Executive Summary

CVE-2026-22242 is a blind SQL injection vulnerability in CoreShop versions up to 4.1.7, specifically in the admin reports feature. It allows an authenticated administrator-level user to extract confidential database information by exploiting unsanitized user input that is directly concatenated into SQL queries without proper parameterization. The vulnerability arises mainly from the 'store' parameter being used without validation or prepared statements, enabling attackers to perform boolean-based or time-based SQL injection attacks to infer and extract data from the database. The database user has read-only privileges, so no data modification or service disruption is possible. The issue was fixed by replacing unsafe SQL query constructions with parameterized queries using named placeholders. [1, 2]

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an authenticated administrator-level user to extract confidential database information due to a blind SQL injection flaw. This unauthorized disclosure of confidential data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which mandate the protection of sensitive personal and health information. Although the database user is read-only and no data modification or service disruption is possible, the confidentiality breach poses a risk to compliance by potentially exposing protected data. The issue has been patched in version 4.1.8 to mitigate this risk. [2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of confidential data stored in the CoreShop database. An authenticated administrator-level user can exploit the blind SQL injection to extract sensitive information by manipulating SQL queries. However, because the database account used by the application is read-only and non-DBA, the impact is limited to data confidentiality only. There is no risk of data modification or service disruption from this vulnerability. [2]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the /admin/coreshop/report/get-data endpoint for blind SQL injection via the 'store' parameter. Boolean-based detection can be done by modifying the 'store' parameter to values like '1 AND 1=1' (which returns data) and '1 AND 2=1' (which returns empty results). Time-based detection involves injecting payloads with SQL functions like SLEEP() to observe response delays. Automated tools such as sqlmap can be used to confirm the vulnerability and extract database information. Example commands with sqlmap would target the 'store' parameter for injection testing. [2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include enforcing strict type casting of the 'store' parameter to an integer before using it in SQL queries, for example: casting with (int) and returning empty results if the value is invalid (≤ 0). The best practice is to update the code to use prepared statements with parameter binding for the 'store' parameter and all other user inputs, replacing direct concatenation with parameterized queries. Upgrading CoreShop to version 4.1.8 or later, where this issue is patched, is also recommended. [2, 1]

Useful 0 Not Useful 0