CVE-2026-27461
Pimcore vulnerable to SQL injection via unsanitized filter value in Dependency Dao RLIKE clause
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Pimcore is an Open Source Data & Experience Management Platform. In versions up to and including 11.5.14.1 and 12.3.2, the filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameterized queries. Exploiting this issue requires admin authentication. An attacker with admin panel access can extract the full database including password hashes of other admin users. Version 12.3.3 contains a patch.
| CWE | CWE-89 |
| Vendor | pimcore |
| Product | pimcore |
| Published | Feb 24, 2026 |
| Last Updated | Feb 24, 2026 |
Stay Ahead of the Next One
Get instant alerts for pimcore pimcore
Be the first to know when new unknown vulnerabilities affecting pimcore pimcore are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
pimcore / pimcore
<= 11.5.14.1 >= 12.0.0, < 12.3.3
References
github.com: https://github.com/pimcore/pimcore/security/advisories/GHSA-vxg3-v4p6-f3fp github.com: https://github.com/pimcore/pimcore/pull/18991 github.com: https://github.com/pimcore/pimcore/commit/1c3925fbec4895abeb21e5c244a83679c4e4a6f4 github.com: https://github.com/pimcore/pimcore/releases/tag/v12.3.3