112 matches found
CVE-2026-44739
Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 LTS and 12.3.6, the columnConfigAction endpoint in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php passes malicious SQL configuration through CustomReportController:columnConfigAction,...
CVE-2026-45704 Pimcore: CustomReports Share Bypass
Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 LTS and 12.3.6, CustomReports uses inconsistent authorization between the report listing endpoint and the report detail endpoint in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php and...
CVE-2026-44739 Pimcore: SQL Injection in Custom Reports Column Configuration
Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 LTS and 12.3.6, the columnConfigAction endpoint in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php passes malicious SQL configuration through CustomReportController:columnConfigAction,...
CVE-2026-44739
CVE-2026-44739 (Pimcore) : SQL injection in the columnConfigAction flow of CustomReportsBundle enables an attacker with the reports_config permission to inject and execute arbitrary SELECT/UNION queries and leverage error-based exfiltration. Affected versions are prior to 11.5.17 (LTS) and 12.3.6...
Vulnerabilities are being addressed in the Progress MOVEit Transfer process.
Progress has addressed vulnerabilities in MOVEit Transfer, specifically in the Custom Reports module and the Ad Hoc module. These vulnerabilities affect multiple versions of MOVEit Transfer, including 25.0.0 to 25.0.7, 25.1.0 to 25.1.3, and 26.0.0 just before 26.0.1. One vulnerability in the Cust...
Progress MOVEit Transfer < 2025.0.8 / 2025.1.0 < 2025.1.4 / 2026.0.0 < 2026.0.1 Multiple Vulnerabilities
The version of Progress MOVEit Transfer installed on the remote host is prior to 2025.0.8, 2025.1.x prior to 2025.1.4, or 2026.0.x prior to 2026.0.1. It is, therefore, affected by multiple vulnerabilities: - Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress...
CVE-2026-8649
Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer Custom Reports modules. This issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3...
CVE-2026-8649 Institution scope bypass vulnerability in custom reports
Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer Custom Reports modules. This issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3...
EUVD-2026-42370
Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer Custom Reports modules. This issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3...
CVE-2026-8649
Summary of CVE-2026-8649 : An instance of Improper Neutralization of Special Elements in Data Query Logic affects MOVEit Transfer (Custom Reports modules). The issue impacts MOVEit Transfer versions prior to 2025.0.7 and from 2025.1.0 up to before 2025.1.3. The CVSS vectors indicate a high-severi...
CVE-2026-10698
Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer Custom Reports modules. This issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1...
CVE-2026-10699
Missing release of memory after effective lifetime vulnerability in Progress MOVEit Transfer Custom Reports modules. This issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1...
EUVD-2026-42279
Missing release of memory after effective lifetime vulnerability in Progress MOVEit Transfer Custom Reports modules. This issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1...
CVE-2026-10699
CVE-2026-10699 affects Progress MOVEit Transfer (Custom Reports modules) with a memory leak caused by missing release of memory after its effective lifetime. Affects MOVEit Transfer versions: 2025.0.0–before 2025.0.8, 2025.1.0–before 2025.1.4, and 2026.0.0–before 2026.0.1. The issue can lead to d...
CVE-2026-10698 Table scope bypass vulnerability in custom reports
Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer Custom Reports modules. This issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1...
CVE-2026-10698
CVE-2026-10698 is an Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer, specifically affecting the Custom Reports module . Affected versions are MOVEit Transfer 2025.0.0–before 2025.0.8, 2025.1.0–before 2025.1.4, and 2026.0.0–before 2026.0.1...
EUVD-2026-42278
Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer Custom Reports modules. This issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1...
PT-2026-56453
Missing release of memory after effective lifetime vulnerability in Progress MOVEit Transfer Custom Reports modules. This issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1...
PT-2026-56452
Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer Custom Reports modules. This issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1...
Pimcore has a CustomReports Share Bypass
Summary CustomReports uses inconsistent authorization between the report listing endpoint and the report detail endpoint. - The listing flow filters reports based on report-sharing rules - The detail flow only checks generic reports or reportsconfig permissions As a result, a low-privileged backe...