=====================================================================
CERT-Renater Note d'Information No. 2026/VULN213
_____________________________________________________________________
DATE                 : 25/02/2026
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running pimcore (Composer) versions prior to 11.5.15 and 12.3.3.
=====================================================================

https://github.com/pimcore/pimcore/security/advisories/GHSA-vxg3-v4p6-f3fp
_____________________________________________________________________

SQL injection via unsanitized filter value in Dependency Dao RLIKE clause
High
astapc published GHSA-vxg3-v4p6-f3fp on Feb 23, 2026

Package           : pimcore/pimcore (Composer)
Affected versions : <= 11.5.14, <= 12.3.2
Patched versions  : 11.5.15, 12.3.3

Description

The filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameterized queries.

Affected code in models/Dependency/Dao.php:
  - getFilterRequiresByPath(): lines 90, 95, 100
  - getFilterRequiredByPath(): lines 148, 153, 158

All 6 locations use direct string concatenation like:

    "AND LOWER(CONCAT(o.path, o.key)) RLIKE '".$value."'"

Note that $orderBy and $orderDirection in the same methods (lines 75-81) ARE properly whitelist-validated, but $value has zero sanitization.

Entry points (pimcore/admin-ui-classic-bundle ElementController.php):
  - GET /admin/element/get-requires-dependencies (line 654)
  - GET /admin/element/get-required-by-dependencies (line 714)

The controller JSON-decodes the filter query param and passes $filter['value'] straight to the Dao without any escaping.

PoC (time-based blind):

    GET /admin/element/get-requires-dependencies?id=1&elementType=document&filter=[{"type":"string","value":"x' OR SLEEP(5)#"}]

If vulnerable, the response is delayed by ~15 seconds (SLEEP runs 3 times, once per UNION arm in the inner subquery).

PoC (error-based extraction):

    GET /admin/element/get-requires-dependencies?id=1&elementType=document&filter=[{"type":"string","value":"x' OR extractvalue(1,concat(0x7e,(SELECT version())))#"}]

Returns the MySQL version string in the error response.

Requires admin authentication. An attacker with admin panel access can extract the full database including password hashes of other admin users.

Severity   : High
CVE ID     : CVE-2026-27461
Weaknesses : CWE-89
Credits    : @q1uf3ng (q1uf3ng), Reporter

=========================================================
+ CERT-RENATER       | tel : 01-53-94-20-44             +
+ 23/25 Rue Daviel   | fax : 01-53-94-20-41             +
+ 75013 Paris        | email : cert@support.renater.fr  +
=========================================================
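As an added illustration (not pimcore's own code and not part of the advisory): the concatenation pattern the advisory describes, beside a parameterized form of the same RLIKE filter using Doctrine DBAL bound parameters. The class name, the `dependencies`/`documents` table and column names, and the injected `Connection` are assumptions; the `fetchAllAssociative($sql, $params)` signature is the real DBAL API.

```php
<?php
declare(strict_types=1);

use Doctrine\DBAL\Connection;

// Added example, not pimcore code. Table/column names are assumed for illustration.
final class DependencyFilterQuery
{
    public function __construct(private Connection $db) {}

    /**
     * Shape of the vulnerable code: the JSON-decoded filter value is spliced
     * into the SQL text, so a single quote in $value ends the string literal
     * and whatever follows becomes SQL (the advisory's "x' OR SLEEP(5)#").
     */
    public function vulnerableSql(int $targetId, string $value): string
    {
        return 'SELECT d.sourceid, d.sourcetype FROM dependencies d'
            . ' JOIN documents o ON o.id = d.sourceid'
            . ' WHERE d.targetid = ' . $targetId
            . " AND LOWER(CONCAT(o.path, o.key)) RLIKE '" . $value . "'";
    }

    /**
     * Hardened form: $value is sent to the server as a bound parameter and is
     * never part of the SQL text, so quotes and comment markers inside it are
     * just characters of the pattern. The integer id is bound as well.
     *
     * The value is still interpreted by MySQL as a regular expression; if the
     * UI only needs a substring match, escape regex metacharacters before
     * binding so an admin-supplied pattern cannot become pathological.
     */
    public function requiredBy(int $targetId, string $value): array
    {
        $sql = 'SELECT d.sourceid, d.sourcetype FROM dependencies d'
            . ' JOIN documents o ON o.id = d.sourceid'
            . ' WHERE d.targetid = :id'
            . ' AND LOWER(CONCAT(o.path, o.key)) RLIKE :pattern';

        return $this->db->fetchAllAssociative($sql, [
            'id'      => $targetId,
            'pattern' => mb_strtolower($value),
        ]);
    }
}
```

With the bound form, the advisory's time-based payload is matched as a literal regex against path+key and simply returns no rows instead of executing SLEEP.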