CVE-2026-23959
SQL Injection in CoreShop CustomerTransformerController Exposes Data
Publication date: 2026-01-22
Last updated on: 2026-02-17
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| coreshop | coreshop | to 4.1.9 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-564 | Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an error-based SQL Injection in CoreShop versions prior to 4.1.9, specifically in the CustomerTransformerController within the admin panel. It occurs because user-supplied input is unsafely interpolated directly into a SQL query without proper parameterization or escaping. This allows an authenticated admin user to inject malicious SQL code via the 'value' parameter in the duplication name check endpoint, causing database errors and potentially extracting sensitive data. [3]
How can this vulnerability impact me? :
The vulnerability can lead to database error disclosure, allowing attackers to see database error messages that reveal schema details. It also enables potential database schema enumeration and data extraction through error-based or blind SQL injection attacks. Exploitation requires authenticated admin access but no additional user interaction. This can compromise the confidentiality of sensitive data stored in the database. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending crafted requests to the vulnerable endpoint `/admin/coreshop/customer-company-modifier/duplication-name-check?value=` with specially crafted input that triggers SQL errors. For example, injecting a double quote (") in the `value` parameter causes a SQL syntax error and an HTTP 500 Internal Server Error with database error disclosure. Automated tools like sqlmap can be used to confirm the presence of the SQL injection vulnerability by targeting this endpoint with authenticated admin access. A sample detection approach includes authenticating to the admin panel (default credentials: admin/coreshop), obtaining a CSRF token, and then sending requests to the endpoint with payloads designed to cause SQL errors or extract data. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Upgrade CoreShop to version 4.1.9 or later, which contains the fix replacing unsafe string interpolation with parameterized queries. 2) If upgrading is not immediately possible, apply input validation to restrict and sanitize the `value` parameter to acceptable characters and lengths. 3) Implement graceful error handling to avoid raw database error disclosures by catching exceptions and returning controlled JSON error responses. 4) Avoid direct interpolation of user input into SQL queries; use prepared statements or ORM parameter binding as demonstrated in the fix. These steps reduce the risk of exploitation until the official patch can be applied. [1, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows potential unauthorized disclosure and extraction of database information through SQL injection, which could lead to exposure of sensitive customer data. Such data breaches can result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and health information against unauthorized access and disclosure. Therefore, this vulnerability poses a risk to compliance with these standards by potentially compromising data confidentiality. [3]