@github.com
7.7
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-reachable, low-complexity blind SQLi requires an authenticated low-priv account (PR:L) and reads arbitrary DB data (C:H); no write/DoS shown (I/A:N); impact stays within the database, so S:U rather than vendor's S:C.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jul 09, 2026 - 22:01 EUVD
Analysis Generated
Jul 09, 2026 - 21:40 vuln.today

DescriptionCVE.org

Pimcore Studio Backend Bundle is the backend bundle for Pimcore Studio. Prior to 2025.4.6 and 2026.1.6, an authenticated user can extract the admin password hash and other database content through time-based blind SQL injection in the DateFilter column key parameter. The POST /pimcore-studio/api/website-settings endpoint and other listing endpoints accept a columnFilters array where the key field is interpolated directly into SQL with manual backtick wrapping, allowing a backtick character to break out of quoting and append arbitrary SQL such as SLEEP() and IF() subqueries. This issue is fixed in versions 2025.4.6 and 2026.1.6.

AnalysisAI

Time-based blind SQL injection in Pimcore Studio Backend Bundle (before 2025.4.6 and 2026.1.6) lets an authenticated low-privilege user read arbitrary database contents, including the administrator password hash, via the DateFilter column key parameter. The POST /pimcore-studio/api/website-settings endpoint and other listing endpoints interpolate the columnFilters key field directly into SQL with manual backtick wrapping, so a backtick breaks out of quoting to append SLEEP()/IF() subqueries. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Pimcore Studio
Delivery
Send POST to listing endpoint with columnFilters
Exploit
Inject backtick + SLEEP/IF into DateFilter key
Execution
Break out of identifier quoting
Persist
Time responses to read DB bit-by-bit
Impact
Extract admin password hash

Vulnerability AssessmentAI

Exploitation Requires a valid authenticated Pimcore Studio account (CVSS PR:L) with the ability to reach a listing endpoint that accepts a columnFilters array - concretely POST /pimcore-studio/api/website-settings or other listing endpoints using the DateFilter column key parameter. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, base 7.7) indicates a network-reachable, low-complexity attack that requires authentication (PR:L) and no user interaction, with high confidentiality impact but no integrity or availability impact and a claimed scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged but authenticated Studio user sends a crafted POST to /pimcore-studio/api/website-settings with a columnFilters entry whose DateFilter key contains a backtick followed by an IF()/SLEEP() subquery, then measures response timing to read the admin password hash character by character. No public exploit code was identified, but the technique is standard time-based blind SQLi and requires only a valid account and HTTP access.
Remediation Vendor-released patch: upgrade studio-backend-bundle to 2025.4.6 (for 2025.4.x deployments) or 2026.1.6 (for 2026.1.x deployments); the fix is delivered in commit f532428cfbf4f5d6e299a13cedd5c29541802552 via pull request https://github.com/pimcore/studio-backend-bundle/pull/1883 and documented in advisory https://github.com/pimcore/pimcore/security/advisories/GHSA-79cw-hfcc-7mw9. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all systems running Pimcore Studio Backend Bundle; audit access logs for suspicious queries or anomalous POST traffic to /pimcore-studio/api/website-settings and related listing endpoints. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55208 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy