SQL injection in Pimcore Studio Backend bundle - CVE-2026-55208

Published: June 29, 2026


Vulnerability identifier: #VU135785
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-55208
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Pimcore
Affected software:
Pimcore Studio Backend bundle

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information from the database.

The vulnerability exists due to SQL injection in the DateFilter column key parameter in listing filters and the Note FilterService when handling crafted columnFilters input in affected listing endpoints. A remote user can send a specially crafted request with a malicious column key to disclose sensitive information from the database.

The issue is exploitable through time-based blind SQL injection and can be used to extract data such as admin password hashes, password recovery tokens, session data, and other database content one character at a time.
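The root cause described above is a column identifier that reaches the SQL text unbound. Identifiers cannot be passed as prepared-statement parameters, so the defensive fix is an allowlist check before the query is assembled. The following Python example is added here to illustrate that pattern and is not Pimcore's code: it uses a constructed `notes` table in SQLite, a deliberately vulnerable filter builder beside a hardened one, and a small detector that flags non-identifier column keys in constructed request-log lines. All table, column, path and log formats are assumptions for the example.

```python
import re
import sqlite3

# Constructed sample schema for the example; not Pimcore's real tables.
SCHEMA = """
CREATE TABLE notes (id INTEGER PRIMARY KEY, title TEXT, type TEXT, created INTEGER);
INSERT INTO notes VALUES (1, 'alpha', 'info', 1700000000);
INSERT INTO notes VALUES (2, 'beta',  'warn', 1700086400);
"""

# A column key in a filter should be a plain SQL identifier and nothing else.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
ALLOWED_OPS = {"=", "<>", "<", ">", "<=", ">="}


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_filter_unsafe(column_key, op, value):
    """Vulnerable pattern (CWE-89): the column key taken from the request is
    spliced into the SQL text verbatim. Only the comparison value is bound,
    so the identifier position is fully caller-controlled."""
    return f"SELECT id FROM notes WHERE {column_key} {op} ?", (value,)


def allowed_columns(conn, table):
    """Allowlist derived from the live schema via PRAGMA table_info, so it
    cannot drift away from the real table definition."""
    return {row[1] for row in conn.execute(f"PRAGMA table_info({table})")}


def validate_filter_key(conn, column_key, op):
    """Return None if the key/operator pair is acceptable, else a reason.
    Exact membership in the schema-derived allowlist is the real check; the
    identifier regex is only a cheap first gate."""
    if not IDENTIFIER_RE.match(column_key):
        return f"column key is not an identifier: {column_key!r}"
    if column_key not in allowed_columns(conn, "notes"):
        return f"unknown filter column: {column_key!r}"
    if op not in ALLOWED_OPS:
        return f"unsupported operator: {op!r}"
    return None


def build_filter_safe(conn, column_key, op, value):
    """Hardened form: reject anything not on the allowlist before any SQL
    text is assembled; quote the (now trusted) identifier and bind the value."""
    reason = validate_filter_key(conn, column_key, op)
    if reason is not None:
        raise ValueError(reason)
    return f'SELECT id FROM notes WHERE "{column_key}" {op} ?', (value,)


def run_filter(conn, sql, params):
    return [row[0] for row in conn.execute(sql, params)]


def filter_notes_unsafe(conn, column_key, op, value):
    return run_filter(conn, *build_filter_unsafe(column_key, op, value))


def filter_notes_safe(conn, column_key, op, value):
    return run_filter(conn, *build_filter_safe(conn, column_key, op, value))


# Constructed request-log lines (format and path are assumptions).
SAMPLE_LOG = [
    "POST /api/listing columnFilters[type]=warn 200",
    "POST /api/listing columnFilters[created]=1700000000 200",
    "POST /api/listing columnFilters[1]=1 200",
]


def suspicious_column_keys(log_lines):
    """Detection helper: flag requests whose columnFilters key is not a plain
    identifier, which is what a crafted column key looks like in the access log."""
    flagged = []
    for line in log_lines:
        m = re.search(r"columnFilters\[(.+?)\]=", line)
        if m and not IDENTIFIER_RE.match(m.group(1)):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    db = open_sample_db()
    # Legitimate filter works through the hardened builder.
    print(filter_notes_safe(db, "type", "=", "warn"))
    # With the unsafe builder a key of "1" turns the WHERE clause into
    # "1 = 1" and the filter silently matches every row.
    print(filter_notes_unsafe(db, "1", "=", 1))
    # The hardened builder refuses the same key.
    print(validate_filter_key(db, "1", "="))
    print(suspicious_column_keys(SAMPLE_LOG))
```

The key of `"1"` in the demonstration is deliberately bland: it shows that the unsafe builder lets the caller replace the column reference entirely, which is the property a blind injection builds on, without needing anything beyond what the advisory already states. The allowlist is read from the schema rather than hard-coded so that a new column added to the table is covered automatically, and the value is still bound as a parameter in both builders to make clear that parameter binding alone does not fix an identifier-position injection.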


How to mitigate CVE-2026-55208

Install the security update from the vendor's website.

Sources