CVE-2026-23959

Summary

CoreShop is a Pimcore enhanced eCommerce solution. An error-based SQL Injection vulnerability was identified in versions prior to 4.1.9 in the CustomerTransformerController within the CoreShop admin panel. The affected endpoint improperly interpolates user-supplied input into a SQL query, leading to database error disclosure and potential data extraction. Version 4.1.9 fixes the issue.

Affected Software

VendorProductVersion RangeStatus
coreshopCoreShop< 4.1.9affected

Weaknesses

  • CWE-564: CWE-564: SQL Injection: Hibernate

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References