DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-27461: Pimcore SQL Injection: When 'Enterprise' Logic Meets 'Select * From Disaster'


Vulnerability ID: CVE-2026-27461
CVSS Score: 6.9
Published: 2026-02-24

A SQL injection vulnerability in the Pimcore platform allows an authenticated administrator to execute arbitrary SQL via the dependency listing feature. The 'value' field of the JSON filter parameter was concatenated into a single-quoted RLIKE pattern without escaping or parameter binding, so a value containing a quote character terminates the string literal and the remainder of the value is executed as SQL.

TL;DR

Pimcore versions prior to 12.3.3 contain a classic SQL injection flaw in the Dependency Dao class. An authenticated admin can exploit the filter parameter to dump the entire database, including password hashes; although the application routes its queries through an ORM, this particular query was assembled by string concatenation. The need for administrator credentials is what keeps the CVSS score at 6.9 (Medium) rather than critical.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-89 (SQL Injection)
  • CVSS v4.0: 6.9 (Medium)
  • Attack Vector: Network (requires an authenticated administrator account)
  • Vulnerable Parameter: JSON 'filter' -> 'value'
  • Sink: SQL RLIKE clause
  • Exploit Maturity: Proof of Concept (derived from the patch diff)

Affected Systems

  • Pimcore CMS
  • Pimcore DAM
  • Pimcore PIM
  • Pimcore: <= 11.5.14.1 (Fixed in: 12.3.3)
  • Pimcore: >= 12.0.0, < 12.3.3 (Fixed in: 12.3.3)

Code Analysis

Commit: 1c3925f

Fix SQL Injection in Dependency Dao by using prepared statements and preg_quote

- WHERE ... RLIKE '" . $value . "'
+ WHERE ... RLIKE :value
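Review bot: the `+ WHERE ... RLIKE :value` line removes the string concatenation, but the hunk shows neither where `:value` is bound nor the `preg_quote` call that the commit message announces; please include both lines so a reviewer can confirm that the escaped value is what actually gets bound. Parameter binding alone only stops the SQL injection: RLIKE still interprets the bound string as a regular expression, so without `preg_quote` a user-supplied filter can match rows it should not or carry an expensive pattern. Since `preg_quote` turns the filter into a literal match, the change description should also state that regex metacharacters in filter values no longer act as patterns.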

Exploit Details

  • Manual Analysis: the exploit was derived from the patch diff, which shows the filter value being concatenated into the RLIKE clause without escaping or parameter binding.
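The following is an added example, not Pimcore's code or the exploit from the report, that models the flaw described in the summary and the fix shown in the Code Analysis diff in a self-contained way. It assumes SQLite's REGEXP operator (backed by Python's re module) as a stand-in for MySQL's RLIKE, re.escape() as a stand-in for PHP's preg_quote(), and constructed sample rows; the table layout, payload and function names are illustrative, not Pimcore's.

```python
"""
Added example, not Pimcore's code: a self-contained model of the
CVE-2026-27461 pattern.  SQLite's REGEXP operator (backed here by Python's
re module) stands in for MySQL's RLIKE, re.escape() stands in for PHP's
preg_quote(), and the table contents are constructed sample data.
"""
import re
import sqlite3
from typing import List, Tuple

# Constructed sample rows: a few dependency records and one user with a
# placeholder password hash that the injection will read across tables.
DEPENDENCY_ROWS = [
    ("document", 1, "/home"),
    ("document", 2, "/about"),
    ("asset", 3, "/images/logo.png"),
]
USER_ROWS = [("admin", "$2y$10$constructedhash")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a REGEXP operator wired to re.search."""
    conn = sqlite3.connect(":memory:")
    # SQLite evaluates  X REGEXP Y  as  regexp(Y, X): pattern first, subject second.
    conn.create_function(
        "regexp", 2, lambda pattern, subject: re.search(pattern, subject) is not None
    )
    conn.execute("CREATE TABLE dependencies (type TEXT, id INTEGER, path TEXT)")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO dependencies VALUES (?, ?, ?)", DEPENDENCY_ROWS)
    conn.executemany("INSERT INTO users VALUES (?, ?)", USER_ROWS)
    return conn


def list_dependencies_vulnerable(conn: sqlite3.Connection, value: str) -> List[Tuple]:
    """Pre-patch shape: the filter value is concatenated into the pattern
    literal, like  RLIKE '" . $value . "'  in the advisory's diff."""
    sql = f"SELECT type, id, path FROM dependencies WHERE path REGEXP '{value}'"
    return conn.execute(sql).fetchall()


def list_dependencies_fixed(conn: sqlite3.Connection, value: str) -> List[Tuple]:
    """Patched shape: the value is bound as a parameter (RLIKE :value) and its
    regex metacharacters are escaped first, so it can neither terminate the
    string literal nor act as a pattern."""
    sql = "SELECT type, id, path FROM dependencies WHERE path REGEXP :value"
    return conn.execute(sql, {"value": re.escape(value)}).fetchall()


# Constructed payload: the quote closes the pattern literal, UNION pulls the
# users table into the result set, and the trailing comment swallows the
# closing quote the original query appends.
PAYLOAD = "nomatch' UNION SELECT name, 0, password FROM users -- "


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", list_dependencies_vulnerable(db, PAYLOAD))
    print("fixed:     ", list_dependencies_fixed(db, PAYLOAD))
    # A bare "." is a regex wildcard before the fix and a literal dot after it.
    print("wildcard, vulnerable:", list_dependencies_vulnerable(db, "."))
    print("wildcard, fixed:     ", list_dependencies_fixed(db, "."))
```

The second pair of calls is the reason the commit message adds preg_quote on top of the prepared statement: binding alone stops the quote from breaking out of the literal, but RLIKE still treats the bound string as a pattern, so an unescaped "." would match every row. MySQL's regex dialect differs from Python's re in details, but the two failure modes are the same.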

Mitigation Strategies

  • Upgrade to Pimcore 12.3.3 or later; this is the only complete fix.
  • Restrict access to the Pimcore admin interface to trusted networks (VPN or IP allowlist). Because exploitation requires an administrator account, limiting who can reach the login form and who holds admin rights is the most effective compensating control.
  • A Web Application Firewall rule that blocks SQL keywords in JSON payloads can serve as defense in depth, but keyword filters are easily bypassed and will produce false positives for editors whose legitimate content contains words such as "select" or "union"; do not rely on it instead of upgrading.

Remediation Steps:

  1. Back up the Pimcore database and assets.
  2. Make sure composer.json allows the fixed release (a constraint such as ^12.3 rather than a pin to an older tag), then run composer update pimcore/pimcore --with-all-dependencies to fetch it.
  3. Verify that composer show pimcore/pimcore (or the pimcore/pimcore entry in composer.lock) reports a version >= 12.3.3.
  4. Clear the Pimcore cache (bin/console cache:clear).
  5. Test the dependency tab. Because the fix applies preg_quote to the filter value, filters are now matched as literal strings rather than regular expressions, so any workflow that relied on regex metacharacters in that filter will behave differently.
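As an added example for the verification step above (not Pimcore's or Composer's code), the script below reads the pinned pimcore/pimcore version out of composer.lock and reports whether it falls in the ranges this advisory lists. It assumes only the standard composer.lock layout (a "packages" and a "packages-dev" array of entries with "name" and "version"); SAMPLE_LOCK is a constructed fragment, and the file name check_pimcore_lock.py is hypothetical.

```python
"""
Added example, not Pimcore's or Composer's code: read the installed
pimcore/pimcore version out of composer.lock and decide whether it falls
in the advisory's affected ranges (<= 11.5.14.1, or >= 12.0.0 and < 12.3.3,
fixed in 12.3.3).  SAMPLE_LOCK is a constructed composer.lock fragment.
"""
import json
import sys
from pathlib import Path
from typing import Dict, Optional, Tuple

FIXED_VERSION = (12, 3, 3, 0)
PACKAGE = "pimcore/pimcore"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a Composer version string into a comparable 4-tuple.

    Composer tags may carry a leading "v" and a stability suffix such as
    "-RC1" or "-dev"; only the dotted numeric core is compared here, so a
    pre-release of the fixed version is treated like the release itself.
    """
    core = version.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Composer version: {version!r}")
    numbers = tuple(int(p) for p in parts)
    return numbers + (0,) * (4 - len(numbers))


def is_affected(version: str) -> bool:
    """True when the version is below the only fix the advisory names.

    This covers both listed ranges (the 11.x line up to 11.5.14.1 and
    12.0.0 <= v < 12.3.3).  It also treats an 11.x build newer than
    11.5.14.1 as affected, a deliberately conservative choice because the
    advisory lists no fix on the 11.x line.
    """
    return parse_version(version) < FIXED_VERSION


def installed_version(lock_text: str, package: str = PACKAGE) -> Optional[str]:
    """Find a package's pinned version in composer.lock (prod or dev section)."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for entry in lock.get(section, []):
            if entry.get("name") == package:
                return entry.get("version")
    return None


def check_lock(lock_text: str) -> Dict[str, object]:
    """Summarise the verdict for one composer.lock document."""
    version = installed_version(lock_text)
    if version is None:
        return {"version": None, "affected": None}
    return {"version": version, "affected": is_affected(version)}


# Constructed composer.lock fragment: a site still on the last vulnerable 12.x tag.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "acme/example-bundle", "version": "1.0.0"},
        {"name": "pimcore/pimcore", "version": "v12.3.2"},
    ],
    "packages-dev": [],
})


if __name__ == "__main__":
    # Usage: python check_pimcore_lock.py [path/to/composer.lock]
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_LOCK
    verdict = check_lock(text)
    print(verdict)
    sys.exit(1 if verdict["affected"] else 0)
```

The non-zero exit status makes the check usable as a CI gate after the composer update; a missing pimcore/pimcore entry yields an "affected": None verdict rather than a pass, so a lock file from the wrong project does not silently succeed.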

References


Read the full report for CVE-2026-27461 on our website for more details including interactive diagrams and full exploit analysis.
