SQL injection in Pimcore Studio Backend bundle - CVE-2026-55208
Published: June 29, 2026
Pimcore Studio Backend bundle
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information from the database.
The vulnerability exists due to SQL injection in the DateFilter column key parameter in listing filters and the Note FilterService when handling crafted columnFilters input in affected listing endpoints. A remote user can send a specially crafted request with a malicious column key to disclose sensitive information from the database.
The issue is exploitable through time-based blind SQL injection and can be used to extract data such as admin password hashes, password recovery tokens, session data, and other database content one character at a time.
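The class of bug described above arises when a request-supplied column key reaches the SQL text as an identifier, which parameter binding cannot protect. The following added example (not Pimcore's code or its fix) shows the usual mitigation: resolve the key through a fixed allowlist and bind only the values. The filter shape, the column names, the `notes` table and all function names are assumptions made for illustration, with SQLite standing in for the real database.

```python
import sqlite3

# Assumed mapping from API-facing column keys to real column names.
# Only identifiers listed here can ever appear in the SQL text.
ALLOWED_DATE_COLUMNS = {
    "creationDate": "creation_date",
    "modificationDate": "modification_date",
}


class InvalidColumnKey(ValueError):
    """Raised when a filter names a column that is not on the allowlist."""


def build_date_filter(column_filters):
    """Return (where_sql, params) for a list of date-range filters.

    The column name is looked up in the allowlist and never copied from the
    request; the date bounds are passed as bound parameters.
    """
    clauses, params = [], []
    for f in column_filters:
        key = f.get("key")
        if not isinstance(key, str) or key not in ALLOWED_DATE_COLUMNS:
            raise InvalidColumnKey(f"unsupported column key: {key!r}")
        column = ALLOWED_DATE_COLUMNS[key]
        clauses.append(f'"{column}" BETWEEN ? AND ?')
        params += [f["from"], f["to"]]
    return " AND ".join(clauses) or "1=1", params


def list_notes(conn, column_filters):
    """Run the listing query with the validated filter applied."""
    where_sql, params = build_date_filter(column_filters)
    rows = conn.execute(f"SELECT id FROM notes WHERE {where_sql} ORDER BY id", params)
    return [r[0] for r in rows]


def demo_db():
    """Build an in-memory database holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE notes (id INTEGER PRIMARY KEY, creation_date TEXT, modification_date TEXT)"
    )
    conn.executemany("INSERT INTO notes VALUES (?, ?, ?)", [
        (1, "2026-01-10", "2026-02-01"),
        (2, "2026-03-05", "2026-03-06"),
        (3, "2026-06-20", "2026-06-21"),
    ])
    return conn
```

Rejecting unknown keys outright, rather than trying to escape them, also gives a clean signal to log: a request whose column key is not on the allowlist has no legitimate origin in the UI.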