SQL Injection Affecting pimcore/pimcore package, versions <12.3.6
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PHP-PIMCOREPIMCORE-17112574
- published31 May 2026
- disclosed27 May 2026
- creditmsayedZiko
Introduced: 27 May 2026
NewCVE-2026-44739 (opens in a new tab)How to fix?
Upgrade pimcore/pimcore to version 12.3.6 or higher.
Overview
pimcore/pimcore is a content & product management framework (CMS/PIM/E-Commerce).
Affected versions of this package are vulnerable to SQL Injection in the columnConfigAction process. An attacker can access and manipulate sensitive database information, as well as modify or delete data, by submitting crafted configuration payloads that are concatenated into SQL queries without proper parameterization. This allows unauthorized access to database contents and the ability to bypass weak input filtering using permitted SQL statements or comment-based evasion techniques. Error messages returned in JSON responses further facilitate data exfiltration through error-based techniques. This is only exploitable if the attacker has the reports_config permission.