CVE-2026-23959
📋 TL;DR
An error-based SQL injection vulnerability in CoreShop's admin panel allows attackers to extract database information through crafted requests. This affects CoreShop eCommerce solutions running versions before 4.1.9. Attackers with admin panel access can exploit this to read sensitive data from the database.
💻 Affected Systems
- CoreShop eCommerce solution
📦 What is this software?
CoreShop, by the CoreShop project
⚠️ Risk & Real-World Impact
Worst Case
Full database compromise including customer PII, payment information, admin credentials, and potential privilege escalation to execute arbitrary SQL commands.
Likely Case
Extraction of sensitive data like customer information, order details, and configuration data through error-based SQL injection techniques.
If Mitigated
Limited information disclosure through error messages without full data extraction capabilities.
🎯 Exploit Status
Exploitation requires admin panel access. The vulnerability is an error-based SQL injection, which is a well-understood technique and relatively easy to exploit once that access is held.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.1.9
Vendor Advisory: https://github.com/coreshop/CoreShop/security/advisories/GHSA-fqcv-8859-86x2
Restart Required: No
Instructions:
1. Backup your CoreShop installation and database.
2. Update CoreShop to version 4.1.9 or later via composer: 'composer require coreshop/core-shop:^4.1.9'.
3. Clear cache if applicable.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Restrict Admin Panel Access
Limit access to the CoreShop admin panel to trusted IP addresses only
Configure web server (Apache/Nginx) to restrict access to /admin paths to specific IP ranges
WAF Rule Implementation
Deploy web application firewall rules to detect and block SQL injection attempts
Add SQL injection detection rules to your WAF configuration
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries for all user inputs in the CustomerTransformerController
- Enable database query logging and monitor for suspicious SQL patterns
🔍 How to Verify
Check if Vulnerable:
Check if your CoreShop version is below 4.1.9 by examining the composer.json file or running 'composer show coreshop/core-shop'
Check Version:
composer show coreshop/core-shop | grep versions
Verify Fix Applied:
Confirm version is 4.1.9 or higher and test the affected endpoint with safe test inputs
📡 Detection & Monitoring
Log Indicators:
- Unusual database error messages in application logs
- Multiple failed SQL queries from single admin sessions
- Suspicious parameter patterns in admin panel requests
Network Indicators:
- Unusual SQL syntax in HTTP POST parameters to admin endpoints
- Repeated requests to CustomerTransformerController with varying parameters
SIEM Query:
source="application.logs" AND ("SQL error" OR "database error") AND uri_path="/admin/*" AND (parameter="*sql*" OR parameter="*union*" OR parameter="*select*")
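The log indicators and the SIEM query above, turned into a small offline triage script; this is an added example, not CoreShop code, and the log line format, the /admin/ paths and the session ids are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample application log lines (not real CoreShop logs). Assumed format:
#   <timestamp> session=<id> path=<uri> params=<querystring> msg="<text>"
SAMPLE_LOGS = [
    '2026-01-10T10:00:01Z session=a1 path=/admin/coreshop/customer/list params=id=5 msg="ok"',
    '2026-01-10T10:00:05Z session=a1 path=/admin/coreshop/customer/list params=id=5%27 msg="SQL error: syntax error"',
    '2026-01-10T10:00:07Z session=a1 path=/admin/coreshop/customer/list params=id=5+union+select+1 msg="database error"',
    '2026-01-10T10:00:09Z session=b2 path=/shop/cart params=qty=2 msg="ok"',
    '2026-01-10T10:00:11Z session=b2 path=/admin/settings params=page=1 msg="SQL error: timeout"',
]

LINE_RE = re.compile(r'session=(?P<session>\S+) path=(?P<path>\S+) params=(?P<params>\S*) msg="(?P<msg>[^"]*)"')
# Same terms the SIEM query keys on: database error messages and SQL-looking parameter values.
ERROR_RE = re.compile(r"sql error|database error", re.I)
SQL_TOKEN_RE = re.compile(r"union|select|sql|%27|'", re.I)


def parse(line):
    """Split one log line into its fields; return None for lines that do not match the format."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def flag_events(lines):
    """Return events matching the log indicators: a database error on an /admin/ path.
    Severity is 'high' when the request parameters also carry SQL-looking tokens."""
    events = []
    for line in lines:
        rec = parse(line)
        if not rec or not rec["path"].startswith("/admin/"):
            continue
        if not ERROR_RE.search(rec["msg"]):
            continue
        severity = "high" if SQL_TOKEN_RE.search(rec["params"]) else "medium"
        events.append({"session": rec["session"], "path": rec["path"], "severity": severity})
    return events


def sessions_over_threshold(events, threshold=2):
    """Sessions producing at least `threshold` admin database errors: the
    'multiple failed SQL queries from a single admin session' indicator."""
    counts = Counter(e["session"] for e in events)
    return sorted(s for s, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    flagged = flag_events(SAMPLE_LOGS)
    for e in flagged:
        print(e)
    print("sessions to review:", sessions_over_threshold(flagged))
```

A single medium event can be an ordinary bug; the per-session count is what separates a malformed request from someone probing the admin panel.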