CVE-2026-27461: Pimcore vulnerable to SQL injection via unsanitized filter value in Dependency Dao RLIKE clause
The filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameterized queries.
Affected code in models/Dependency/Dao.php:
- getFilterRequiresByPath() lines 90, 95, 100
- getFilterRequiredByPath() lines 148, 153, 158
All 6 locations use direct string concatenation like:
"AND LOWER(CONCAT(o.path, o.key)) RLIKE '".$value."'"
Note that $orderBy and $orderDirection in the same methods (lines 75-81) ARE properly whitelist-validated, but $value has zero sanitization.
Entry points (pimcore/admin-ui-classic-bundle ElementController.php):
- GET /admin/element/get-requires-dependencies (line 654)
- GET /admin/element/get-required-by-dependencies (line 714)
The controller JSON-decodes the filter query param and passes $filter['value'] straight to the Dao without any escaping.
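As an added illustration (not Pimcore's code), the concatenation pattern described above beside a parameterized rewrite using plain PDO; the table and column names (objects, path, key), the order-by whitelist and the PDO connection are assumptions.

```php
<?php
declare(strict_types=1);

// BEFORE: the shape the advisory describes. $value comes straight from the
// JSON-decoded "filter" query parameter and is spliced into the statement,
// so a single quote inside it changes the SQL structure.
function buildRequiresSqlVulnerable(string $value): string
{
    return "SELECT o.id FROM objects o"
        . " WHERE LOWER(CONCAT(o.path, o.key)) RLIKE '" . $value . "'";
}

// AFTER: the pattern travels as a bound parameter, so whatever it contains the
// server only ever sees it as the right-hand operand of RLIKE.
// Column names cannot be bound, so $orderBy stays whitelist-checked, the same
// approach the advisory notes the original code already takes for ordering.
function fetchRequiresByPath(PDO $db, string $value, string $orderBy = 'id'): array
{
    $allowedOrder = ['id', 'path', 'key'];   // assumed column whitelist
    if (!in_array($orderBy, $allowedOrder, true)) {
        throw new InvalidArgumentException('orderBy column not allowed');
    }

    $sql = "SELECT o.id FROM objects o"
        . " WHERE LOWER(CONCAT(o.path, o.key)) RLIKE :pattern"
        . " ORDER BY o." . $orderBy;

    $stmt = $db->prepare($sql);
    $stmt->bindValue(':pattern', strtolower($value), PDO::PARAM_STR);
    $stmt->execute();

    // Binding closes the injection; the regex itself is still caller-supplied,
    // so cap its length (and consider a server-side regex time limit) to keep
    // a pathological pattern from tying up the database.
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}
```

A quick way to spot the vulnerable shape in a code base is to grep for `RLIKE '` or `LIKE '` followed by a closing quote and a concatenated variable, and check that each hit has a bound parameter instead.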
PoC (time-based blind):
References
- github.com/advisories/GHSA-vxg3-v4p6-f3fp
- github.com/pimcore/pimcore
- github.com/pimcore/pimcore/commit/1c3925fbec4895abeb21e5c244a83679c4e4a6f4
- github.com/pimcore/pimcore/pull/18991
- github.com/pimcore/pimcore/releases/tag/v12.3.3
- github.com/pimcore/pimcore/security/advisories/GHSA-vxg3-v4p6-f3fp
- nvd.nist.gov/vuln/detail/CVE-2026-27461