PT-2026-21658 · Pimcore · Pimcore

Q1Uf3Ng · Published 2026-02-24 · Updated 2026-03-25 · CVE-2026-27461

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions
Pimcore versions up to and including 11.5.14.1 and 12.3.2

Description
Pimcore is an Open Source Data & Experience Management Platform. A critical SQL Injection issue exists in the dependency listing endpoints. The filter query parameter is JSON-decoded, and the value field is directly concatenated into RLIKE clauses without proper sanitization or the use of parameterized queries. Exploitation requires administrator authentication. An attacker with admin panel access can potentially extract the entire database, including password hashes of other administrator users.

The issue is present in the following code locations within models/Dependency/Dao.php: getFilterRequiresByPath() lines 90, 95, 100 and getFilterRequiredByPath() lines 148, 153, 158. The API endpoints affected are '/admin/element/get-requires-dependencies' and '/admin/element/get-required-by-dependencies'. The vulnerable parameter is filter, specifically the value field within it. The direct string concatenation occurs as: "AND LOWER(CONCAT(o.path, o.key)) RLIKE '".$value."'". A proof-of-concept (PoC) demonstrates time-based blind SQL injection and error-based extraction of data, including the MySQL version string.

Recommendations
Versions prior to 12.3.3 are affected. Update to version 12.3.3 or later to resolve this vulnerability.
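
The concatenation quoted in the description, next to a parameterized form of the same clause, as an added example (not Pimcore's code and not its actual fix). The function names, the :filterValue placeholder, the 255-byte limit and the {"value": ...} request shape are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Pattern quoted in the advisory: the decoded value becomes part of the SQL text.
function rlikeConcatenated(string $value): string
{
    return "AND LOWER(CONCAT(o.path, o.key)) RLIKE '" . $value . "'";
}

// Hardened form (assumption, not Pimcore's patch): constant SQL text plus a
// bound parameter. The value is still evaluated as a regex by RLIKE, but it
// can no longer terminate the string literal or add SQL syntax.
function rlikeParameterized(string $value): array
{
    return [
        'sql'    => 'AND LOWER(CONCAT(o.path, o.key)) RLIKE :filterValue',
        'params' => ['filterValue' => $value],
    ];
}

// Decode the filter parameter and accept only a bounded string in "value".
// The JSON shape {"value": "..."} and the 255-byte limit are constructed
// stand-ins, not taken from the real request format.
function filterValue(string $filterJson): string
{
    $decoded = json_decode($filterJson, true, 4, JSON_THROW_ON_ERROR);
    $value = is_array($decoded) ? ($decoded['value'] ?? null) : null;
    if (!is_string($value) || $value === '' || strlen($value) > 255) {
        throw new InvalidArgumentException('filter.value must be a non-empty string of at most 255 bytes');
    }
    return $value;
}

// Constructed sample inputs: an ordinary filter and one containing a single quote.
$samples = ['{"value":"product"}', '{"value":"x\' OR \'1\'=\'1"}'];

foreach ($samples as $json) {
    $value = filterValue($json);
    $safe  = rlikeParameterized($value);
    echo "input        : {$value}\n";
    echo "concatenated : " . rlikeConcatenated($value) . "\n";
    echo "parameterized: {$safe['sql']}  params=" . json_encode($safe['params']) . "\n\n";
}
```

For the second sample the concatenated clause contains extra quote-delimited SQL after the RLIKE literal, while the parameterized SQL text is identical for both inputs; with PDO the params array would be passed to the prepared statement's execute() call.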

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-27461
GHSA-VXG3-V4P6-F3FP

Affected Products

Pimcore