Pimcore Platform v12.3.3 Authenticated SQL Injection via Composite Index (CVE-2026-5394)

Pimcore Platform v12.3.3 SQL Injection Vulnerability Summary Vulnerability Overview Vulnerability Name: Pimcore Platform v12.3.3 - DataObject composite index handling SQL Injection Vulnerability Type: SQL Injection Severity: High CVSS Score: 7.0 (CVSS:3.0/AV:N/AC:L/AT:N/PR:H/UI:N/V:C/I:L/A:L/S:C/N/S/N/SAN) CVE ID: CVE-2026-5394 Discoverer: Oscar Naveda (Fluid Attacks AI SAST Scanner) Root Cause: When importing or saving DataObject class definitions, the system accepts data from JSON. During processing of the statement, the backend does not perform strict identifier validation or escaping on the field, directly concatenating it into the SQL statement, allowing attackers to inject malicious SQL code. Impact Scope Affected Systems: Pimcore Platform v12.3.3 Exploitation Conditions: Requires an authenticated administrative user with permission to import or save class definitions. Potential Impacts: Unauthorized modification of object query/storage table schemas. Denial of Service (DoS) of backend services by disrupting the expected table layout. Compromise of data integrity for DataObject storage and queries. Remediation Current Status: There is currently no patch available for this vulnerability. Recommended Measures**: Users should monitor official security updates, or implement strict whitelist validation and identifier escaping for imported JSON data at the application layer. Proof-of-Concept Code (PoC) 1. Malicious JSON Snippet The attacker injects SQL by modifying the field in the JSON: 2. Generated Malicious SQL Statement The above JSON causes the backend to generate the following SQL statement: 3. Vulnerability Trigger Code Path (Source-to-Sink) The vulnerable core code is located in and : Here, is generated via without any escaping or whitelist validation.

Goal Reached Thanks to every supporter — we hit 100%!

Pimcore Platform v12.3.3 Authenticated SQL Injection via Composite Index (CVE-2026-5394)