{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/pimcore/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:pimcore:pimcore:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":4.9,"id":"CVE-2026-27461"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["admin-ui-classic-bundle (\u003c= 2.3.5)"],"_cs_severities":["high"],"_cs_tags":["sql-injection","pimcore","cve-2026-44741","web-application"],"_cs_type":"advisory","_cs_vendors":["Pimcore"],"content_html":"\u003cp\u003eThe \u003ccode\u003epimcore/admin-ui-classic-bundle\u003c/code\u003e version 2.3.5 and earlier contains an SQL injection vulnerability within the translation grid\u0026rsquo;s date filter functionality. This flaw arises because the \u003ccode\u003eproperty\u003c/code\u003e parameter, supplied by a user through a JSON filter, is incorporated directly into a SQL expression without sufficient sanitization or validation. Specifically, the \u003ccode\u003estr_replace('--', '')\u003c/code\u003e sanitization applied is easily bypassed, allowing malicious SQL code to be injected. Successful exploitation allows an authenticated user with the necessary permissions to extract sensitive information from the database. Furthermore, when combined with another vulnerability (GM-249, an unsafe unserialize), it can lead to remote code execution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Pimcore application with translation view permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious POST request to \u003ccode\u003e/admin/translation/translations\u003c/code\u003e with a JSON payload containing a \u003ccode\u003edate\u003c/code\u003e type filter.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eproperty\u003c/code\u003e field in the filter is manipulated to contain SQL injection payloads, such as \u003ccode\u003e1))) UNION SELECT password FROM users WHERE ((1\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application\u0026rsquo;s \u003ccode\u003esrc/Controller/Admin/TranslationController.php\u003c/code\u003e processes the request, extracting the malicious \u003ccode\u003eproperty\u003c/code\u003e value at line 565.\u003c/li\u003e\n\u003cli\u003eThe inadequate sanitization \u003ccode\u003estr_replace('--', '', $fieldname)\u003c/code\u003e at line 569 is bypassed using techniques like comment injection (\u003ccode\u003e/**/\u003c/code\u003e) or redundant dashes (\u003ccode\u003e----\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAt line 593, the unsanitized \u003ccode\u003e$fieldname\u003c/code\u003e is interpolated into a SQL expression: \u003ccode\u003eUNIX_TIMESTAMP(DATE(FROM_UNIXTIME({$fieldname})))\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application executes the crafted SQL query against the database.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the results of the SQL injection, potentially including sensitive data. Chaining with GM-249 allows for RCE.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2026-44741) can lead to unauthorized data extraction from the Pimcore database by an attacker with translation view permissions. The combination of this SQL injection with the GM-249 unsafe unserialize vulnerability can lead to full remote code execution. The vulnerability affects \u003ccode\u003epimcore/admin-ui-classic-bundle\u003c/code\u003e version 2.3.5 and earlier.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-supplied patch or upgrade to a version of \u003ccode\u003epimcore/admin-ui-classic-bundle\u003c/code\u003e greater than 2.3.5 to remediate CVE-2026-44741.\u003c/li\u003e\n\u003cli\u003eImplement input validation on the \u003ccode\u003eproperty\u003c/code\u003e field in the translation grid date filter to only allow expected column names, as suggested in the provided fix (see \u0026ldquo;Suggested Fix\u0026rdquo; section in content).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2026-44741 Exploitation Attempt — Pimcore Translation Grid SQL Injection\u0026rdquo; to detect potential exploitation attempts (see \u0026ldquo;rules\u0026rdquo; section).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/admin/translation/translations\u003c/code\u003e with suspicious characters or SQL syntax in the \u003ccode\u003efilter\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T00:37:38Z","date_published":"2026-05-27T00:37:38Z","id":"https://feed.craftedsignal.io/briefs/2026-05-pimcore-sqli/","summary":"The Pimcore admin-ui-classic-bundle is vulnerable to SQL injection via the translation grid date filter; the user-supplied `property` field from the filter JSON is interpolated directly into a SQL expression without proper sanitization or validation, potentially leading to arbitrary database data extraction and remote code execution when chained with other vulnerabilities.","title":"Pimcore Admin Classic Bundle SQL Injection Vulnerability in Translation Grid Date Filter","url":"https://feed.craftedsignal.io/briefs/2026-05-pimcore-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed — Pimcore","version":"https://jsonfeed.org/version/1.1"}