Main Vulnerability Database SB2026061537

SB2026061537 - SQL injection in Pimcore

Published: June 15, 2026

Security Bulletin ID SB2026061537

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) SQL injection (CVE-ID: N/A)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to SQL injection in Block.php when loading a data object of a class with a crafted UID. A remote user can create a class definition with a malicious UID and trigger object loading to disclose sensitive information.

Exploitation requires the objects permission and access to the vulnerable class definition creation endpoint.

Remediation

Install update from vendor's website.

SB2026061537 - SQL injection in Pimcore

Breakdown by Severity

Description

Remediation

References

Please verify you're human