CVSS 8.8 HIGH Vulnerability

CVE-2026-44741: Pimcore Admin Classic Bundle Vulnerable to SQL Injection in Translation Grid Date Filter…


CVSS Score: 8.8
Severity: HIGH
CISA KEV: NO
Impact Type: Vulnerability

📋 Vulnerability Details

CVE ID: CVE-2026-44741
Vendor: composer
Affected Product: pimcore/admin-ui-classic-bundle
Vulnerability Type: Vulnerability
CVSS Score: 8.8 (HIGH)
Actively Exploited: ❌ No known exploitation
Patch Status: See Vendor Advisory
Reported By: CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

GM-369

Summary

SQL injection in Pimcore's translation grid date filter — the user-supplied property field from the filter JSON is interpolated directly into a UNIX_TIMESTAMP(DATE(FROM_UNIXTIME(...))) SQL expression without parameterization or allowlist validation.

Affected Component

Package: pimcore/admin-ui-classic-bundle
File: src/Controller/Admin/TranslationController.php
Lines: 565 (input), 569 (inadequate sanitization), 593 (injection point)
Endpoint: POST /admin/translation/translations

Description

The translation grid endpoint processes JSON filter parameters. When a filter has type: "date", the property field is extracted and used to construct a SQL expression:

```php
$fieldname = $filter[$propertyField]; // Line 565 — user input
$fi
```
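
The two controls the summary names as missing, allowlist validation of the property field and parameterization of the value, shown together as an added example; this is not Pimcore's code or its patch. The column names, the operator keys, the integer-timestamp value format and the function name `buildDateFilterCondition` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: date columns the grid may filter on (illustrative names).
const DATE_FILTER_COLUMNS = ['creationDate', 'modificationDate'];
// Assumption: operator keys sent by the grid, mapped to fixed SQL operators.
const DATE_FILTER_OPERATORS = ['eq' => '=', 'lt' => '<', 'gt' => '>'];

/** Returns [sqlFragment, params] for a prepared statement, or throws. */
function buildDateFilterCondition(array $filter, string $propertyField = 'property'): array
{
    $fieldname = $filter[$propertyField] ?? null;
    // Identifiers cannot be bound as parameters, so the field must match a
    // fixed allowlist exactly. No stripping or escaping of the input is attempted.
    if (!is_string($fieldname) || !in_array($fieldname, DATE_FILTER_COLUMNS, true)) {
        throw new InvalidArgumentException('Unsupported date filter field');
    }
    $opKey = $filter['operator'] ?? null;
    $operator = is_string($opKey) ? (DATE_FILTER_OPERATORS[$opKey] ?? null) : null;
    if ($operator === null) {
        throw new InvalidArgumentException('Unsupported date filter operator');
    }
    // Assumption: the filter value arrives as a UNIX timestamp.
    $timestamp = filter_var($filter['value'] ?? null, FILTER_VALIDATE_INT);
    if ($timestamp === false) {
        throw new InvalidArgumentException('Invalid date filter value');
    }
    // Only allowlisted constants reach the SQL text; the value stays a placeholder.
    $sql = sprintf('UNIX_TIMESTAMP(DATE(FROM_UNIXTIME(`%s`))) %s ?', $fieldname, $operator);
    return [$sql, [$timestamp]];
}

// Constructed sample filter entries (not taken from the advisory).
$samples = [
    ['type' => 'date', 'property' => 'creationDate', 'operator' => 'gt', 'value' => '1700000000'],
    ['type' => 'date', 'property' => 'creationDate extra', 'operator' => 'gt', 'value' => '1700000000'],
];
foreach ($samples as $filter) {
    try {
        [$sql, $params] = buildDateFilterCondition($filter);
        echo $sql, ' | params: ', json_encode($params), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode($filter['property']), PHP_EOL;
    }
}
```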
