CVE-2026-22242

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

4.9 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N                                    

Vulnerability Description

CoreShop is a Pimcore enhanced eCommerce solution. Prior to version 4.1.8, a blind SQL injection vulnerability exists in the application that allows an authenticated administrator-level user to extract database contents using boolean-based or time-based techniques. The database account used by the application is read-only and non-DBA, limiting impact to confidential data disclosure only. No data modification or service disruption is possible. This issue has been patched in version 4.1.8.

Vulnerability Details

Published Date

January 08, 2026

Last Modified

January 12, 2026

CWE ID

CWE-564

Source

NVD

Vendor

coreshop

Product

coreshop

External References

https://github.com/coreshop/CoreShop/commit/59e84fec59d113952b6d28a9b30c6317f9e6e5dd
https://github.com/coreshop/CoreShop/security/advisories/GHSA-ch7p-mpv4-4vg4
https://github.com/coreshop/CoreShop/security/advisories/GHSA-ch7p-mpv4-4vg4

CVE-2026-22242

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment