CVE-2026-44739

Pimcore · Pimcore

Pimcore contains an SQL injection vulnerability allowing authenticated attackers to execute arbitrary SQL commands.

Executive summary

A high-severity SQL injection vulnerability in Pimcore allows authenticated attackers to manipulate database queries, posing a significant risk to data integrity and confidentiality.

Vulnerability

The application is susceptible to SQL injection via improper neutralization of special elements used in SQL commands. This flaw requires an authenticated user to trigger the malicious payload.

Business impact

Successful exploitation allows an attacker to interact with the backend database, potentially leading to unauthorized data exfiltration or modification. Given the CVSS score of 8.7, this vulnerability represents a substantial threat to the security of business-critical information stored within the platform.

Remediation

Immediate Action: Update the Pimcore installation to version 11.5.17, 12.3.6, or 2026.1.2 immediately to incorporate the security fix.

Proactive Monitoring: Review database query logs for unusual syntax or patterns that deviate from standard application behavior.

Compensating Controls: Deploy a Web Application Firewall (WAF) with updated SQL injection protection rules to filter malicious input strings targeting the application.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Organizations utilizing affected versions of Pimcore must prioritize patching to the latest stable release. Failure to remediate this vulnerability could result in full database compromise, and administrators should verify that all instances are updated to the specified secure versions without delay.