Strix
26.1K

CVE-2026-23492

MEDIUMCVSS 4.9/10EPSS 0.43%

Last modified

CVE-2026-23492 is a medium-severity vulnerability rated 4.9/10 on the CVSS scale. Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, an incomplete SQL injection patch in the Admin Search Find API allows an authenticated attacker to perform blind SQL injection. EPSS estimates a 0.43% chance of exploitation in the next 30 days.

Description

Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, an incomplete SQL injection patch in the Admin Search Find API allows an authenticated attacker to perform blind SQL injection. Although CVE-2023-30848 attempted to mitigate SQL injection by removing SQL comments (--) and catching syntax errors, the fix is insufficient. Attackers can still inject SQL payloads that do not rely on comments and infer database information via blind techniques. This vulnerability affects the admin interface and can lead to database information disclosure. This vulnerability is fixed in 12.3.1 and 11.5.14.

Metrics

CVSS 3.1
4.9/10

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

EPSS Probability
0.43%

34.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
PimcorePimcore< 11.5.14
PimcorePimcore>= 12.0.0, < 12.3.1

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2026-23492?
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, an incomplete SQL injection patch in the Admin Search Find API allows an authenticated attacker to perform blind SQL injection. Although CVE-2023-30848 attempted to mitigate SQL injection by removing SQL comments (--) and catching syntax errors, the fix is insufficient. Attackers can still inject SQL payloads that do not rely on comments and infer database information via blind techniques. This vulnerability affects the admin interface and can lead to database information disclosure. This vulnerability is fixed in 12.3.1 and 11.5.14.
How severe is CVE-2026-23492?
CVE-2026-23492 has a CVSS score of 4.9/10 (MEDIUM severity). The EPSS model estimates a 0.43% probability of exploitation in the next 30 days.
How do I fix CVE-2026-23492?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-23492?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST