Home > Vulnerability Database > CVE-2026-23492

Mend.io Vulnerability Database

CVE-2026-23492

Good to know:

Date: January 14, 2026

Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, an incomplete SQL injection patch in the Admin Search Find API allows an authenticated attacker to perform blind SQL injection. Although CVE-2023-30848 attempted to mitigate SQL injection by removing SQL comments (--) and catching syntax errors, the fix is insufficient. Attackers can still inject SQL payloads that do not rely on comments and infer database information via blind techniques. This vulnerability affects the admin interface and can lead to database information disclosure. This vulnerability is fixed in 12.3.1 and 11.5.14.

Severity Score

8.8

Related Resources (6)

Url: https://github.com/pimcore/pimcore/commit/25ad8674886f2b938243cbe13e33e204a2e35cc3

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-23492

Url: https://github.com/advisories/GHSA-6mhm-gcpf-5gr8

Url: https://github.com/pimcore/pimcore/security/advisories/GHSA-qvr7-7g55-69xj

Url: https://github.com/pimcore/pimcore

Url: https://www.mend.io/vulnerability-database/CVE-2026-23492

Severity Score

8.8

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-89

Top Fix

Upgrade Version

Upgrade to version https://github.com/pimcore/pimcore.git - v12.3.1;https://github.com/pimcore/pimcore.git - v11.5.14

Learn More

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2026-23492

Good to know:

Date: January 14, 2026

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?