Time-Based Blind SQL Injection in Pimcore Studio Backend Bundle
CVE-2026-55208

7.7HIGH

Key Information:

Vendor

Pimcore

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-55208?

The Pimcore Studio Backend Bundle before versions 2025.4.6 and 2026.1.6 is susceptible to a time-based blind SQL injection vulnerability. Authenticated users can exploit this flaw via the DateFilter column key parameter to extract sensitive information, including the admin password hash and database content. This security issue arises from the improper handling of SQL queries, where user input from the columnFilters array is directly interpolated into SQL statements without adequate sanitization. As a result, an attacker can manipulate the SQL query structure using backtick characters, enabling the execution of arbitrary SQL subqueries such as SLEEP() and IF(), which can adversely impact the confidentiality and integrity of the underlying database.

Affected Version(s)

pimcore >= 2026.1.0, < 2026.1.6 < 2026.1.0, 2026.1.6

pimcore < 2025.4.6 < 2025.4.6

References

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.