[GHSA-vxg3-v4p6-f3fp] Pimcore vulnerable to SQL injection via unsanitized filter value in Dependency Dao RLIKE clause#7340
Hi there @astapc! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
Pull request overview
This PR updates the GitHub-reviewed advisory for GHSA-vxg3-v4p6-f3fp (Pimcore SQL injection) to reflect the patched release on the 11.x branch, aligning the advisory data with the upstream repository advisory.
Changes:
- Mark 11.5.15 as the fixed version for the 11.x affected range (replacing the prior “last_affected” event).
- Add `database_specific.last_known_affected_version_range` to preserve the explicit “<= 11.5.14.1” affected bound.
- Update the advisory `modified` timestamp.
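The overview above describes re-encoding the 11.x affected range from a `last_affected` event to a `fixed` event. The following added example (not code from the advisory, GitHub, or Pimcore) evaluates both encodings under simplified OSV range semantics to show what that changes for consumers: with `last_affected: 11.5.14.1`, any version above 11.5.14.1 is simply unasserted, whereas `fixed: 11.5.15` states that every 11.x version below 11.5.15 is affected and 11.5.15 itself is not. The introduced version `11.0.0`, the sample version `11.5.14.2` and the purely numeric dotted-version comparison are assumptions made here for illustration; real Composer version comparison handles suffixes and stability flags that this code ignores.

```python
"""Simplified evaluator for OSV-style affected ranges.

Added example, not part of the GHSA or Pimcore. It assumes purely numeric
dotted versions (e.g. "11.5.14.1") and a single range consisting of one
'introduced' event followed by one closing event ('fixed' or 'last_affected').
"""
from typing import Dict, List, Optional, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "11.5.14.1" into (11, 5, 14, 1); shorter versions are zero-padded
    so that "11.5.15" compares as (11, 5, 15, 0). Assumption: numeric parts only."""
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (4 - len(parts))


def is_affected(version: str, events: List[Dict[str, str]]) -> Optional[bool]:
    """Return True if the version is affected, False if it is not, and None if
    the range makes no statement about it.

    OSV semantics used here: 'introduced' opens the range (inclusive),
    'fixed' closes it exclusively (version >= fixed is not affected), and
    'last_affected' closes it inclusively while saying nothing about versions
    above it, which is why consumers see None for those.
    """
    v = parse_version(version)
    affected: Optional[bool] = None
    for event in events:
        if "introduced" in event:
            intro = event["introduced"]
            affected = intro == "0" or v >= parse_version(intro)
        elif "fixed" in event:
            if v >= parse_version(event["fixed"]):
                affected = False
        elif "last_affected" in event:
            if v > parse_version(event["last_affected"]):
                affected = None  # beyond the asserted bound: unknown, not "safe"
    return affected


# Constructed from the PR description. The introduced version 11.0.0 is an
# assumption; the page only states the upper bounds.
RANGE_BEFORE = [{"introduced": "11.0.0"}, {"last_affected": "11.5.14.1"}]
RANGE_AFTER = [{"introduced": "11.0.0"}, {"fixed": "11.5.15"}]


def compare_encodings(version: str) -> Dict[str, Optional[bool]]:
    """Evaluate one version against both encodings of the 11.x range."""
    return {
        "last_affected_encoding": is_affected(version, RANGE_BEFORE),
        "fixed_encoding": is_affected(version, RANGE_AFTER),
    }


if __name__ == "__main__":
    # 11.5.14.2 is a constructed, hypothetical version used only to show the
    # gap between the two encodings; it is not a release mentioned on the page.
    for sample in ("10.9.0", "11.5.14.1", "11.5.14.2", "11.5.15"):
        print(sample, compare_encodings(sample))
```

The point for anyone matching installed versions against the advisory: under the `last_affected` encoding a version between 11.5.14.1 and 11.5.15 evaluates to "unknown", not "not affected", so tooling should not treat it as safe; the `fixed` event removes that ambiguity, which is why the PR adds it while keeping the original bound in `database_specific`.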
Hi @herbertroth, as of this time, there is no version 11.5.15 listed at https://github.com/pimcore/pimcore or https://packagist.org/packages/pimcore/pimcore, so that version isn't included in the CVE record for CVE-2026-27461 or the global GHSA for GHSA-vxg3-v4p6-f3fp. When version 11.5.15 is made available at https://packagist.org/packages/pimcore/pimcore, we can add it to both the CVE record and the global GHSA.
The GitHub Advisory Database entry is missing the patched version for the 11.x branch. The repository advisory for pimcore/pimcore lists patched versions as 11.5.15 and 12.3.3, while the global advisory currently lists only 12.3.3. Please sync the reviewed advisory to include 11.5.15 as a patched version as well.