Packagist (Composer) package
coreshop/core-shop
pkg:composer/coreshop/core-shop
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-41249 | High | 8.2 | | — | — | Jun 4, 2026 | CoreShop is a Pimcore enhanced eCommerce solution. In versions 5.0.1 through 5.1.0-beta.1, the GitHub Actions workflow (`.github/workflows/static.yml`) uses the `pull_request_target` trigger but dangerously checks out the unverified code from the pull request head (`ref: ${{ git |
| CVE-2026-23959 | | — | | < 4.1.9 | 4.1.9 | Jan 22, 2026 | CoreShop is a Pimcore enhanced eCommerce solution. An error-based SQL Injection vulnerability was identified in versions prior to 4.1.9 in the `CustomerTransformerController` within the CoreShop admin panel. The affected endpoint improperly interpolates user-supplied input into a |
| CVE-2026-22242 | | — | | < 4.1.8 | 4.1.8 | Jan 8, 2026 | CoreShop is a Pimcore enhanced eCommerce solution. Prior to version 4.1.8, a blind SQL injection vulnerability exists in the application that allows an authenticated administrator-level user to extract database contents using boolean-based or time-based techniques. The database a |