4 matches found

Github Security Blog
added 2026/02/24 8:3 p.m. | 5 views

Pimcore vulnerable to SQL injection via unsanitized filter value in Dependency Dao RLIKE clause

The filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameterized queries. Affected code in models/Dependency/Dao.php: - getFilterRequiresByPath lines 90, 95, 100 -...

CVSS 6.9 | AI score 5.6 | EPSS 0.00422
Exploits: 1 | References: 6 | Affected Software: 1
OSV
added 2026/02/24 8:3 p.m. | 4 views

GHSA-VXG3-V4P6-F3FP Pimcore vulnerable to SQL injection via unsanitized filter value in Dependency Dao RLIKE clause

The filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameterized queries. Affected code in models/Dependency/Dao.php: - getFilterRequiresByPath lines 90, 95, 100 -...

CVSS 6.9 | AI score 5.7 | EPSS 0.00422
Exploits: 1 | References: 6
Vulnrichment
added 2026/02/24 2:50 a.m. | 3 views

CVE-2026-27461 Pimcore vulnerable to SQL injection via unsanitized filter value in Dependency Dao RLIKE clause

Pimcore is an Open Source Data & Experience Management Platform. In versions up to and including 11.5.14.1 and 12.3.2, the filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameteriz...

CVSS 6.9 | AI score 5.4 | EPSS 0.00422
Exploits: 1 | References: 4
CVE
added 2026/02/24 2:50 a.m. | 34 views

CVE-2026-27461

Summary: Pimcore pre-12.3.3 exposes a SQL-like injection in the dependency listing filter. In versions up to 11.5.14.1 and 12.3.2, the filter query parameter is JSON-decoded and the value is concatenated directly into RLIKE clauses without sanitization or parameterized queries. Impact: With adm...

CVSS 6.9 | AI score 5.4 | EPSS 0.00422
Exploits: 1 | References: 4 | Affected Software: 1