Pimcore SQLi: When a 'Fix' is Just a Band-Aid
Jan 15, 2026 · 6 min read
Executive Summary (TL;DR)
Pimcore tried to fix an SQL injection in 2023 by deleting double dashes (`--`) and hiding error messages. It didn't work. CVE-2026-23492 is the result: a high-severity Blind SQL Injection in the Admin Search Find API that allows attackers to exfiltrate the entire database using time-based payloads. If you run Pimcore < 11.5.14 or < 12.3.1, patch immediately.
CVE-2026-23492 is a critical Blind SQL Injection vulnerability in Pimcore's Admin Search API, caused by a failed attempt to patch a previous vulnerability (CVE-2023-30848). Developers relied on a blacklist approach (stripping SQL comments) together with error suppression, leaving the core injection flaw wide open to authenticated attackers.
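As an added illustration (not Pimcore's code; the table, rows and search functions are constructed for this example), the Python/sqlite3 snippet below places a comment-stripping blacklist in front of a concatenated query and contrasts it with a parameterized query: the filter neither stops a quote-breaking term nor preserves legitimate input that happens to contain `--`.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a search index table (not Pimcore's schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE search_backend_data (id INTEGER, fullpath TEXT, data TEXT)")
    db.executemany(
        "INSERT INTO search_backend_data VALUES (?, ?, ?)",
        [
            (1, "/public/page", "hello"),
            (2, "/admin/secret", "token"),
            (3, "/docs/dash", "a--b"),  # legitimate value containing '--'
        ],
    )
    return db


def strip_comments(value: str) -> str:
    """Band-aid of the kind the 2023 fix relied on: delete '--' sequences."""
    return value.replace("--", "")


def search_blacklist(db: sqlite3.Connection, term: str) -> list:
    """Query built by string concatenation after the blacklist filter.

    The filter removes one comment token but the term is still spliced into
    the SQL text, so a quote in the term still changes the query structure.
    """
    sql = f"SELECT fullpath FROM search_backend_data WHERE data = '{strip_comments(term)}'"
    return [row[0] for row in db.execute(sql)]


def search_parameterized(db: sqlite3.Connection, term: str) -> list:
    """Actual fix: bind the value as a parameter; it can never become SQL syntax."""
    sql = "SELECT fullpath FROM search_backend_data WHERE data = ?"
    return [row[0] for row in db.execute(sql, (term,))]
```

Note that the blacklist version also mangles the legitimate search term `a--b` into `ab` and finds nothing, while the parameterized version returns the matching row.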
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Pimcore Pimcore | < 11.5.14 | 11.5.14 |
| Pimcore Pimcore | >= 12.0.0-RC1, < 12.3.1 | 12.3.1 |
| Attribute | Detail |
|---|---|
| CWE | CWE-89 (SQL Injection) |
| CVSS v3.1 | 8.8 (High) |
| Attack Vector | Network (Authenticated) |
| Vulnerability Type | Blind SQL Injection (Boolean/Time-based) |
| Previous Fail | Incomplete fix for CVE-2023-30848 |
| Status | Patched |
MITRE ATT&CK Mapping
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.