Advisory severity: high

Pimcore Admin Classic Bundle SQL Injection Vulnerability in Translation Grid Date Filter

The Pimcore admin-ui-classic-bundle is vulnerable to SQL injection via the translation grid date filter; the user-supplied `property` field from the filter JSON is interpolated directly into a SQL expression without proper sanitization or validation, potentially leading to arbitrary database data extraction and remote code execution when chained with other vulnerabilities.

The pimcore/admin-ui-classic-bundle version 2.3.5 and earlier contains an SQL injection vulnerability within the translation grid’s date filter functionality. This flaw arises because the `property` parameter, supplied by a user through a JSON filter, is incorporated directly into a SQL expression without sufficient sanitization or validation. Specifically, the `str_replace('--', '')` sanitization applied is easily bypassed, allowing malicious SQL code to be injected. Successful exploitation allows an authenticated user with the necessary permissions to extract sensitive information from the database. Furthermore, when combined with another vulnerability (GM-249, an unsafe unserialize), it can lead to remote code execution.

Attack Chain

  1. An attacker authenticates to the Pimcore application with translation view permissions.
  2. The attacker crafts a malicious POST request to `/admin/translation/translations` with a JSON payload containing a `date` type filter.
  3. The `property` field in the filter is manipulated to contain SQL injection payloads, such as `1))) UNION SELECT password FROM users WHERE ((1`.
  4. The application’s `src/Controller/Admin/TranslationController.php` processes the request, extracting the malicious `property` value at line 565.
  5. The inadequate sanitization `str_replace('--', '', $fieldname)` at line 569 is bypassed using techniques like comment injection (`/**/`) or redundant dashes (`----`).
  6. At line 593, the unsanitized `$fieldname` is interpolated into a SQL expression: `UNIX_TIMESTAMP(DATE(FROM_UNIXTIME({$fieldname})))`.
  7. The application executes the crafted SQL query against the database.
  8. The attacker receives the results of the SQL injection, potentially including sensitive data. Chaining with GM-249 allows for RCE.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-44741) can lead to unauthorized data extraction from the Pimcore database by an attacker with translation view permissions. The combination of this SQL injection with the GM-249 unsafe unserialize vulnerability can lead to full remote code execution. The vulnerability affects pimcore/admin-ui-classic-bundle version 2.3.5 and earlier.

Recommendation

  • Apply the vendor-supplied patch or upgrade to a version of pimcore/admin-ui-classic-bundle greater than 2.3.5 to remediate CVE-2026-44741.
  • Implement input validation on the `property` field in the translation grid date filter to only allow expected column names, as suggested in the provided fix (see “Suggested Fix” section in content).
  • Deploy the Sigma rule “Detect CVE-2026-44741 Exploitation Attempt — Pimcore Translation Grid SQL Injection” to detect potential exploitation attempts (see “rules” section).
  • Monitor web server logs for POST requests to `/admin/translation/translations` with suspicious characters or SQL syntax in the `filter` parameter.
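The following is an added example, not code from the advisory or from the Pimcore project (whose controller is PHP). It models in Python the two checks the advisory contrasts: the `str_replace('--', '')` pass the attack chain calls inadequate, and the exact-match allowlist the Recommendation asks for. The column names in `ALLOWED_DATE_COLUMNS` and the shape of the filter payload (a JSON list of objects with `type` and `property`) are assumptions for the example; the real allowed set is whatever the project's suggested fix enumerates.

```python
import json

# Allowlist of column names the translation grid's date filter may reference.
# These two names are ASSUMED for the example; substitute the project's real set.
ALLOWED_DATE_COLUMNS = frozenset({"creationDate", "modificationDate"})


def weak_sanitize(fieldname: str) -> str:
    """Model of the check the advisory calls inadequate: delete '--' sequences.

    Like PHP's str_replace this is a single, non-overlapping pass. It leaves a
    payload that never contains '--' completely untouched, which is why it fails.
    """
    return fieldname.replace("--", "")


def is_allowed_column(fieldname: str) -> bool:
    """Exact-match allowlist: the only safe validation for an identifier that is
    about to be interpolated into SQL text (no escaping scheme applies to it)."""
    return fieldname in ALLOWED_DATE_COLUMNS


def build_date_expression(fieldname: str) -> str:
    """Return the SQL expression quoted in the advisory for an allowlisted column,
    or raise ValueError so the request is rejected before any query is built."""
    if not is_allowed_column(fieldname):
        raise ValueError(f"unexpected date filter property: {fieldname!r}")
    return f"UNIX_TIMESTAMP(DATE(FROM_UNIXTIME({fieldname})))"


def date_filter_expressions(filter_json: str) -> list:
    """Parse a grid filter payload (assumed shape: JSON list of filter objects)
    and return one SQL expression per date-type filter. Any date filter whose
    property is not allowlisted aborts the whole request."""
    filters = json.loads(filter_json)
    if not isinstance(filters, list):
        raise ValueError("filter payload must be a JSON list")
    expressions = []
    for f in filters:
        if not isinstance(f, dict) or f.get("type") != "date":
            continue  # non-date filters are outside this advisory's scope
        expressions.append(build_date_expression(str(f.get("property", ""))))
    return expressions


def rejects_payload(filter_json: str) -> bool:
    """True if the allowlist validation refuses the payload."""
    try:
        date_filter_expressions(filter_json)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    benign = '[{"type":"date","property":"creationDate","value":1700000000}]'
    print(date_filter_expressions(benign))
    hostile = '[{"type":"date","property":"1))) UNION SELECT password FROM users WHERE ((1"}]'
    print("rejected:", rejects_payload(hostile))
```

The point the code makes is that the advisory's sample payload contains no `--` at all, so the original sanitizer returns it verbatim, whereas the allowlist rejects anything that is not literally one of the known column names; validating the identifier is the fix, not filtering characters out of it.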

Detection coverage (2 rules)

Detect CVE-2026-44741 Exploitation Attempt — Pimcore Translation Grid SQL Injection

high

Detects CVE-2026-44741 exploitation attempts — HTTP POST requests to /admin/translation/translations with SQL injection attempts in the filter parameter.

Format: Sigma · Tactics: initial_access · Techniques: T1190 · Sources: webserver

Detect CVE-2026-44741 Exploitation Attempt — Pimcore Translation Grid SQL Injection (Comment Bypass)

medium

Detects CVE-2026-44741 exploitation attempts — HTTP POST requests to /admin/translation/translations with SQL injection attempts in the filter parameter using comment bypass techniques.

Format: Sigma · Tactics: initial_access · Techniques: T1190 · Sources: webserver
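As an added example (not the platform's Sigma rules and not code from the advisory), the following Python detector applies the logic the two rule descriptions state to constructed web-server log records: POST requests to `/admin/translation/translations` whose `filter` parameter carries SQL syntax (the high rule) or comment sequences (the medium rule). It assumes a JSON-per-line log in which the server records the form-encoded POST body as `body`, that the grid filter arrives as a `filter` field holding a JSON list, and the same assumed allowlist of column names; the sample records are constructed here from the payload and bypass technique quoted in the advisory, not from real traffic.

```python
import json
import re
from urllib.parse import parse_qs, urlencode

TARGET_PATH = "/admin/translation/translations"
ALLOWED_DATE_COLUMNS = frozenset({"creationDate", "modificationDate"})  # ASSUMED allowlist

# Patterns approximating the two rule descriptions: SQL syntax in a filter
# property (the "high" rule) and comment-based bypass sequences (the "medium" rule).
SQL_SYNTAX = re.compile(r"\b(UNION|SELECT|FROM|WHERE)\b|[()';]", re.IGNORECASE)
COMMENT_BYPASS = re.compile(r"/\*.*?\*/|--")


def make_log_line(method: str, uri: str, filters=None) -> str:
    """Build one CONSTRUCTED JSON log record. Assumes the server logs the
    form-encoded POST body under "body" with the grid filter in a "filter" field."""
    body = urlencode({"filter": json.dumps(filters)}) if filters is not None else ""
    return json.dumps({"method": method, "uri": uri, "body": body})


HOSTILE = "1))) UNION SELECT password FROM users WHERE ((1"  # payload quoted in the advisory
HOSTILE_COMMENTED = HOSTILE.replace(" ", "/**/")             # the advisory's /**/ bypass variant

SAMPLE_LOGS = [  # constructed sample records, not real traffic
    make_log_line("GET", TARGET_PATH),
    make_log_line("POST", TARGET_PATH, [{"type": "date", "property": "creationDate"}]),
    make_log_line("POST", TARGET_PATH, [{"type": "date", "property": HOSTILE}]),
    make_log_line("POST", TARGET_PATH, [{"type": "date", "property": HOSTILE_COMMENTED}]),
    make_log_line("POST", "/admin/login", [{"type": "date", "property": HOSTILE}]),
]


def filter_properties(body: str) -> list:
    """Extract the 'property' of every date-type filter in the POST body.
    An unparsable filter value is returned raw so it is still inspected."""
    props = []
    for raw in parse_qs(body).get("filter", []):
        try:
            filters = json.loads(raw)
        except json.JSONDecodeError:
            props.append(raw)
            continue
        if not isinstance(filters, list):
            filters = [filters]
        for f in filters:
            if isinstance(f, dict) and f.get("type") == "date":
                props.append(str(f.get("property", "")))
    return props


def classify(line: str) -> set:
    """Return the set of rule names a log record matches (empty if benign)."""
    rec = json.loads(line)
    if rec.get("method") != "POST" or not rec.get("uri", "").startswith(TARGET_PATH):
        return set()
    hits = set()
    for prop in filter_properties(rec.get("body", "")):
        if prop in ALLOWED_DATE_COLUMNS:
            continue  # a legitimate column name never triggers either rule
        if SQL_SYNTAX.search(prop):
            hits.add("sqli")
        if COMMENT_BYPASS.search(prop):
            hits.add("comment_bypass")
    return hits


def scan(lines) -> list:
    """(1-based line number, matched rules) for every record that matches a rule."""
    flagged = []
    for number, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            flagged.append((number, hits))
    return flagged


if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOGS):
        print(f"line {number}: {sorted(hits)}")
```

Matching on the decoded `property` values rather than on the raw log line is what keeps the comment-bypass rule useful: URL encoding and JSON escaping would otherwise hide `/**/` and `--` from a plain substring search. A GET to the same path, a benign date filter, and the same payload sent to an unrelated path all stay unflagged, which is the false-positive behaviour you want before deploying such a rule against real access logs.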
