SQL Injection Vulnerability in Pimcore's Custom Reports Bundle
CVE-2026-44739

8.7HIGH

Key Information:

Vendor

Pimcore

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-44739?

Pimcore, an open-source Data & Experience Management Platform, has a vulnerability in its Custom Reports Bundle, specifically through the columnConfigAction endpoint in CustomReportController.php. Attackers possessing the reports_config permission could exploit this flaw to execute arbitrary SELECT queries, employ UNION statements, and utilize error-based SQL injection techniques. This could lead to unauthorized data manipulation or extraction, potentially compromising sensitive database information. The vulnerability has been addressed in later versions 11.5.17 (LTS) and 12.3.6.

Affected Version(s)

pimcore < 11.5.17 < 11.5.17

pimcore >= 12.0.0, < 12.3.6 < 12.0.0, 12.3.6

References

CVSS V3.1

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.