CVE-2026-44739
Received Received - Intake

SQL Injection in Pimcore Data Management Platform

Vulnerability report for CVE-2026-44739, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.6, the columnConfigAction endpoint in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php passes malicious SQL configuration through CustomReportController:columnConfigAction, SqlAdapter::getColumns, SqlAdapter::buildQueryString, and Db::fetchAssociative(), allowing an attacker with the reports_config permission to use arbitrary SELECT queries, UNION statements, dangerous database functions, and error-based SQL injection to exfiltrate or manipulate database data. This issue is fixed in versions 11.5.17 (LTS) and 12.3.6.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
pimcore pimcore to 11.5.17 (inc)
pimcore pimcore to 12.3.6 (inc)
pimcore pimcore to 11.5.17|end_excluding=12.3.6 (exc)
pimcore pimcore 11.5.17
pimcore pimcore 12.3.6

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-44739 is a SQL injection vulnerability in Pimcore's Custom Reports Bundle. It affects the columnConfigAction endpoint where malicious SQL configurations can be passed through multiple functions. An attacker with the reports_config permission can exploit this to execute arbitrary SELECT queries, UNION statements, dangerous database functions, and error-based SQL injection. The vulnerability arises because the application fails to properly block all malicious SQL commands and exposes detailed error messages.

Detection Guidance

To detect this vulnerability, check if your Pimcore instance is running a vulnerable version (up to 11.5.16 or 12.3.5). Use commands like: grep -r 'columnConfigAction' /path/to/pimcore/bundles/CustomReportsBundle/ to locate the endpoint. Verify if the Sql.php file contains the security enhancements mentioned in the patch.

Impact Analysis

This vulnerability allows an attacker to manipulate, crawl, or modify database information. They can bypass application filters to perform unauthorized operations like updating, inserting, or deleting data. The exposure of detailed database error messages enables data exfiltration through error-based SQL injection techniques. This compromises the confidentiality, integrity, and availability of the application's data.

Compliance Impact

This vulnerability can lead to unauthorized data access, modification, or deletion, violating GDPR's data integrity and confidentiality requirements and HIPAA's safeguards for protected health information. The exposure of detailed error messages may also breach GDPR's principle of data minimization and HIPAA's security rule regarding information access management.

Mitigation Strategies

Immediately upgrade Pimcore to version 11.5.17 (LTS) or 12.3.6 or later. Remove the reports_config permission from untrusted users. Review database logs for suspicious SQL queries. Apply the security patches from the provided GitHub commits to the Sql.php file if upgrading is not immediately possible.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44739. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart