Description
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, an incomplete SQL injection patch in the Admin Search Find API allows an authenticated attacker to perform blind SQL injection. Although CVE-2023-30848 attempted to mitigate SQL injection by removing SQL comments (--) and catching syntax errors, the fix is insufficient. Attackers can still inject SQL payloads that do not rely on comments and infer database information via blind techniques. This vulnerability affects the admin interface and can lead to database information disclosure. This vulnerability is fixed in 12.3.1 and 11.5.14.
Published: 2026-01-14
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Database information disclosure through blind SQL injection
Action: Immediate Patch
AI Analysis

Impact

Pimcore’s Admin Search Find API contains an incomplete SQL injection fix that allows an attacker with administrative credentials to inject SQL payloads without relying on comments. The vulnerability enables blind extraction of database information, compromising the integrity and confidentiality of all stored data. The flaw is a classic input validation weakness classified as CWE-89.
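The defect class described above, as an added illustration that is not code from this record or from Pimcore: a blacklist filter that only strips SQL comment markers leaves quotes and keywords untouched, so a syntactically valid, comment-free input still reaches the database as SQL, while binding the search term as a query parameter makes the same input inert. The `search_index` table, its sample rows, and the `strip_sql_comments`, `search_filtered_concat` and `search_parameterized` functions are all constructed for this example; SQLite stands in for the real database.

```python
import re
import sqlite3

# Constructed sample data: a tiny table standing in for a search index.
SAMPLE_ROWS = [
    (1, "Homepage", "document"),
    (2, "Summer campaign", "asset"),
    (3, "Internal pricing sheet", "object"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE search_index (id INTEGER, title TEXT, type TEXT)")
    conn.executemany("INSERT INTO search_index VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def strip_sql_comments(value: str) -> str:
    """Hypothetical blacklist filter in the spirit of the incomplete fix:
    it removes '--' comment markers and nothing else. Quotes and SQL
    keywords pass through unchanged."""
    return re.sub(r"--", "", value)


def search_filtered_concat(conn: sqlite3.Connection, term: str) -> list[int]:
    """Insecure pattern: filter, then build the query by concatenation.
    Syntax errors are swallowed (the 'catch syntax errors' half of the
    incomplete fix), but a well-formed comment-free input is executed as SQL."""
    safe_term = strip_sql_comments(term)
    sql = f"SELECT id FROM search_index WHERE title = '{safe_term}'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return []


def search_parameterized(conn: sqlite3.Connection, term: str) -> list[int]:
    """Hardened pattern: the term is bound as a parameter, so whatever it
    contains is compared as data and never parsed as part of the statement."""
    sql = "SELECT id FROM search_index WHERE title = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


if __name__ == "__main__":
    db = make_db()
    # A quote-bearing, comment-free input survives the filter unchanged.
    tautology = "' OR '1'='1"
    print("filter output:", strip_sql_comments(tautology))
    print("concat:", search_filtered_concat(db, tautology))      # all ids
    print("parameterized:", search_parameterized(db, tautology))  # no rows
```

The comparison to watch is the last two lines: the concatenated query matches every row because the input altered the `WHERE` clause, whereas the parameterized query matches nothing because no title literally equals that string. Detection-wise, the concatenation path leaves no syntax error to log, which is why query-log monitoring for unusual predicates (as recommended below) matters more than error counts.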

Affected Systems

The affected product is Pimcore, a data and experience management platform. Versions earlier than 12.3.1 and 11.5.14 are impacted, while the vulnerability is resolved in those released updates. The flaw is present in the admin interface’s search functionality and does not affect unauthenticated users.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity flaw, with a low but non-zero EPSS score of less than 1 percent. The issue is not listed in the CISA Known Exploited Vulnerabilities catalog, reflecting that no public exploits have been reported yet. The attack requires authenticated access to the admin UI, making the likelihood dependent on the security of admin accounts but otherwise straightforward once credentials are compromised.

Generated by OpenCVE AI on April 18, 2026 at 06:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pimcore to version 12.3.1 or 11.5.14 as soon as possible to apply the vendor patch.
  • Limit the deployment of administrator accounts to trusted individuals and require strong, unique passwords.
  • Restrict network access to the admin interface to trusted IP addresses and monitor database logs for abnormal query patterns.



Advisories
Source: GitHub GHSA
ID: GHSA-qvr7-7g55-69xj
Title: Pimcore Has an Incomplete Patch for CVE-2023-30848
History

Tue, 20 Jan 2026 22:00:00 +0000

CPEs (added): cpe:2.3:a:pimcore:pimcore:*:*:*:*:*:*:*:*

Thu, 15 Jan 2026 08:15:00 +0000

First Time appeared (added): Pimcore; Pimcore pimcore
Vendors & Products (added): Pimcore; Pimcore pimcore

Wed, 14 Jan 2026 22:15:00 +0000

Metrics (added): ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 14 Jan 2026 18:45:00 +0000

Description (added): Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, an incomplete SQL injection patch in the Admin Search Find API allows an authenticated attacker to perform blind SQL injection. Although CVE-2023-30848 attempted to mitigate SQL injection by removing SQL comments (--) and catching syntax errors, the fix is insufficient. Attackers can still inject SQL payloads that do not rely on comments and infer database information via blind techniques. This vulnerability affects the admin interface and can lead to database information disclosure. This vulnerability is fixed in 12.3.1 and 11.5.14.
Title (added): Pimcore has a Blind SQL Injection in Admin Search Find API due to an incomplete fix for CVE-2023-30848
Weaknesses (added): CWE-89
References
Metrics (added): cvssV3_1
{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-14T21:14:46.329Z

Reserved: 2026-01-13T15:47:41.629Z

Link: CVE-2026-23492

Vulnrichment

Updated: 2026-01-14T21:14:42.728Z

NVD

Status: Analyzed

Published: 2026-01-14T19:16:48.130

Modified: 2026-01-20T21:45:58.507

Link: CVE-2026-23492

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T06:30:25Z

Weaknesses