EXECUTIVE SUMMARY:
CVE-2026-5394 with a CVSS score of 7.5 is a SQL injection vulnerability affecting the Pimcore Platform (composer/pimcore/pimcore) in all releases up to and including 12.3.6, including version 12.3.3. The flaw arises because the class‑definition import routine accepts a JSON field named `compositeIndices` and stores its contents without proper sanitisation; later the code concatenates the supplied `index_columns` directly into an `ALTER TABLE … ADD INDEX` statement executed via Doctrine DBAL. An attacker who has administrative access to the Pimcore backend and can import or save a DataObject class definition can craft a malicious JSON payload that injects additional DDL clauses—such as dropping columns or adding unintended indexes—by embedding payloads like `slider), DROP COLUMN \`oo_className\` --` into the `index_columns` element. Exploitation requires only authenticated admin rights, no special network access, and works through the standard import UI or API. Successful exploitation grants the attacker the ability to modify the schema of object query/store tables, leading to data loss, integrity violations, or denial‑of‑service conditions that can disrupt business operations and compromise downstream applications that rely on the altered data structures. The attack is contingent on the presence of the vulnerable import feature and the lack of input validation for composite index metadata.
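A pre-import check for the flaw described above, as an added example that is not part of the original advisory or Pimcore's own code: it flags any `compositeIndices` name that is not a plain identifier, and builds the `ALTER TABLE … ADD INDEX` statement only from validated, backtick-quoted names. The `index_key` field name and the identifier rule are assumptions of this example.

```python
import json
import re

# Conservative identifier allowlist. This rule and the `index_key` field name
# are assumptions of this example, not taken from the page or Pimcore's fix.
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def is_safe(name):
    return isinstance(name, str) and IDENT.fullmatch(name) is not None


def audit_composite_indices(definition_json):
    """Return (path, value) for each unsafe or malformed compositeIndices entry."""
    indices = json.loads(definition_json).get("compositeIndices") or []
    if not isinstance(indices, list):
        return [("compositeIndices", indices)]
    findings = []
    for i, entry in enumerate(indices):
        path = f"compositeIndices[{i}]"
        if not isinstance(entry, dict):
            findings.append((path, entry))
            continue
        if not is_safe(entry.get("index_key")):
            findings.append((path + ".index_key", entry.get("index_key")))
        cols = entry.get("index_columns")
        if not isinstance(cols, list) or not cols:
            findings.append((path + ".index_columns", cols))
            continue
        findings += [(f"{path}.index_columns[{j}]", c)
                     for j, c in enumerate(cols) if not is_safe(c)]
    return findings


def build_add_index(table, index_key, columns):
    """Build the DDL from validated names only, each backtick-quoted."""
    for name in (table, index_key, *columns):
        if not is_safe(name):
            raise ValueError(f"unsafe identifier: {name!r}")
    cols = ", ".join(f"`{c}`" for c in columns)
    return f"ALTER TABLE `{table}` ADD INDEX `{index_key}` ({cols})"


# Constructed samples; TAINTED carries the payload quoted in the summary.
CLEAN = json.dumps({"compositeIndices": [
    {"index_key": "idx_slider", "index_columns": ["slider", "price"]}]})
TAINTED = json.dumps({"compositeIndices": [{"index_key": "idx_slider",
    "index_columns": ["slider), DROP COLUMN `oo_className` --"]}]})
```

Run `audit_composite_indices` over an exported class definition before importing or saving it; an empty result means every index and column name passed the allowlist.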
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-r2f4-ff2p-xc64