Time-Based Blind SQL Injection in Pimcore Studio Backend Bundle
CVE-2026-55208
What is CVE-2026-55208?
The Pimcore Studio Backend Bundle before versions 2025.4.6 and 2026.1.6 is susceptible to a time-based blind SQL injection vulnerability. Authenticated users can exploit this flaw via the DateFilter column key parameter to extract sensitive information, including the admin password hash and database content. This security issue arises from the improper handling of SQL queries, where user input from the columnFilters array is directly interpolated into SQL statements without adequate sanitization. As a result, an attacker can manipulate the SQL query structure using backtick characters, enabling the execution of arbitrary SQL subqueries such as SLEEP() and IF(), which can adversely impact the confidentiality and integrity of the underlying database.
Affected Version(s)
pimcore >= 2026.1.0, < 2026.1.6 < 2026.1.0, 2026.1.6
pimcore < 2025.4.6 < 2025.4.6