Description
An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend.

This issue affects pimcore: 12.3.3.
Published: 2026-04-27
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection enabling unauthorized backend SQL execution
Action: Immediate Patch
AI Analysis

Impact

An authenticated administrator who can import or save DataObject class definitions may embed attacker-controlled composite index metadata in a class definition; the Pimcore backend interpolates that metadata into SQL and executes it. An attacker who can do this can alter the queries the backend runs and read, modify, or delete data beyond what the interface was meant to allow. The weakness is classified as CWE-89 (SQL injection). The CVSS 4.0 vector rates the confidentiality impact high and the integrity and availability impacts low.

Affected Systems

Pimcore Platform version 12.3.3 is affected. The CPE entries cover Linux, macOS, and Windows deployments of that version; the defect is in the Pimcore application code, so the operating system does not change exposure.

Risk and Exploitability

The CVSS 4.0 base score of 7.0 is rated High. The EPSS probability is below 1% and the flaw is not listed in the CISA KEV catalog, so there is no evidence of exploitation in the wild; the SSVC assessment likewise records Exploitation: none and Automatable: no. Exploitation requires an authenticated administrator who can import or save DataObject class definitions (PR:H), reachable over the network (AV:N) with no user interaction (UI:N), so the realistic threat is a malicious or compromised administrator account rather than an unauthenticated attacker. Such an attacker can make the backend database execute attacker-influenced SQL, exposing stored data and permitting limited modification of it.

Generated by OpenCVE AI on April 28, 2026 at 12:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pimcore to a release that fixes the SQL injection in DataObject composite index handling as soon as the vendor publishes one; this page lists no fixed version yet, so check the GitHub advisory GHSA-c8g3-x47w-8q7p for patched releases
  • Limit the use of administrative credentials and enforce least privilege so that only trusted users can import or modify DataObject class definitions, and review definition files before importing them
  • Monitor application and database logs for abnormal DataObject class definition imports, SQL error messages, or DDL statements that do not correspond to a known class definition, any of which may indicate injection attempts
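The following is an added illustrative example, not Pimcore's code and not the vulnerable code path itself: it models the defect class described on this page (index and column names taken from an imported class definition are concatenated into DDL) beside a hardened builder that allow-lists every identifier, plus a small review check of the kind the monitoring recommendation above calls for. The JSON field names (`compositeIndices`, `index_key`, `index_type`, `index_columns`), the table-name prefix `object_query_`, and the sample definitions are constructed assumptions for illustration.

```python
"""Illustrative model of CVE-2026-5394's defect class.

NOT Pimcore's code. Field names, table names and the SQL shapes below are
assumptions chosen to show how composite index metadata from an imported
DataObject class definition can reach the SQL parser unchecked.
"""
import json
import re

# Constructed sample: a benign exported class definition as an admin might import it.
BENIGN_DEFINITION = json.dumps({
    "id": "product",
    "compositeIndices": [
        {"index_key": "sku_status", "index_type": "query",
         "index_columns": ["sku", "status"]},
    ],
})

# Constructed sample: the same definition with a SQL payload in a column name.
MALICIOUS_DEFINITION = json.dumps({
    "id": "product",
    "compositeIndices": [
        {"index_key": "sku_status", "index_type": "query",
         "index_columns": ["sku); DROP TABLE users; -- "]},
    ],
})

# Plain SQL identifier: letters, digits, underscore; MySQL's 64-char limit.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")
ALLOWED_INDEX_TYPES = {"query", "localized"}


def build_index_ddl_vulnerable(definition_json: str) -> list[str]:
    """The flaw pattern: metadata is interpolated straight into DDL text."""
    definition = json.loads(definition_json)
    table = f"object_query_{definition['id']}"
    statements = []
    for idx in definition.get("compositeIndices", []):
        cols = ", ".join(idx["index_columns"])
        statements.append(f"CREATE INDEX {idx['index_key']} ON {table} ({cols})")
    return statements


def quote_ident(name: str) -> str:
    """Reject anything that is not a bare identifier, then backtick-quote it."""
    if not IDENT_RE.match(name):
        raise ValueError(f"invalid SQL identifier: {name!r}")
    return f"`{name}`"


def build_index_ddl_hardened(definition_json: str, known_columns: set[str]) -> list[str]:
    """Hardened builder: every identifier must be syntactically clean, index
    columns must be fields the class actually defines, and index types come
    from a fixed set. Identifiers can never be bound as query parameters, so
    allow-listing plus quoting is the only sound defence for DDL."""
    definition = json.loads(definition_json)
    table = quote_ident(f"object_query_{definition['id']}")
    statements = []
    for idx in definition.get("compositeIndices", []):
        if idx.get("index_type") not in ALLOWED_INDEX_TYPES:
            raise ValueError(f"unsupported index type: {idx.get('index_type')!r}")
        cols = []
        for col in idx["index_columns"]:
            if col not in known_columns:
                raise ValueError(f"index references unknown column: {col!r}")
            cols.append(quote_ident(col))
        key = quote_ident(idx["index_key"])
        statements.append(f"CREATE INDEX {key} ON {table} ({', '.join(cols)})")
    return statements


def suspicious_index_metadata(definition_json: str) -> list[str]:
    """Review/monitoring check: return every index key or column name in an
    imported definition that is not a plain identifier. Empty means clean."""
    definition = json.loads(definition_json)
    flagged = []
    for idx in definition.get("compositeIndices", []):
        names = [idx.get("index_key", "")] + list(idx.get("index_columns", []))
        flagged.extend(name for name in names if not IDENT_RE.match(name))
    return flagged


if __name__ == "__main__":
    print(build_index_ddl_vulnerable(MALICIOUS_DEFINITION)[0])
    print(build_index_ddl_hardened(BENIGN_DEFINITION, {"sku", "status"})[0])
    print("flagged:", suspicious_index_metadata(MALICIOUS_DEFINITION))
```

Whether the stacked `DROP TABLE` in the sample payload actually runs depends on the database driver (many PHP MySQL configurations reject multi-statement queries), and a real attacker would shape the payload to the statement that is actually built; the point the example makes is that untrusted text reaches the SQL parser at all. Because identifiers cannot be parameterised, the fix has to be an allow-list against the class's own field names plus quoting, which is what the hardened builder does; the `suspicious_index_metadata` check is the same rule applied at review or log-monitoring time.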

Advisories
Source: GitHub GHSA
ID: GHSA-c8g3-x47w-8q7p
Title: Pimcore admin users can trigger SQL Injection
History

Tue, 05 May 2026 18:00:00 +0000

  References: changed

Tue, 28 Apr 2026 15:15:00 +0000

  Metrics (ssvc), added:
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 20:00:00 +0000

  Description, added: An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend. This issue affects pimcore: 12.3.3.
  Title, added: Pimcore Platform v12.3.3 - SQL Injection in DataObject composite index handling
  First Time appeared, added: Pimcore; Pimcore pimcore
  Weaknesses, added: CWE-89
  CPEs, added:
    cpe:2.3:a:pimcore:pimcore:12.3.3:*:linux:*:*:*:*:*
    cpe:2.3:a:pimcore:pimcore:12.3.3:*:macos:*:*:*:*:*
    cpe:2.3:a:pimcore:pimcore:12.3.3:*:windows:*:*:*:*:*
  Vendors & Products, added: Pimcore; Pimcore pimcore
  References: added
  Metrics (cvssV4_0), added:
  {'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published:

Updated: 2026-05-05T17:17:45.826Z

Reserved: 2026-04-01T23:34:42.722Z

Link: CVE-2026-5394

Vulnrichment

Updated: 2026-04-28T13:21:13.334Z

NVD

Status : Deferred

Published: 2026-04-27T20:16:28.450

Modified: 2026-05-05T18:16:03.470

Link: CVE-2026-5394

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T13:00:15Z

Weaknesses