CVE-2026-27461

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-27461

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27461.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-27461

Aliases

GHSA-vxg3-v4p6-f3fp

Published

2026-02-24T02:50:48.287Z

Modified

2026-03-03T02:56:31.179186Z

Severity

6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Pimcore vulnerable to SQL injection via unsanitized filter value in Dependency Dao RLIKE clause

Details

Pimcore is an Open Source Data & Experience Management Platform. In versions up to and including 11.5.14.1 and 12.3.2, the filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameterized queries. Exploiting this issue requires admin authentication. An attacker with admin panel access can extract the full database including password hashes of other admin users. Version 12.3.3 contains a patch.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27461.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-89"
    ]
}

References

Affected packages

Git / github.com/pimcore/pimcore

Affected ranges

Type

GIT

Repo

https://github.com/pimcore/pimcore

Events

Introduced

Last affected

2ee6fb538712ebca80b783f8c10c9641d6425172

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "11.5.14.1"
        }
    ]
}

Type

GIT

Repo

https://github.com/pimcore/pimcore

Events

Introduced

df14e025d3db615fc75b190e3c9f3cc1d68d7304

Fixed

1c3925fbec4895abeb21e5c244a83679c4e4a6f4

Database specific

{
    "versions": [
        {
            "introduced": "12.0.0"
        },
        {
            "fixed": "12.3.3"
        }
    ]
}

Affected versions

2.*

2.2.0

2.2.1

2.2.2

2.3.0

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.1.0

3.1.1

4.*

4.0.0

4.0.1

4.1.0

4.1.1

4.1.2

4.1.3

4.2.0

4.3.0

4.3.1

4.4.0

4.4.1

4.4.2

4.4.3

4.5.0

v10.*

v10.0.0

v10.0.0-BETA1

v10.0.0-BETA2

v10.0.0-BETA3

v10.0.0-BETA4

v10.0.1

v10.0.2

v10.0.3

v10.0.4

v10.0.5

v10.0.6

v10.0.7

v10.0.8

v10.0.9

v10.1.0

v10.1.1

v10.1.2

v10.1.3

v10.1.4

v10.1.5

v10.2.0

v10.2.1

v10.2.10

v10.2.2

v10.2.3

v10.2.4

v10.2.5

v10.2.6

v10.2.7

v10.2.8

v10.2.9

v10.3.0

v10.3.1

v10.3.2

v10.3.3

v10.3.4

v10.3.5

v10.3.6

v10.4.0

v10.4.1

v10.4.2

v10.4.3

v10.4.4

v10.4.5

v10.4.6

v10.5.0

v10.5.1

v10.5.10

v10.5.11

v10.5.12

v10.5.13

v10.5.14

v10.5.15

v10.5.16

v10.5.17

v10.5.18

v10.5.19

v10.5.2

v10.5.20

v10.5.21

v10.5.22

v10.5.23

v10.5.24

v10.5.25

v10.5.3

v10.5.4

v10.5.5

v10.5.6

v10.5.7

v10.5.8

v10.5.9

v10.6.0

v10.6.1

v10.6.2

v10.6.3

v10.6.4

v10.6.5

v10.6.6

v10.6.7

v10.6.8

v10.6.9

v11.*

v11.0.0

v11.0.0-ALPHA1

v11.0.0-ALPHA2

v11.0.0-ALPHA3

v11.0.0-ALPHA4

v11.0.0-ALPHA5

v11.0.0-ALPHA6

v11.0.0-ALPHA7

v11.0.0-ALPHA8

v11.0.0-BETA1

v11.0.0-RC1

v11.0.0-RC2

v11.0.1

v11.0.10

v11.0.11

v11.0.12

v11.0.2

v11.0.3

v11.0.4

v11.0.5

v11.0.6

v11.0.7

v11.0.8

v11.0.9

v11.1.0

v11.1.0-RC1

v11.1.1

v11.1.2

v11.1.3

v11.1.4

v11.1.5

v11.1.6

v11.2.0

v11.2.1

v11.2.2

v11.2.3

v11.2.4

v11.2.5

v11.2.6

v11.2.7

v11.3.0

v11.3.0-RC1

v11.3.0-RC2

v11.3.1

v11.3.2

v11.3.3

v11.4.0

v11.4.0-RC1

v11.4.1

v11.4.2

v11.4.3

v11.4.4

v11.5.0

v11.5.0-RC1

v11.5.0-RC2

v11.5.1

v11.5.10

v11.5.11

v11.5.12

v11.5.13

v11.5.14

v11.5.14.1

v11.5.2

v11.5.3

v11.5.4

v11.5.5

v11.5.6

v11.5.7

v11.5.8

v11.5.9

v12.*

v12.0.0

v12.0.1

v12.0.2

v12.0.3

v12.0.4

v12.1.0

v12.1.1

v12.1.2

v12.1.3

v12.1.4

v12.1.5

v12.2.0

v12.2.1

v12.2.2

v12.2.3

v12.2.4

v12.3.0

v12.3.1

v12.3.1.1

v12.3.2

v5.*

v5.0.0

v5.0.0-RC

v5.0.1

v5.0.2

v5.0.3

v5.0.4

v5.1.0

v5.1.0-alpha

v5.1.1

v5.1.2

v5.1.3

v5.2.0

v5.2.3

v5.3.0

v5.3.1

v5.4.0

v5.4.1

v5.4.2

v5.4.3

v5.4.4

v5.5.0

v5.5.1

v5.5.2

v5.5.3

v5.5.4

v5.6.0

v5.6.1

v5.6.2

v5.6.3

v5.6.4

v5.6.5

v5.6.6

v5.7.0

v5.7.1

v5.7.2

v5.7.3

v5.8.0

v5.8.1

v5.8.2

v5.8.3

v6.*

v6.0.0

v6.0.1

v6.0.2

v6.0.3

v6.0.4

v6.0.5

v6.1.0

v6.1.1

v6.1.2

v6.2.0

v6.2.1

v6.2.2

v6.2.3

v6.3.0

v6.3.1

v6.3.2

v6.3.3

v6.3.4

v6.3.5

v6.3.6

v6.4.0

v6.4.1

v6.4.2

v6.5.0

v6.5.1

v6.5.2

v6.5.3

v6.6.0

v6.6.1

v6.6.10

v6.6.11

v6.6.2

v6.6.3

v6.6.4

v6.6.5

v6.6.6

v6.6.7

v6.6.8

v6.6.9

v6.7.0

v6.7.1

v6.7.2

v6.7.3

v6.8.0

v6.8.1

v6.8.10

v6.8.11

v6.8.12

v6.8.2

v6.8.3

v6.8.4

v6.8.5

v6.8.6

v6.8.7

v6.8.8

v6.8.9

v6.9.0

v6.9.1

v6.9.2

v6.9.3

v6.9.4

v6.9.5

v6.9.6

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27461.json"