VYPR
Moderate severity · OSV Advisory · Published Jan 22, 2026 · Updated Jan 22, 2026

CoreShop Vulnerable to SQL Injection via Admin customer-company-modifier

CVE-2026-23959

Description

CoreShop is a Pimcore enhanced eCommerce solution. An error-based SQL Injection vulnerability was identified in versions prior to 4.1.9 in the CustomerTransformerController within the CoreShop admin panel. The affected endpoint improperly interpolates user-supplied input into a SQL query, leading to database error disclosure and potential data extraction. Version 4.1.9 fixes the issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
coreshop/core-shop (Packagist) | < 4.1.9 | 4.1.9
