PT-2026-3891 · Coreshop · Coreshop

Bypazs

·

Published

2026-01-21

·

Updated

2026-02-17

·

CVE-2026-23959

CVSS v4.0

6.9

Medium

Vector AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: CoreShop versions prior to 4.1.9
Description: An error-based SQL Injection issue exists in the CustomerTransformerController within the CoreShop admin panel. The affected endpoint improperly incorporates user-supplied input into a SQL query, potentially leading to database error disclosure and data extraction. The vulnerability is located in the company name duplication check endpoint: /admin/coreshop/customer-company-modifier/duplication-name-check?value=. The $value parameter is user-controlled and is neither escaped nor bound as a prepared statement parameter. Providing a double quote (") causes a SQL syntax error, confirming the injection point. The vulnerable file is /app/repos/coreshop/src/CoreShop/Bundle/CustomerBundle/Controller/CustomerTransformerController.php, and the vulnerable code pattern is sprintf('name LIKE "%%%s%%"', (string) $value). Exploitation involves triggering a SQL error to confirm the injection and potentially extracting data.
Recommendations: Versions prior to 4.1.9: Use parameterized queries instead of string concatenation or sprintf to build SQL conditions. Apply strict input validation before processing user data. Handle database errors gracefully by returning controlled JSON error responses instead of raw 500 error pages.
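The sprintf pattern named above next to a parameterized replacement that also applies the three recommendations, as an added example that is not CoreShop's own code. It uses PDO with an in-memory SQLite table (assumes the pdo_sqlite extension) as a stand-in for the project's database layer; the function names and the table schema are constructed for illustration.

```php
<?php
// Added example, not CoreShop's code. Constructed stand-in schema so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE company (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO company (name) VALUES ('Acme Ltd'), ('50% Off Store')");

// BEFORE: the pattern quoted in the advisory. The value is spliced into the SQL text,
// so a single double quote in $value breaks the statement and surfaces a database error.
function vulnerableCondition(string $value): string
{
    return sprintf('name LIKE "%%%s%%"', $value);
}

// Escape LIKE metacharacters so user input is matched literally; the backslash is
// declared as the escape character in the prepared statement below.
function escapeLike(string $value): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $value);
}

// AFTER: the value travels as a bound parameter and never becomes part of the SQL text.
function duplicateNameExists(PDO $pdo, string $value): bool
{
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM company WHERE name LIKE :pattern ESCAPE '\\'");
    $stmt->execute([':pattern' => '%' . escapeLike($value) . '%']);
    return (int) $stmt->fetchColumn() > 0;
}

// Controller-style wrapper: a database failure becomes a controlled JSON response
// rather than a raw 500 page carrying the driver's error text.
function duplicationNameCheck(PDO $pdo, string $value): string
{
    if ($value === '' || strlen($value) > 255) {
        return json_encode(['success' => false, 'message' => 'Invalid value']);
    }
    try {
        return json_encode(['success' => true, 'duplicate' => duplicateNameExists($pdo, $value)]);
    } catch (PDOException $e) {
        error_log($e->getMessage()); // detail stays server-side
        return json_encode(['success' => false, 'message' => 'Lookup failed']);
    }
}

echo vulnerableCondition('x"'), PHP_EOL;          // the broken statement from the advisory
echo duplicationNameCheck($pdo, 'Acme'), PHP_EOL;
echo duplicationNameCheck($pdo, 'x"'), PHP_EOL;   // same input, now an ordinary no-match
echo duplicationNameCheck($pdo, '%'), PHP_EOL;    // literal %, not a wildcard
```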


Weakness Enumeration

Related Identifiers

CVE-2026-23959
GHSA-FQCV-8859-86X2

Affected Products

Coreshop