CVE-2026-44741: Pimcore Admin Classic Bundle Vulnerable to SQL Injection in Translation Grid Date Filter via Unsanitized Property Parameter
SQL injection in Pimcore’s translation grid date filter — the user-supplied property field from the filter JSON is interpolated directly into a UNIX_TIMESTAMP(DATE(FROM_UNIXTIME(...))) SQL expression without parameterization or allowlist validation.
References
- github.com/advisories/GHSA-h4ph-crvj-9h92
- github.com/pimcore/admin-ui-classic-bundle/commit/80e57a23d9e19574eddfe9b08e8f26785b2b0d90
- github.com/pimcore/admin-ui-classic-bundle/pull/1111
- github.com/pimcore/admin-ui-classic-bundle/releases/tag/v2.3.6
- github.com/pimcore/pimcore/security/advisories/GHSA-h4ph-crvj-9h92
- nvd.nist.gov/vuln/detail/CVE-2026-44741
Code Behaviors & Features
Detect and mitigate CVE-2026-44741 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →