CVE-2026-55208

Pimcore · Pimcore Studio Backend Bundle

The Pimcore Studio Backend Bundle is vulnerable to SQL Injection, allowing authenticated users to execute malicious database queries.

Executive summary

An SQL injection vulnerability in the Pimcore Studio Backend Bundle allows an authenticated attacker to perform unauthorized database operations and potentially extract sensitive information.

Vulnerability

This is an SQL Injection (CWE-89) vulnerability where the backend bundle fails to properly sanitize input before incorporating it into database queries. An authenticated user can leverage this to bypass security controls or access unauthorized data.

Business impact

The vulnerability carries a CVSS score of 7.7, reflecting a high risk to data confidentiality. By injecting malicious SQL commands, an attacker could potentially exfiltrate sensitive business data or manipulate the application’s backend, leading to significant regulatory and reputational consequences.

Remediation

Immediate Action: Update the Pimcore Studio Backend Bundle to version 2026.1.6 or 2025.4.6, depending on the current branch in use.

Proactive Monitoring: Review database query logs for suspicious syntax or unexpected query patterns that deviate from standard application behavior.

Compensating Controls: Deploy a Web Application Firewall (WAF) with SQL injection protection rules to inspect and block malicious requests attempting to exploit this vulnerability.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Organizations should treat this vulnerability with high urgency. Administrators must verify their current version of the Studio Backend Bundle and apply the provided patches to ensure the integrity and confidentiality of the database.