CVE-2026-44739
Pimcore · Pimcore
Pimcore contains an SQL injection vulnerability allowing authenticated attackers to execute arbitrary SQL commands.
Executive summary
A high-severity SQL injection vulnerability in Pimcore allows authenticated attackers to manipulate database queries, posing a significant risk to data integrity and confidentiality.
Vulnerability
The application is susceptible to SQL injection via improper neutralization of special elements used in SQL commands. This flaw requires an authenticated user to trigger the malicious payload.
Business impact
Successful exploitation allows an attacker to interact with the backend database, potentially leading to unauthorized data exfiltration or modification. Given the CVSS score of 8.7, this vulnerability represents a substantial threat to the security of business-critical information stored within the platform.
Remediation
Immediate Action: Update the Pimcore installation to version 11.5.17, 12.3.6, or 2026.1.2 immediately to incorporate the security fix.
Proactive Monitoring: Review database query logs for unusual syntax or patterns that deviate from standard application behavior.
Compensating Controls: Deploy a Web Application Firewall (WAF) with updated SQL injection protection rules to filter malicious input strings targeting the application.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Organizations utilizing affected versions of Pimcore must prioritize patching to the latest stable release. Failure to remediate this vulnerability could result in full database compromise, and administrators should verify that all instances are updated to the specified secure versions without delay.