{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23959", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-19T14:49:06.313Z", "datePublished": "2026-01-22T01:57:58.566Z", "dateUpdated": "2026-01-22T16:28:21.076Z"}, "containers": {"cna": {"title": "CoreShop Vulnerable to SQL Injection via Admin customer-company-modifier", "problemTypes": [{"descriptions": [{"cweId": "CWE-564", "lang": "en", "description": "CWE-564: SQL Injection: Hibernate", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/coreshop/CoreShop/security/advisories/GHSA-fqcv-8859-86x2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/coreshop/CoreShop/security/advisories/GHSA-fqcv-8859-86x2"}, {"name": "https://github.com/coreshop/CoreShop/commit/af80b8f5c7df5f02f44e9c5e0a4a564de274eec2", "tags": ["x_refsource_MISC"], "url": "https://github.com/coreshop/CoreShop/commit/af80b8f5c7df5f02f44e9c5e0a4a564de274eec2"}, {"name": "https://github.com/coreshop/CoreShop/releases/tag/4.1.9", "tags": ["x_refsource_MISC"], "url": "https://github.com/coreshop/CoreShop/releases/tag/4.1.9"}], "affected": [{"vendor": "coreshop", "product": "CoreShop", "versions": [{"version": "< 4.1.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-22T01:57:58.566Z"}, "descriptions": [{"lang": "en", "value": "CoreShop is a Pimcore enhanced eCommerce solution. An error-based SQL Injection vulnerability was identified in versions prior to 4.1.9 in the `CustomerTransformerController` within the CoreShop admin panel. The affected endpoint improperly interpolates user-supplied input into a SQL query, leading to database error disclosure and potential data extraction. Version 4.1.9 fixes the issue."}], "source": {"advisory": "GHSA-fqcv-8859-86x2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-22T16:24:52.752574Z", "id": "CVE-2026-23959", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T16:28:21.076Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23959", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-22T16:24:52.752574Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T16:28:03.741Z"}}], "cna": {"title": "CoreShop Vulnerable to SQL Injection via Admin customer-company-modifier", "source": {"advisory": "GHSA-fqcv-8859-86x2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "coreshop", "product": "CoreShop", "versions": [{"status": "affected", "version": "< 4.1.9"}]}], "references": [{"url": "https://github.com/coreshop/CoreShop/security/advisories/GHSA-fqcv-8859-86x2", "name": "https://github.com/coreshop/CoreShop/security/advisories/GHSA-fqcv-8859-86x2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/coreshop/CoreShop/commit/af80b8f5c7df5f02f44e9c5e0a4a564de274eec2", "name": "https://github.com/coreshop/CoreShop/commit/af80b8f5c7df5f02f44e9c5e0a4a564de274eec2", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/coreshop/CoreShop/releases/tag/4.1.9", "name": "https://github.com/coreshop/CoreShop/releases/tag/4.1.9", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "CoreShop is a Pimcore enhanced eCommerce solution. An error-based SQL Injection vulnerability was identified in versions prior to 4.1.9 in the `CustomerTransformerController` within the CoreShop admin panel. The affected endpoint improperly interpolates user-supplied input into a SQL query, leading to database error disclosure and potential data extraction. Version 4.1.9 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-564", "description": "CWE-564: SQL Injection: Hibernate"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-22T01:57:58.566Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23959", "state": "PUBLISHED", "dateUpdated": "2026-01-22T16:28:21.076Z", "dateReserved": "2026-01-19T14:49:06.313Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-22T01:57:58.566Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:coreshop:coreshop:*:*:*:*:*:*:*:*", "matchCriteriaId": "AD4072DD-B1C7-43DE-9201-64819589B281", "versionEndExcluding": "4.1.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "CoreShop is a Pimcore enhanced eCommerce solution. An error-based SQL Injection vulnerability was identified in versions prior to 4.1.9 in the `CustomerTransformerController` within the CoreShop admin panel. The affected endpoint improperly interpolates user-supplied input into a SQL query, leading to database error disclosure and potential data extraction. Version 4.1.9 fixes the issue."}], "id": "CVE-2026-23959", "lastModified": "2026-02-17T16:13:17.520", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-22T03:15:46.233", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/coreshop/CoreShop/commit/af80b8f5c7df5f02f44e9c5e0a4a564de274eec2"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/coreshop/CoreShop/releases/tag/4.1.9"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/coreshop/CoreShop/security/advisories/GHSA-fqcv-8859-86x2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-564"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T03:58:50.266341+00:00", "value": {"mitigation_remediation": ["Upgrade CoreShop to version 4.1.9 or later to apply the vendor fix", "If an upgrade is not immediately feasible, restrict access to the CustomerTransformerController endpoint only to trusted admin accounts and revoke any unauthorized privileges", "Apply rigorous input validation or use prepared statements to ensure that any future code modifications do not interpolate user data directly into SQL queries"], "summary": {"action": "Apply Patch", "impact": "SQL Injection enabling attackers to extract data via the CoreShop admin panel"}, "threat_synthesis": {"affected_systems": "Vendors affected are CoreShop. The issue exists in all CoreShop releases prior to version 4.1.9. Upgrading to 4.1.9 or later eliminates the flaw.", "description_and_impact": "An error-based SQL injection vulnerability was found in the CustomerTransformerController of CoreShop\u2019s admin interface. Unsanitized user input is interpolated into a database query, causing database error disclosure and the potential extraction of sensitive data. The weakness is classified as CWE\u2011564 and exposes confidentiality of customer data when exploited.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 6.9, indicating a medium severity. The EPSS score is less than 1\u202f%, meaning the likelihood of exploitation at the time of this analysis is low, and the issue is not listed in CISA\u2019s KEV catalog. The likely attack vector is an authenticated administrator using the customer-company-modifier endpoint; the explanation is inferred from the description and typical usage of admin panels."}}}}, "created": "2026-01-22T10:07:55.994333+00:00", "updated": "2026-04-18T04:00:08.424987+00:00", "vendors": ["coreshop", "coreshop$PRODUCT$coreshop"]}