8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-44741

CVE-2026-44741: Pimcore Admin Classic Bundle Vulnerable to SQL Injection in Translation Grid Date Filter via Unsanitized Property Parameter

GM-369

Summary

SQL injection in Pimcore's translation grid date filter — the user-supplied property field from the filter JSON is interpolated directly into a UNIX_TIMESTAMP(DATE(FROM_UNIXTIME(...))) SQL expression without parameterization or allowlist validation.

Affected Component

Package: pimcore/admin-ui-classic-bundle
File: src/Controller/Admin/TranslationController.php
Lines: 565 (input), 569 (inadequate sanitization), 593 (injection point)
Endpoint: POST /admin/translation/translations

Description

The translation grid endpoint processes JSON filter parameters. When a filter has type: "date", the property field is extracted and used to construct a SQL expression:

$fieldname = $filter[$propertyField];              // Line 565 — user input
$fieldname = str_replace('--', '', $fieldname);    // Line 569 — trivially bypassable
$fieldname = $tableName . '.' . $fieldname;        // Line 577
$fieldname = "UNIX_TIMESTAMP(DATE(FROM_UNIXTIME({$fieldname})))";  // Line 593 — injection

The str_replace('--', '') sanitization is trivially bypassable (use /**/ comments or ----). In non-language mode, $fieldname is concatenated directly into the SQL condition without quoting or parameterization.

Impact

Authenticated user with translations view permission can extract arbitrary database data via UNION-based or error-based SQL injection. Combined with GM-249 (unsafe unserialize), this enables an SQLi → deserialization → RCE chain.

Proof of Concept

POST /admin/translation/translations
filter=[{"property":"1))) UNION SELECT password FROM users WHERE ((1","type":"date","operator":"eq","value":"2026-01-01"}]

Miggo Vulnerability Database

→

CVE-2026-44741

CVE-2026-44741:

8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Is this CVE running in your environment?

Easily map the attack path and prioritize which CVEs are a threat to your organization

Validate Exposure

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
pimcore/admin-ui-classic-bundle	composer	<= 2.3.5	2.3.6

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a classic SQL injection flaw within the 'pimcore/admin-ui-classic-bundle'. The analysis of the provided vulnerability description and patch diff points to the translationsAction method in the TranslationController. This method processes filter parameters for the translation grid. When a filter of type 'date' is used, the 'property' parameter from the request's JSON payload is taken and interpolated directly into a SQL expression for a UNIX_TIMESTAMP call. The sanitization in place, str_replace('--', '', $fieldname), is insufficient to prevent SQL injection, as other comment styles (like /**/) or alternative syntax can be used to bypass it. An authenticated user with access to the translation interface can exploit this to execute arbitrary SQL queries, potentially leading to data exfiltration. The provided patch confirms this by replacing the direct string concatenation with a call to $db->quoteIdentifier($fieldname) and adding an allowlist check, which are proper mitigation techniques against this type of injection.

Vulnerable functions

Pimcore\Bundle\AdminClassicBundle\Controller\Admin\TranslationController::translationsAction

src/Controller/Admin/TranslationController.php

The function constructs a SQL query fragment by directly interpolating the user-provided 'property' field from a filter into a string. This field, assigned to the '$fieldname' variable, is not properly sanitized or validated against an allowlist, allowing an attacker to inject arbitrary SQL.

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

Generate vendor-ready rules for the observed attack patterns, plus reasoning and safe deployment guidance

Get WAF rules

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-44741: Pimcore Admin Classic Bundle Vulnerable to SQL Injection in Translation Grid Date Filter via Unsanitized Property Parameter

GM-369

Summary

Affected Component

Description

Impact

Proof of Concept

CVE-2026-44741:

8.8

-

Basic Information

Basic Information

Is this CVE running in your environment?

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability IntelligenceMiggo AI

Unlock WAF rules for this CVE

WAF Protection Rules

WAF Rule

Reasoning

8.8

8.8

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Technical Details

CVE-2026-44741: Pimcore Admin Classic Bundle Vulnerable to SQL Injection in Translation Grid Date Filter via Unsanitized Property Parameter

GM-369

Summary

Affected Component

Description

Impact

Proof of Concept

Suggested Fix

References

Suggested Fix

Proposed Fix

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI