CVE-2026-22242 MEDIUM

CVE-2026-22242: CoreShop Vulnerable to SQL Injection via Admin Reports

Vendor Coreshop
Product CoreShop
Weakness CWE-564
Published January 8, 2026
Last update January 8, 2026

CVSS base score

4.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

CoreShop is a Pimcore enhanced eCommerce solution. Prior to version 4.1.8, a blind SQL injection vulnerability exists in the application that allows an authenticated administrator-level user to extract database contents using boolean-based or time-based techniques. The database account used by the application is read-only and non-DBA, limiting impact to confidential data disclosure only. No data modification or service disruption is possible. This issue has been patched in version 4.1.8.

Key dates

Disclosure timeline

January 8, 2026 CVE published
January 8, 2026 Record updated