CVE-2026-27461 | THREATINT

Description

Pimcore is an Open Source Data & Experience Management Platform. In versions up to and including 11.5.14.1 and 12.3.2, the filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameterized queries. Exploiting this issue requires admin authentication. An attacker with admin panel access can extract the full database including password hashes of other admin users. Version 12.3.3 contains a patch.

PUBLISHED Reserved 2026-02-19 | Published 2026-02-24 | Updated 2026-02-24 | Assigner GitHub_M

MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

<= 11.5.14.1

affected

>= 12.0.0, < 12.3.3

affected

References

github.com/...imcore/security/advisories/GHSA-vxg3-v4p6-f3fp

github.com/pimcore/pimcore/pull/18991

github.com/...ommit/1c3925fbec4895abeb21e5c244a83679c4e4a6f4

github.com/pimcore/pimcore/releases/tag/v12.3.3

cve.org (CVE-2026-27461)

nvd.nist.gov (CVE-2026-27461)

Download JSON