SQL injection in Pimcore - #VU134523


Published: June 15, 2026


Vulnerability identifier: #VU134523
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Pimcore
Affected software:
Pimcore

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to SQL injection in Block.php when loading a data object of a class with a crafted UID. A remote user can create a class definition with a malicious UID and trigger object loading to disclose sensitive information.

Exploitation requires the objects permission and access to the vulnerable class definition creation endpoint.
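The following is an added illustration, not Pimcore code and not a reproduction of the affected Block.php: it assumes, hypothetically, that a class UID from a class definition is concatenated into the table name used when an object is loaded, and shows that unchecked pattern beside a hardened loader that allowlists the identifier and binds the object id as a parameter. Table names, the `secrets` fixture and the `UnsafeUidException` class are constructed for the demo; it runs against an in-memory SQLite database via PDO.

```php
<?php
declare(strict_types=1);

// Added example, not from Pimcore. The "object_data_<uid>" table layout and
// the loaders below are assumptions made only to illustrate the weakness
// class (CWE-89) named in the advisory.

final class UnsafeUidException extends RuntimeException {}

/**
 * Allowlist check for identifier-like UIDs. Only letters, digits and
 * underscore are accepted, so quotes, comments and whitespace can never
 * reach the SQL text even though the value ends up inside an identifier.
 */
function assertSafeUid(string $uid): string
{
    if (preg_match('/^[A-Za-z0-9_]{1,64}$/', $uid) !== 1) {
        throw new UnsafeUidException('Rejected class UID (hex): ' . bin2hex($uid));
    }
    return $uid;
}

// VULNERABLE pattern (hypothetical): UID interpolated unchecked into the SQL.
function loadObjectUnsafe(PDO $db, string $classUid, int $objectId): ?array
{
    $sql = "SELECT data FROM object_data_{$classUid} WHERE oo_id = {$objectId}";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED pattern: identifier allowlisted, then quoted; value bound as a parameter.
function loadObjectSafe(PDO $db, string $classUid, int $objectId): ?array
{
    $table = 'object_data_' . assertSafeUid($classUid);
    $stmt  = $db->prepare("SELECT data FROM \"{$table}\" WHERE oo_id = :id");
    $stmt->bindValue(':id', $objectId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory fixture so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE object_data_demo (oo_id INTEGER PRIMARY KEY, data TEXT)');
$db->exec('CREATE TABLE secrets (oo_id INTEGER PRIMARY KEY, data TEXT)');
$db->exec("INSERT INTO object_data_demo VALUES (1, 'public record')");
$db->exec("INSERT INTO secrets VALUES (1, 'constructed secret value')");

// A UID that is not an identifier: the unsafe loader lets it rewrite the query,
// the hardened loader rejects it before any SQL is built.
$craftedUid = 'demo WHERE 0 UNION SELECT data FROM secrets --';

echo "unsafe loader: ";
print_r(loadObjectUnsafe($db, $craftedUid, 1));   // reads from the wrong table

try {
    loadObjectSafe($db, $craftedUid, 1);
} catch (UnsafeUidException $e) {
    echo "hardened loader: " . $e->getMessage() . PHP_EOL;
}

echo "hardened loader, valid UID: ";
print_r(loadObjectSafe($db, 'demo', 1));          // the intended row only
```

The point of the split is that parameter binding alone cannot protect a table or column name, so any identifier derived from user-controllable data (such as a class UID created through a definition endpoint) needs an allowlist or a mapping to a server-side value before it is placed into SQL. The script requires the pdo_sqlite extension; for the actual product the remediation remains the vendor's security update.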


Remediation

Install the security update from the vendor's website.

Sources