CVE-2026-55208

Source
https://cve.org/CVERecord?id=CVE-2026-55208
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55208.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-55208
Aliases
  • GHSA-79cw-hfcc-7mw9
Published
2026-07-09T20:57:53.346Z
Modified
2026-07-15T01:49:07.347853045Z
Severity
  • 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
Summary
Pimcore: SQL Injection via Column Name in DateFilter allows authenticated user to extract arbitrary database data including admin password hashes
Details

Pimcore Studio Backend Bundle is the backend bundle for Pimcore Studio. Prior to 2025.4.6 and 2026.1.6, an authenticated user can extract the admin password hash and other database content through time-based blind SQL injection in the DateFilter column key parameter. The POST /pimcore-studio/api/website-settings endpoint and other listing endpoints accept a columnFilters array where the key field is interpolated directly into SQL with manual backtick wrapping, allowing a backtick character to break out of quoting and append arbitrary SQL such as SLEEP() and IF() subqueries. This issue is fixed in versions 2025.4.6 and 2026.1.6.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-89"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55208.json"
}
References

Affected packages

Git / github.com/pimcore/pimcore

Affected ranges

Type
GIT
Repo
https://github.com/pimcore/pimcore
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "2026.1.0"
        },
        {
            "fixed": "2026.1.6"
        }
    ]
}
Type
GIT
Repo
https://github.com/pimcore/studio-backend-bundle
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2025.4.6"
        }
    ]
}

Affected versions

v0.*
v0.10.21
v0.12.18
v0.12.9
v0.13.20
v0.14.19
v0.15.17
v0.4.30
v0.5.20
v0.6.30
v0.9.30
v2025.*
v2025.4.0
v2025.4.1
v2025.4.2
v2025.4.3
v2025.4.4
v2025.4.5
v2026.*
v2026.1.0
v2026.1.1
v2026.1.2
v2026.1.3
v2026.1.4
v2026.1.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55208.json"