SQL Injection Vulnerability in Pimcore's Custom Reports Bundle
CVE-2026-44739
8.7HIGH
What is CVE-2026-44739?
Pimcore, an open-source Data & Experience Management Platform, has a vulnerability in its Custom Reports Bundle, specifically through the columnConfigAction endpoint in CustomReportController.php. Attackers possessing the reports_config permission could exploit this flaw to execute arbitrary SELECT queries, employ UNION statements, and utilize error-based SQL injection techniques. This could lead to unauthorized data manipulation or extraction, potentially compromising sensitive database information. The vulnerability has been addressed in later versions 11.5.17 (LTS) and 12.3.6.
Affected Version(s)
pimcore < 11.5.17 < 11.5.17
pimcore >= 12.0.0, < 12.3.6 < 12.0.0, 12.3.6