CVE-2025-27617: 
PHP vulnerability analysis and mitigation

Pimcore, an open source data and experience management platform, was found to contain a SQL injection vulnerability (CVE-2025-27617) that affects versions prior to 11.5.4. The vulnerability was discovered and disclosed on March 11, 2025, allowing authenticated users to craft a filter string that could be used to cause SQL injection (GitHub Advisory).

The vulnerability exists in the getRelationFilterCondition function within the RelationFilterConditionParser.php file. The function failed to properly sanitize user input when handling filter strings, allowing for potential SQL injection attacks. The issue was specifically related to improper input validation in the code that processes filter conditions (GitHub Code). The vulnerability has been assigned a CVSS v4.0 score of 6.3 (Medium) with the vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U (NVD).

The vulnerability allows authenticated users to perform SQL injection attacks through crafted filter strings. This could potentially lead to unauthorized access to database contents, data manipulation, or exposure of sensitive information (GitHub Advisory).

The vulnerability has been fixed in Pimcore version 11.5.4. Users are strongly advised to upgrade to this version or later to address the security issue. The fix includes proper input sanitization and the use of parameterized queries (GitHub Advisory).