CVE-2026-23959

MEDIUM SEVERITY

Vulnerability Description

CoreShop is a Pimcore enhanced eCommerce solution. An error-based SQL Injection vulnerability was identified in versions prior to 4.1.9 in the `CustomerTransformerController` within the CoreShop admin panel. The affected endpoint improperly interpolates user-supplied input into a SQL query, leading to database error disclosure and potential data extraction. Version 4.1.9 fixes the issue.

Vulnerability Details

Published Date

January 21, 2026

Last Modified

January 26, 2026

CWE ID

CWE-564

Source

GitHub

Vendor

composer

Product

coreshop/core-shop

External References

https://github.com/coreshop/CoreShop/security/advisories/GHSA-fqcv-8859-86x2
https://github.com/coreshop/CoreShop/commit/af80b8f5c7df5f02f44e9c5e0a4a564de274eec2
https://github.com/coreshop/CoreShop/releases/tag/4.1.9
https://nvd.nist.gov/vuln/detail/CVE-2026-23959
https://github.com/advisories/GHSA-fqcv-8859-86x2

CVE-2026-23959

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment