Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-ha34-7pm3-pqgm
Vulnerability ID VCID-ha34-7pm3-pqgm
Aliases CVE-2026-23492
GHSA-qvr7-7g55-69xj
Summary Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, an incomplete SQL injection patch in the Admin Search Find API allows an authenticated attacker to perform blind SQL injection. Although CVE-2023-30848 attempted to mitigate SQL injection by removing SQL comments (--) and catching syntax errors, the fix is insufficient. Attackers can still inject SQL payloads that do not rely on comments and infer database information via blind techniques. This vulnerability affects the admin interface and can lead to database information disclosure. This vulnerability is fixed in 12.3.1 and 11.5.14.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 4e-05 https://api.first.org/data/v1/epss?cve=CVE-2026-23492
epss 5e-05 https://api.first.org/data/v1/epss?cve=CVE-2026-23492
cvssv3.1 8.8 https://github.com/advisories/GHSA-6mhm-gcpf-5gr8
generic_textual HIGH https://github.com/advisories/GHSA-6mhm-gcpf-5gr8
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-qvr7-7g55-69xj
cvssv3.1 8.8 https://github.com/pimcore/pimcore
generic_textual HIGH https://github.com/pimcore/pimcore
cvssv3.1 8.8 https://github.com/pimcore/pimcore/commit/25ad8674886f2b938243cbe13e33e204a2e35cc3
generic_textual HIGH https://github.com/pimcore/pimcore/commit/25ad8674886f2b938243cbe13e33e204a2e35cc3
ssvc Track* https://github.com/pimcore/pimcore/commit/25ad8674886f2b938243cbe13e33e204a2e35cc3
cvssv3.1 8.8 https://github.com/pimcore/pimcore/security/advisories/GHSA-qvr7-7g55-69xj
cvssv3.1_qr HIGH https://github.com/pimcore/pimcore/security/advisories/GHSA-qvr7-7g55-69xj
generic_textual HIGH https://github.com/pimcore/pimcore/security/advisories/GHSA-qvr7-7g55-69xj
ssvc Track* https://github.com/pimcore/pimcore/security/advisories/GHSA-qvr7-7g55-69xj
cvssv3.1 8.8 https://nvd.nist.gov/vuln/detail/CVE-2026-23492
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-23492
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-23492
25ad8674886f2b938243cbe13e33e204a2e35cc3 https://github.com/pimcore/pimcore/commit/25ad8674886f2b938243cbe13e33e204a2e35cc3
CVE-2026-23492 https://nvd.nist.gov/vuln/detail/CVE-2026-23492
GHSA-6mhm-gcpf-5gr8 https://github.com/advisories/GHSA-6mhm-gcpf-5gr8
GHSA-qvr7-7g55-69xj https://github.com/advisories/GHSA-qvr7-7g55-69xj
GHSA-qvr7-7g55-69xj https://github.com/pimcore/pimcore/security/advisories/GHSA-qvr7-7g55-69xj
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/advisories/GHSA-6mhm-gcpf-5gr8
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/pimcore/pimcore
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/pimcore/pimcore/commit/25ad8674886f2b938243cbe13e33e204a2e35cc3
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-01-14T21:14:38Z/ Found at https://github.com/pimcore/pimcore/commit/25ad8674886f2b938243cbe13e33e204a2e35cc3
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/pimcore/pimcore/security/advisories/GHSA-qvr7-7g55-69xj
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-01-14T21:14:38Z/ Found at https://github.com/pimcore/pimcore/security/advisories/GHSA-qvr7-7g55-69xj
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2026-23492
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.0015
EPSS Score 4e-05
Published At June 12, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:41:54.491652+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/23xxx/CVE-2026-23492.json 38.6.0