CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-23492: Pimcore SQLi: When a 'Fix' is Just a Band-Aid

Vulnerability ID: CVE-2026-23492
CVSS Score: 8.8
Published: 2026-01-14

A high-severity (CVSS 8.8) Blind SQL Injection vulnerability in Pimcore's Admin Search API, caused by a failed attempt to patch a previous vulnerability (CVE-2023-30848). The developers relied on a blacklist approach, stripping SQL comment sequences from the input, plus error suppression, which left the underlying injection reachable by any authenticated attacker.

TL;DR

Pimcore tried to fix an SQL injection in 2023 by deleting double dashes (--) from the fields parameter and hiding error messages. It didn't work. CVE-2026-23492 is the result: a high-severity Blind SQL Injection in the Admin Search Find API that lets an authenticated attacker exfiltrate the entire database with time-based payloads, which do not rely on the stripped comment sequence at all. If you run Pimcore 11.x below 11.5.14 or 12.x below 12.3.1, patch immediately.
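To make the failure mode concrete, here is an added Python model of the two approaches. It is not Pimcore's code (which is PHP); the query shape, the table name and the set of allowed columns are assumptions for this example. The first pair of functions mirrors the 2023 patch, the second replaces the blacklist with an allowlist of column names:

```python
import re

# Hypothetical set of columns the search endpoint may legitimately select.
# In a real fix this must come from the schema of the table being queried.
ALLOWED_FIELDS = {"id", "fullpath", "type", "subtype", "maintype", "published"}

# Constructed time-based payload for the 'fields' parameter. It contains no
# '--', so a filter that only strips comment sequences leaves it intact.
TIME_BASED_PAYLOAD = "id,(SELECT CASE WHEN (1=1) THEN SLEEP(5) ELSE 0 END)"


def legacy_filter(fields: str) -> str:
    """Mirror of the 2023 'fix': str_replace('--', '', $allParams['fields'])."""
    return fields.replace("--", "")


def build_query_legacy(fields: str) -> str:
    """Assumed query shape: the filtered value is still concatenated into SQL,
    so whatever survives the filter runs as part of the SELECT list."""
    return f"SELECT {legacy_filter(fields)} FROM search_backend_data"


def safe_fields(fields: str, allowed=ALLOWED_FIELDS) -> list:
    """Allowlist approach: split on commas, require every entry to be a plain
    identifier AND a known column, and reject the whole request otherwise.
    Comment syntax becomes irrelevant because no expression is ever accepted."""
    requested = [f.strip() for f in fields.split(",") if f.strip()]
    if not requested:
        raise ValueError("no fields requested")
    for name in requested:
        if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name) or name not in allowed:
            raise ValueError(f"unknown field: {name!r}")
    return requested


def build_query_safe(fields: str) -> str:
    """Validated names are quoted as identifiers before the query is built."""
    quoted = ", ".join(f"`{name}`" for name in safe_fields(fields))
    return f"SELECT {quoted} FROM search_backend_data"


if __name__ == "__main__":
    print("legacy :", build_query_legacy(TIME_BASED_PAYLOAD))   # SLEEP(5) survives
    print("safe   :", build_query_safe("id,type"))
    try:
        build_query_safe(TIME_BASED_PAYLOAD)
    except ValueError as exc:
        print("safe   : rejected ->", exc)
```

The point the model makes is that `legacy_filter` is a no-op on the payload: the injected `CASE WHEN ... SLEEP(5)` expression needs no comment terminator, so removing `--` changes nothing, while `safe_fields` never lets anything but a known column name reach the query string.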


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-89 (SQL Injection)
  • CVSS v3.1: 8.8 (High)
  • Attack Vector: Network (Authenticated)
  • Vulnerability Type: Blind SQL Injection (Boolean/Time-based)
  • Previous Fail: Incomplete fix for CVE-2023-30848
  • Status: Patched

Affected Systems

  • Pimcore < 11.5.14 (fixed in 11.5.14)
  • Pimcore >= 12.0.0-RC1, < 12.3.1 (fixed in 12.3.1)
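The 12.x range starts at a release candidate, which naive string or tuple comparison gets wrong (12.0.0-RC1 must sort before 12.0.0). Below is an added Python check, written for this article rather than taken from Pimcore, that encodes the two ranges exactly as stated above; it assumes the MAJOR.MINOR.PATCH[-RCn] form seen in the advisory and rejects anything else:

```python
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-RC(\d+))?$", re.IGNORECASE)


def version_key(version: str) -> tuple:
    """Sort key for Pimcore-style version strings.

    A release candidate sorts before the release it precedes: the pre-release
    component is (0, n) for RCn and (1, 0) for a final release, so
    12.0.0-RC1 < 12.0.0 < 12.0.1. Assumption: only the -RCn label is used."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch, rc = m.groups()
    release = (int(major), int(minor), int(patch))
    prerelease = (0, int(rc)) if rc is not None else (1, 0)
    return (release, prerelease)


# Affected ranges as the advisory states them: [lower, upper), None = unbounded.
AFFECTED_RANGES = [
    (None, "11.5.14"),
    ("12.0.0-RC1", "12.3.1"),
]


def is_affected(version: str) -> bool:
    """True if the installed version falls inside one of the advisory's ranges."""
    key = version_key(version)
    for low, high in AFFECTED_RANGES:
        if (low is None or version_key(low) <= key) and key < version_key(high):
            return True
    return False


if __name__ == "__main__":
    for v in ("11.5.13", "11.5.14", "12.0.0-RC1", "12.0.0", "12.3.0", "12.3.1"):
        print(f"{v:12} affected={is_affected(v)}")
```

Feed it the output of `composer show pimcore/pimcore` (the `versions` line) rather than a hand-typed number; a `v` prefix or a branch alias would need stripping first.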

Code Analysis

Commit: 25ad867

The original, incomplete fix for CVE-2023-30848 that led to this vulnerability:

- $fields = $allParams['fields'];
+ $fields = str_replace('--', '', $allParams['fields']);
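Review bot: the `str_replace('--', '', ...)` on the `+` line does not address the actual defect, which is that `$allParams['fields']` still reaches the SQL string unvalidated; a payload that needs no comment terminator (the `SLEEP` / `CASE WHEN` expressions the mitigation section talks about) passes through unchanged. Replace the blacklist with an allowlist: split `fields` on commas, reject any entry that is not a known column of the searched table, and quote the survivors as identifiers before the query is built. The hunk also carries no comment saying why `--` was singled out, so a later maintainer has no way to tell that this line was meant to close CVE-2023-30848.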

Exploit Details

Mitigation Strategies

  • Update Pimcore to version 11.5.14 or 12.3.1 immediately; this is the only real fix.
  • As a stop-gap only, add WAF rules blocking 'SLEEP', 'BENCHMARK' and 'CASE WHEN' on the search endpoint. Keyword blocking is the same blacklist approach that failed in the 2023 patch and will not hold against a determined attacker, so do not treat it as a substitute for the update.
  • Audit access logs for requests to '/admin/search/search/find' with unusually high response times, the signature of time-based payloads. Boolean-based probing produces no latency, so also look for bursts of requests to this endpoint from one account with a varying 'fields' parameter.
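Here is an added Python triage script for the log audit above. It is not part of the original report; the log format (nginx combined format with `$request_time` appended) and the sample lines are constructed for the example, and the keyword list is the one from the WAF bullet, used here for triage rather than blocking:

```python
import re
from urllib.parse import unquote_plus

# Assumed log_format: combined format followed by $request_time in seconds.
# Adjust the regex if your reverse proxy writes something else.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'(?P<duration>\d+\.\d+)'
)
SEARCH_ENDPOINT = "/admin/search/search/find"
# Keywords from the mitigation list; matched on the URL-decoded query string.
PAYLOAD_RE = re.compile(r"\b(sleep|benchmark|case\s+when)\b", re.IGNORECASE)

# Constructed sample: a normal search, a slow time-based probe, a fast
# boolean-based probe, and an unrelated slow request that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - admin [14/Jan/2026:10:01:02 +0000] "GET /admin/search/search/find?query=shoe&fields=id,type HTTP/1.1" 200 512 0.081
10.0.0.7 - editor [14/Jan/2026:10:01:09 +0000] "GET /admin/search/search/find?query=a&fields=id%2C(SELECT+CASE+WHEN+(1%3D1)+THEN+SLEEP(5)+ELSE+0+END) HTTP/1.1" 200 43 5.112
10.0.0.7 - editor [14/Jan/2026:10:01:15 +0000] "GET /admin/search/search/find?query=a&fields=id%2C(SELECT+CASE+WHEN+(1%3D2)+THEN+1+ELSE+0+END) HTTP/1.1" 200 43 0.072
10.0.0.9 - admin [14/Jan/2026:10:02:30 +0000] "POST /admin/asset/upload HTTP/1.1" 200 12 6.900
"""


def parse_line(line: str):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["duration"] = float(rec["duration"])
    path, _, query = rec["path"].partition("?")
    rec["path"] = path
    rec["query"] = unquote_plus(query)   # decode before keyword matching
    return rec


def find_suspicious(log_text: str, min_seconds: float = 3.0) -> list:
    """Return (line_no, reason, record) for search-endpoint requests that are
    slow enough to suggest a time-based payload ('slow'), carry the blind-SQLi
    keywords in the decoded query ('keyword'), or both ('slow+keyword').
    Requests to other endpoints are ignored regardless of latency."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None or rec["path"] != SEARCH_ENDPOINT:
            continue
        reasons = []
        if rec["duration"] >= min_seconds:
            reasons.append("slow")
        if PAYLOAD_RE.search(rec["query"]):
            reasons.append("keyword")
        if reasons:
            hits.append((n, "+".join(reasons), rec))
    return hits


if __name__ == "__main__":
    for n, reason, rec in find_suspicious(SAMPLE_LOG):
        print(f"line {n}: {reason:13} user={rec['user']} {rec['duration']:.3f}s {rec['query']}")
```

The third sample line is why the keyword check matters: a boolean-based probe returns in 72 ms and would never trip a latency threshold, but its decoded `fields` value still carries the `CASE WHEN` construct. Run the script over the real log with `find_suspicious(open(path).read())` and tune `min_seconds` to the endpoint's normal response time.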

Remediation Steps:

  1. Backup your Pimcore database and assets.
  2. Check that the constraint for pimcore/pimcore in composer.json allows the fixed release (11.5.14 or 12.3.1), then run 'composer update pimcore/pimcore' to pull it.
  3. Verify the installed version with 'composer show pimcore/pimcore' and in the admin dashboard.
  4. Clear the Pimcore cache using 'bin/console cache:clear'.

References


Read the full report for CVE-2026-23492 on our website for more details including interactive diagrams and full exploit analysis.
