Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-53nb-8vf3-9ubb
Vulnerability ID VCID-53nb-8vf3-9ubb
Aliases CVE-2026-23492
GHSA-qvr7-7g55-69xj
Summary Pimcore Has an Incomplete Patch for CVE-2023-30848 An **incomplete SQL injection patch** in the Admin Search Find API allows an authenticated attacker to perform **blind SQL injection**. Although CVE-2023-30848 attempted to mitigate SQL injection by removing SQL comments (--) and catching syntax errors, the fix is insufficient. Attackers can still inject SQL payloads that do not rely on comments and infer database information via blind techniques. This vulnerability affects the admin interface and can lead to **database information disclosure**.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
There are no known severity scores.
Reference id Reference type URL
https://github.com/pimcore/pimcore
https://github.com/pimcore/pimcore/commit/25ad8674886f2b938243cbe13e33e204a2e35cc3
CVE-2026-23492 https://nvd.nist.gov/vuln/detail/CVE-2026-23492
GHSA-6mhm-gcpf-5gr8 https://github.com/advisories/GHSA-6mhm-gcpf-5gr8
GHSA-qvr7-7g55-69xj https://github.com/advisories/GHSA-qvr7-7g55-69xj
GHSA-qvr7-7g55-69xj https://github.com/pimcore/pimcore/security/advisories/GHSA-qvr7-7g55-69xj
No exploits are available.
There are no known vectors.

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-02T04:49:31.709908+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/pimcore/pimcore/CVE-2026-23492.yml 38.6.0