Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    328 vulnerabilities by Pimcore

    CVE-2026-45704 (GCVE-0-2026-45704)

    Vulnerability from nvd – Published: 2026-07-17 19:12 – Updated: 2026-07-17 19:12
    VLAI
    Title
    Pimcore: CustomReports Share Bypass
    Summary
    Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.6, CustomReports uses inconsistent authorization between the report listing endpoint and the report detail endpoint in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php and bundles/CustomReportsBundle/src/Tool/Config/Listing/Dao.php, allowing a low-privileged backend user with the reports permission to directly request an unshared report such as poc-secret-report by name and read report name, grouping information, display and icon metadata, data source configuration, column configuration, and sharing settings even when shareGlobally is false. This issue is fixed in versions 11.5.17 (LTS) and 12.3.6.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    pimcore pimcore Affected: < 11.5.17
    Affected: >= 12.0.0, < 12.3.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "pimcore",
              "vendor": "pimcore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 11.5.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 12.0.0, \u003c 12.3.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Pimcore is an Open Source Data \u0026 Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.6, CustomReports uses inconsistent authorization between the report listing endpoint and the report detail endpoint in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php and bundles/CustomReportsBundle/src/Tool/Config/Listing/Dao.php, allowing a low-privileged backend user with the reports permission to directly request an unshared report such as poc-secret-report by name and read report name, grouping information, display and icon metadata, data source configuration, column configuration, and sharing settings even when shareGlobally is false. This issue is fixed in versions 11.5.17 (LTS) and 12.3.6."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-17T19:12:50.888Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pimcore/pimcore/security/advisories/GHSA-jwcc-gv4m-93x6",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-jwcc-gv4m-93x6"
            },
            {
              "name": "https://github.com/pimcore/pimcore/pull/19099",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/pull/19099"
            },
            {
              "name": "https://github.com/pimcore/pimcore/commit/1893ff1cd116e442b995ddf17e8c6e0aa372268e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/commit/1893ff1cd116e442b995ddf17e8c6e0aa372268e"
            },
            {
              "name": "https://github.com/pimcore/pimcore/releases/tag/v12.3.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/releases/tag/v12.3.6"
            }
          ],
          "source": {
            "advisory": "GHSA-jwcc-gv4m-93x6",
            "discovery": "UNKNOWN"
          },
          "title": "Pimcore: CustomReports Share Bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-45704",
        "datePublished": "2026-07-17T19:12:50.888Z",
        "dateReserved": "2026-05-13T04:38:01.165Z",
        "dateUpdated": "2026-07-17T19:12:50.888Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-45260 (GCVE-0-2026-45260)

    Vulnerability from nvd – Published: 2026-07-17 19:08 – Updated: 2026-07-17 19:08
    VLAI
    Title
    Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling
    Summary
    Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.7, Pimcore's WebDAV asset endpoint exposes a MOVE operation through /asset/webdav{path} without an authentication plugin in bundles/CoreBundle/src/Controller/WebDavController.php, and models/Asset/WebDAV/Tree.php performs asset mutation and deletion through models/Asset.php before checking a current Pimcore user or the rename, delete, create, or publish permissions, allowing unauthorized asset deletion, moves, or overwrites. This issue is fixed in versions 11.5.17 (LTS) and 12.3.7.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    pimcore pimcore Affected: < 11.5.17
    Affected: >= 12.0.0, < 12.3.7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "pimcore",
              "vendor": "pimcore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 11.5.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 12.0.0, \u003c 12.3.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Pimcore is an Open Source Data \u0026 Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.7, Pimcore\u0027s WebDAV asset endpoint exposes a MOVE operation through /asset/webdav{path} without an authentication plugin in bundles/CoreBundle/src/Controller/WebDavController.php, and models/Asset/WebDAV/Tree.php performs asset mutation and deletion through models/Asset.php before checking a current Pimcore user or the rename, delete, create, or publish permissions, allowing unauthorized asset deletion, moves, or overwrites. This issue is fixed in versions 11.5.17 (LTS) and 12.3.7."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-17T19:08:38.869Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pimcore/pimcore/security/advisories/GHSA-wc7j-g8wx-m2qx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-wc7j-g8wx-m2qx"
            },
            {
              "name": "https://github.com/pimcore/pimcore/pull/19120",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/pull/19120"
            },
            {
              "name": "https://github.com/pimcore/pimcore/commit/9d7c77fd9b19fa011ce470de95d4438e65007d99",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/commit/9d7c77fd9b19fa011ce470de95d4438e65007d99"
            },
            {
              "name": "https://github.com/pimcore/pimcore/releases/tag/v12.3.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/releases/tag/v12.3.7"
            }
          ],
          "source": {
            "advisory": "GHSA-wc7j-g8wx-m2qx",
            "discovery": "UNKNOWN"
          },
          "title": "Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-45260",
        "datePublished": "2026-07-17T19:08:38.869Z",
        "dateReserved": "2026-05-11T18:41:13.155Z",
        "dateUpdated": "2026-07-17T19:08:38.869Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-44739 (GCVE-0-2026-44739)

    Vulnerability from nvd – Published: 2026-07-17 19:10 – Updated: 2026-07-17 23:15
    VLAI
    Title
    Pimcore: SQL Injection in Custom Reports Column Configuration
    Summary
    Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.6, the columnConfigAction endpoint in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php passes malicious SQL configuration through CustomReportController:columnConfigAction, SqlAdapter::getColumns, SqlAdapter::buildQueryString, and Db::fetchAssociative(), allowing an attacker with the reports_config permission to use arbitrary SELECT queries, UNION statements, dangerous database functions, and error-based SQL injection to exfiltrate or manipulate database data. This issue is fixed in versions 11.5.17 (LTS) and 12.3.6.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    pimcore pimcore Affected: < 11.5.17
    Affected: >= 12.0.0, < 12.3.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-44739",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-17T21:31:37.964266Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-17T23:15:23.395Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-3234-gxc3-pq6f"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pimcore",
              "vendor": "pimcore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 11.5.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 12.0.0, \u003c 12.3.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Pimcore is an Open Source Data \u0026 Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.6, the columnConfigAction endpoint in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php passes malicious SQL configuration through CustomReportController:columnConfigAction, SqlAdapter::getColumns, SqlAdapter::buildQueryString, and Db::fetchAssociative(), allowing an attacker with the reports_config permission to use arbitrary SELECT queries, UNION statements, dangerous database functions, and error-based SQL injection to exfiltrate or manipulate database data. This issue is fixed in versions 11.5.17 (LTS) and 12.3.6."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-17T19:10:10.107Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pimcore/pimcore/security/advisories/GHSA-3234-gxc3-pq6f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-3234-gxc3-pq6f"
            },
            {
              "name": "https://github.com/pimcore/pimcore/pull/19098",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/pull/19098"
            },
            {
              "name": "https://github.com/pimcore/pimcore/commit/3fd7733464f464e58ffa49ed91550c1a3f9535f2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/commit/3fd7733464f464e58ffa49ed91550c1a3f9535f2"
            },
            {
              "name": "https://github.com/pimcore/pimcore/releases/tag/v12.3.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/releases/tag/v12.3.6"
            }
          ],
          "source": {
            "advisory": "GHSA-3234-gxc3-pq6f",
            "discovery": "UNKNOWN"
          },
          "title": "Pimcore: SQL Injection in Custom Reports Column Configuration"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-44739",
        "datePublished": "2026-07-17T19:10:10.107Z",
        "dateReserved": "2026-05-07T18:04:17.310Z",
        "dateUpdated": "2026-07-17T23:15:23.395Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-45703 (GCVE-0-2026-45703)

    Vulnerability from nvd – Published: 2026-07-17 18:52 – Updated: 2026-07-17 19:22
    VLAI
    Title
    Pimcore: WordExport Authorization Bypass for Unauthorized Document Export
    Summary
    Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.7, the WordExport export flow in bundles/WordExportBundle/src/Controller/TranslationController.php only checks the word_export feature permission and directly resolves attacker-controlled type/id input without enforcing view permission on page, snippet, email, or object elements, allowing a low-privileged backend user to export document content the user is not allowed to view. This issue is fixed in versions 11.5.17 (LTS) and 12.3.7.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    pimcore pimcore Affected: < 11.5.17
    Affected: >= 12.0.0, < 12.3.7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-45703",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-17T19:22:43.100980Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-17T19:22:48.025Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-332x-r494-54fq"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pimcore",
              "vendor": "pimcore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 11.5.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 12.0.0, \u003c 12.3.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Pimcore is an Open Source Data \u0026 Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.7, the WordExport export flow in bundles/WordExportBundle/src/Controller/TranslationController.php only checks the word_export feature permission and directly resolves attacker-controlled type/id input without enforcing view permission on page, snippet, email, or object elements, allowing a low-privileged backend user to export document content the user is not allowed to view. This issue is fixed in versions 11.5.17 (LTS) and 12.3.7."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-17T18:52:44.530Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pimcore/pimcore/security/advisories/GHSA-332x-r494-54fq",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-332x-r494-54fq"
            },
            {
              "name": "https://github.com/pimcore/pimcore/releases/tag/v12.3.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/releases/tag/v12.3.7"
            }
          ],
          "source": {
            "advisory": "GHSA-332x-r494-54fq",
            "discovery": "UNKNOWN"
          },
          "title": "Pimcore: WordExport Authorization Bypass for Unauthorized Document Export"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-45703",
        "datePublished": "2026-07-17T18:52:44.530Z",
        "dateReserved": "2026-05-13T04:38:01.165Z",
        "dateUpdated": "2026-07-17T19:22:48.025Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-45162 (GCVE-0-2026-45162)

    Vulnerability from nvd – Published: 2026-07-17 18:50 – Updated: 2026-07-17 23:15
    VLAI
    Title
    Pimcore: Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction
    Summary
    Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.7, multiple Pimcore locations call PHP's unserialize() on data from database columns and filesystem files without the allowed_classes restriction, including lib/Tool/Authentication.php, models/Site/Dao.php, models/DataObject/ClassDefinition/CustomLayout/Dao.php, models/Tool/TmpStore/Dao.php, models/Asset/WebDAV/Service.php, and admin-ui-classic-bundle/src/Helper/Dashboard.php, enabling object injection and remote code execution if an attacker can control the serialized data source. This issue is fixed in versions 11.5.17 (LTS) and 12.3.7.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Vendor Product Version
    pimcore pimcore Affected: < 11.5.17
    Affected: >= 12.0.0, < 12.3.7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-45162",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-17T20:17:24.872137Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-17T23:15:31.060Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pimcore",
              "vendor": "pimcore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 11.5.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 12.0.0, \u003c 12.3.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Pimcore is an Open Source Data \u0026 Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.7, multiple Pimcore locations call PHP\u0027s unserialize() on data from database columns and filesystem files without the allowed_classes restriction, including lib/Tool/Authentication.php, models/Site/Dao.php, models/DataObject/ClassDefinition/CustomLayout/Dao.php, models/Tool/TmpStore/Dao.php, models/Asset/WebDAV/Service.php, and admin-ui-classic-bundle/src/Helper/Dashboard.php, enabling object injection and remote code execution if an attacker can control the serialized data source. This issue is fixed in versions 11.5.17 (LTS) and 12.3.7."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-17T18:50:19.924Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pimcore/pimcore/security/advisories/GHSA-36fc-7wjg-mfvj",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-36fc-7wjg-mfvj"
            },
            {
              "name": "https://github.com/pimcore/pimcore/pull/19119",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/pull/19119"
            },
            {
              "name": "https://github.com/pimcore/pimcore/commit/4788bf3a3a7f2f760a8fe61e522565941e154e1e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/commit/4788bf3a3a7f2f760a8fe61e522565941e154e1e"
            },
            {
              "name": "https://github.com/pimcore/pimcore/releases/tag/v12.3.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/releases/tag/v12.3.7"
            }
          ],
          "source": {
            "advisory": "GHSA-36fc-7wjg-mfvj",
            "discovery": "UNKNOWN"
          },
          "title": "Pimcore: Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-45162",
        "datePublished": "2026-07-17T18:50:19.924Z",
        "dateReserved": "2026-05-08T20:44:38.965Z",
        "dateUpdated": "2026-07-17T23:15:31.060Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55212 (GCVE-0-2026-55212)

    Vulnerability from nvd – Published: 2026-07-09 20:53 – Updated: 2026-07-10 20:32
    VLAI
    Title
    Pimcore: Insufficient Permission Check on Class Definition Creation Endpoint Allows Privilege Escalation
    Summary
    Pimcore is an Open Source Data & Experience Management Platform. Prior to 2025.4.6 and 2026.1.6, the Studio API class definition creation endpoint POST /pimcore-studio/api/class/definition/configuration-view/detail/create is guarded by the objects permission instead of the classes permission, allowing a standard editor-level user to create class definitions without admin privileges. Class definition creation generates new database tables and PHP class files on the server, and missing API-layer UID format validation allows malformed UIDs to reach model-layer validation and return internal exceptions. This issue is fixed in versions 2025.4.6 and 2026.1.6.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    pimcore pimcore Affected: >= 2026.1.0, < 2026.1.6
    Affected: < 2025.4.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55212",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T19:11:51.488115Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T20:32:10.057Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-f97c-ph8j-8vff"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pimcore",
              "vendor": "pimcore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2026.1.0, \u003c 2026.1.6"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2025.4.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Pimcore is an Open Source Data \u0026 Experience Management Platform. Prior to 2025.4.6 and 2026.1.6, the Studio API class definition creation endpoint POST /pimcore-studio/api/class/definition/configuration-view/detail/create is guarded by the objects permission instead of the classes permission, allowing a standard editor-level user to create class definitions without admin privileges. Class definition creation generates new database tables and PHP class files on the server, and missing API-layer UID format validation allows malformed UIDs to reach model-layer validation and return internal exceptions. This issue is fixed in versions 2025.4.6 and 2026.1.6."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285: Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T20:53:36.900Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pimcore/pimcore/security/advisories/GHSA-f97c-ph8j-8vff",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-f97c-ph8j-8vff"
            },
            {
              "name": "https://github.com/pimcore/studio-backend-bundle/pull/1886",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/studio-backend-bundle/pull/1886"
            },
            {
              "name": "https://github.com/pimcore/studio-backend-bundle/commit/d1a4788c0f159c360d550c34256c8abbbd633ae0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/studio-backend-bundle/commit/d1a4788c0f159c360d550c34256c8abbbd633ae0"
            },
            {
              "name": "https://github.com/pimcore/studio-backend-bundle/releases/tag/v2025.4.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/studio-backend-bundle/releases/tag/v2025.4.6"
            },
            {
              "name": "https://github.com/pimcore/studio-backend-bundle/releases/tag/v2026.1.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/studio-backend-bundle/releases/tag/v2026.1.6"
            }
          ],
          "source": {
            "advisory": "GHSA-f97c-ph8j-8vff",
            "discovery": "UNKNOWN"
          },
          "title": "Pimcore: Insufficient Permission Check on Class Definition Creation Endpoint Allows Privilege Escalation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55212",
        "datePublished": "2026-07-09T20:53:36.900Z",
        "dateReserved": "2026-06-16T16:16:32.627Z",
        "dateUpdated": "2026-07-10T20:32:10.057Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55208 (GCVE-0-2026-55208)

    Vulnerability from nvd – Published: 2026-07-09 20:57 – Updated: 2026-07-10 13:51
    VLAI
    Title
    Pimcore: SQL Injection via Column Name in DateFilter allows authenticated user to extract arbitrary database data including admin password hashes
    Summary
    Pimcore Studio Backend Bundle is the backend bundle for Pimcore Studio. Prior to 2025.4.6 and 2026.1.6, an authenticated user can extract the admin password hash and other database content through time-based blind SQL injection in the DateFilter column key parameter. The POST /pimcore-studio/api/website-settings endpoint and other listing endpoints accept a columnFilters array where the key field is interpolated directly into SQL with manual backtick wrapping, allowing a backtick character to break out of quoting and append arbitrary SQL such as SLEEP() and IF() subqueries. This issue is fixed in versions 2025.4.6 and 2026.1.6.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    pimcore pimcore Affected: >= 2026.1.0, < 2026.1.6
    Affected: < 2025.4.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55208",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T13:51:49.735662Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T13:51:59.895Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-79cw-hfcc-7mw9"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pimcore",
              "vendor": "pimcore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2026.1.0, \u003c 2026.1.6"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2025.4.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Pimcore Studio Backend Bundle is the backend bundle for Pimcore Studio. Prior to 2025.4.6 and 2026.1.6, an authenticated user can extract the admin password hash and other database content through time-based blind SQL injection in the DateFilter column key parameter. The POST /pimcore-studio/api/website-settings endpoint and other listing endpoints accept a columnFilters array where the key field is interpolated directly into SQL with manual backtick wrapping, allowing a backtick character to break out of quoting and append arbitrary SQL such as SLEEP() and IF() subqueries. This issue is fixed in versions 2025.4.6 and 2026.1.6."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T20:57:53.346Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pimcore/pimcore/security/advisories/GHSA-79cw-hfcc-7mw9",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-79cw-hfcc-7mw9"
            },
            {
              "name": "https://github.com/pimcore/studio-backend-bundle/pull/1883",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/studio-backend-bundle/pull/1883"
            },
            {
              "name": "https://github.com/pimcore/studio-backend-bundle/commit/f532428cfbf4f5d6e299a13cedd5c29541802552",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/studio-backend-bundle/commit/f532428cfbf4f5d6e299a13cedd5c29541802552"
            },
            {
              "name": "https://github.com/pimcore/studio-backend-bundle/releases/tag/v2025.4.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/studio-backend-bundle/releases/tag/v2025.4.6"
            },
            {
              "name": "https://github.com/pimcore/studio-backend-bundle/releases/tag/v2026.1.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/studio-backend-bundle/releases/tag/v2026.1.6"
            }
          ],
          "source": {
            "advisory": "GHSA-79cw-hfcc-7mw9",
            "discovery": "UNKNOWN"
          },
          "title": "Pimcore: SQL Injection via Column Name in DateFilter allows authenticated user to extract arbitrary database data including admin password hashes"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55208",
        "datePublished": "2026-07-09T20:57:53.346Z",
        "dateReserved": "2026-06-16T16:16:32.627Z",
        "dateUpdated": "2026-07-10T13:51:59.895Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55207 (GCVE-0-2026-55207)

    Vulnerability from nvd – Published: 2026-07-09 21:02 – Updated: 2026-07-10 13:34
    VLAI
    Title
    Pimcore: Account Takeover via Password Reset URL Injection allows unauthenticated attacker to hijack any admin account with 2FA bypass
    Summary
    Pimcore is an Open Source Data & Experience Management Platform. Prior to 2025.4.6 and 2026.1.6, an unauthenticated attacker who knows a valid admin username can take over any Pimcore admin account by sending a password reset request with an attacker-controlled resetPasswordUrl. The server generates a real cryptographic recovery token, appends it to the supplied URL, and emails the link to the victim; when the victim clicks the link, the token is sent to the attacker and can be used with POST /pimcore-studio/api/login/token to authenticate with full admin privileges while bypassing two-factor authentication. This issue is fixed in versions 2025.4.6 and 2026.1.6.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
    Assigner
    Impacted products
    Vendor Product Version
    pimcore pimcore Affected: >= 2026.1.0, < 2026.1.6
    Affected: < 2025.4.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55207",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T13:34:00.598927Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T13:34:28.607Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-h854-c3m3-mh5v"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pimcore",
              "vendor": "pimcore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2026.1.0, \u003c 2026.1.6"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2025.4.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Pimcore is an Open Source Data \u0026 Experience Management Platform. Prior to 2025.4.6 and 2026.1.6, an unauthenticated attacker who knows a valid admin username can take over any Pimcore admin account by sending a password reset request with an attacker-controlled resetPasswordUrl. The server generates a real cryptographic recovery token, appends it to the supplied URL, and emails the link to the victim; when the victim clicks the link, the token is sent to the attacker and can be used with POST /pimcore-studio/api/login/token to authenticate with full admin privileges while bypassing two-factor authentication. This issue is fixed in versions 2025.4.6 and 2026.1.6."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-640",
                  "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T21:02:02.733Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pimcore/pimcore/security/advisories/GHSA-h854-c3m3-mh5v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-h854-c3m3-mh5v"
            },
            {
              "name": "https://github.com/pimcore/studio-backend-bundle/pull/1882",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/studio-backend-bundle/pull/1882"
            },
            {
              "name": "https://github.com/pimcore/studio-backend-bundle/commit/ea9d329686f5e5aea2eec378d63ac2deb965bb27",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/studio-backend-bundle/commit/ea9d329686f5e5aea2eec378d63ac2deb965bb27"
            },
            {
              "name": "https://github.com/pimcore/studio-backend-bundle/releases/tag/v2025.4.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/studio-backend-bundle/releases/tag/v2025.4.6"
            },
            {
              "name": "https://github.com/pimcore/studio-backend-bundle/releases/tag/v2026.1.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/studio-backend-bundle/releases/tag/v2026.1.6"
            }
          ],
          "source": {
            "advisory": "GHSA-h854-c3m3-mh5v",
            "discovery": "UNKNOWN"
          },
          "title": "Pimcore: Account Takeover via Password Reset URL Injection allows unauthenticated attacker to hijack any admin account with 2FA bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55207",
        "datePublished": "2026-07-09T21:02:02.733Z",
        "dateReserved": "2026-06-16T16:16:32.627Z",
        "dateUpdated": "2026-07-10T13:34:28.607Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5362 (GCVE-0-2026-5362)

    Vulnerability from nvd – Published: 2026-04-27 20:16 – Updated: 2026-04-28 14:36
    VLAI
    Title
    Pimcore Platform v12.3.3 - Stored XSS in Document Editable Embed rendering
    Summary
    An authenticated attacker with permission to edit document content can store crafted HTML/JavaScript in a Document embed editable and cause script execution when the published page is rendered. This issue affects pimcore: v12.3.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    pimcore pimcore Affected: v12.3.3
    Create a notification for this product.
    Credits
    Oscar Naveda Fluid Attacks' AI SAST Scanner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5362",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-28T13:33:41.603332Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-28T14:36:06.112Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows",
                "MacOS",
                "Linux"
              ],
              "product": "pimcore",
              "vendor": "pimcore",
              "versions": [
                {
                  "status": "affected",
                  "version": "v12.3.3"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:pimcore:pimcore:v12.3.3:*:windows:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:pimcore:pimcore:v12.3.3:*:macos:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:pimcore:pimcore:v12.3.3:*:linux:*:*:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Oscar Naveda"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Fluid Attacks\u0027 AI SAST Scanner"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn authenticated attacker with permission to edit document content can store crafted HTML/JavaScript in a Document \u003ccode\u003eembed\u003c/code\u003e editable and cause script execution when the published page is rendered.\u003c/p\u003e\u003cp\u003eThis issue affects pimcore: v12.3.3.\u003c/p\u003e"
                }
              ],
              "value": "An authenticated attacker with permission to edit document content can store crafted HTML/JavaScript in a Document embed editable and cause script execution when the published page is rendered.\n\nThis issue affects pimcore: v12.3.3."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-27T20:16:01.154Z",
            "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
            "shortName": "Fluid Attacks"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://fluidattacks.com/es/advisories/mago"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/pimcore/pimcore/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Pimcore Platform v12.3.3 - Stored XSS in Document Editable Embed rendering",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
        "assignerShortName": "Fluid Attacks",
        "cveId": "CVE-2026-5362",
        "datePublished": "2026-04-27T20:16:01.154Z",
        "dateReserved": "2026-04-01T17:29:08.324Z",
        "dateUpdated": "2026-04-28T14:36:06.112Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5394 (GCVE-0-2026-5394)

    Vulnerability from nvd – Published: 2026-04-27 19:15 – Updated: 2026-05-05 17:17
    VLAI
    Title
    Pimcore Platform v12.3.3 - SQL Injection in DataObject composite index handling
    Summary
    An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend. This issue affects pimcore: 12.3.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    pimcore pimcore Affected: 12.3.3
    Create a notification for this product.
    Credits
    Oscar Naveda Fluid Attacks' AI SAST Scanner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5394",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-28T13:21:06.925647Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-28T14:36:35.902Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows",
                "MacOS",
                "Linux"
              ],
              "product": "pimcore",
              "vendor": "pimcore",
              "versions": [
                {
                  "status": "affected",
                  "version": "12.3.3"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:pimcore:pimcore:12.3.3:*:windows:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:pimcore:pimcore:12.3.3:*:macos:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:pimcore:pimcore:12.3.3:*:linux:*:*:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Oscar Naveda"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Fluid Attacks\u0027 AI SAST Scanner"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend.\u003c/p\u003e\u003cp\u003eThis issue affects pimcore: 12.3.3.\u003c/p\u003e"
                }
              ],
              "value": "An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend.\n\nThis issue affects pimcore: 12.3.3."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-7",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-7 Blind SQL Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-05T17:17:45.826Z",
            "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
            "shortName": "Fluid Attacks"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://fluidattacks.com/es/advisories/dragons"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/pimcore/pimcore"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/pimcore/pimcore/pull/19108"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Pimcore Platform v12.3.3 - SQL Injection in DataObject composite index handling",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
        "assignerShortName": "Fluid Attacks",
        "cveId": "CVE-2026-5394",
        "datePublished": "2026-04-27T19:15:04.496Z",
        "dateReserved": "2026-04-01T23:34:42.722Z",
        "dateUpdated": "2026-05-05T17:17:45.826Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-27461 (GCVE-0-2026-27461)

    Vulnerability from nvd – Published: 2026-02-24 02:50 – Updated: 2026-02-24 18:58
    VLAI
    Title
    Pimcore vulnerable to SQL injection via unsanitized filter value in Dependency Dao RLIKE clause
    Summary
    Pimcore is an Open Source Data & Experience Management Platform. In versions up to and including 11.5.14.1 and 12.3.2, the filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameterized queries. Exploiting this issue requires admin authentication. An attacker with admin panel access can extract the full database including password hashes of other admin users. Version 12.3.3 contains a patch.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    pimcore pimcore Affected: <= 11.5.14.1
    Affected: >= 12.0.0, < 12.3.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-27461",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-24T18:56:21.259584Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-24T18:58:07.625Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pimcore",
              "vendor": "pimcore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c= 11.5.14.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 12.0.0, \u003c 12.3.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Pimcore is an Open Source Data \u0026 Experience Management Platform. In versions up to and including 11.5.14.1 and 12.3.2, the filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameterized queries. Exploiting this issue requires admin authentication. An attacker with admin panel access can extract the full database including password hashes of other admin users. Version 12.3.3 contains a patch."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "HIGH",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-24T02:50:48.287Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pimcore/pimcore/security/advisories/GHSA-vxg3-v4p6-f3fp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-vxg3-v4p6-f3fp"
            },
            {
              "name": "https://github.com/pimcore/pimcore/pull/18991",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/pull/18991"
            },
            {
              "name": "https://github.com/pimcore/pimcore/commit/1c3925fbec4895abeb21e5c244a83679c4e4a6f4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/commit/1c3925fbec4895abeb21e5c244a83679c4e4a6f4"
            },
            {
              "name": "https://github.com/pimcore/pimcore/releases/tag/v12.3.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/releases/tag/v12.3.3"
            }
          ],
          "source": {
            "advisory": "GHSA-vxg3-v4p6-f3fp",
            "discovery": "UNKNOWN"
          },
          "title": "Pimcore vulnerable to SQL injection via unsanitized filter value in Dependency Dao RLIKE clause"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-27461",
        "datePublished": "2026-02-24T02:50:48.287Z",
        "dateReserved": "2026-02-19T17:25:31.100Z",
        "dateUpdated": "2026-02-24T18:58:07.625Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23496 (GCVE-0-2026-23496)

    Vulnerability from nvd – Published: 2026-01-15 16:58 – Updated: 2026-01-15 18:26
    VLAI
    Title
    Pimcore Web2Print Tools Bundle "Favourite Output Channel Configuration" Missing Function Level Authorization
    Summary
    Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. Prior to 5.2.2 and 6.1.1, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing "Favourite Output Channel Configurations." Testing revealed that an authenticated backend user without explicitely lacking permissions for this feature was still able to successfully invoke the endpoint and modify or retrieve these configurations. This vulnerability is fixed in 5.2.2 and 6.1.1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    pimcore pimcore Affected: >= 6.0.0-RC1, < 6.1.1
    Affected: < 5.2.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23496",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-15T18:05:26.888302Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-15T18:26:33.948Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-4wg4-p27p-5q2r"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pimcore",
              "vendor": "pimcore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0-RC1, \u003c 6.1.1"
                },
                {
                  "status": "affected",
                  "version": "\u003c 5.2.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. Prior to 5.2.2 and 6.1.1, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing \"Favourite Output Channel Configurations.\" Testing revealed that an authenticated backend user without explicitely lacking permissions for this feature was still able to successfully invoke the endpoint and modify or retrieve these configurations. This vulnerability is fixed in 5.2.2 and 6.1.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-15T18:13:52.619Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pimcore/pimcore/security/advisories/GHSA-4wg4-p27p-5q2r",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-4wg4-p27p-5q2r"
            },
            {
              "name": "https://github.com/pimcore/web2print-tools/pull/108",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/web2print-tools/pull/108"
            },
            {
              "name": "https://github.com/pimcore/web2print-tools/commit/7714452a04b9f9b077752784af4b8d0b05e464a1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/web2print-tools/commit/7714452a04b9f9b077752784af4b8d0b05e464a1"
            },
            {
              "name": "https://github.com/pimcore/web2print-tools/releases/tag/v5.2.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/web2print-tools/releases/tag/v5.2.2"
            },
            {
              "name": "https://github.com/pimcore/web2print-tools/releases/tag/v6.1.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/web2print-tools/releases/tag/v6.1.1"
            }
          ],
          "source": {
            "advisory": "GHSA-4wg4-p27p-5q2r",
            "discovery": "UNKNOWN"
          },
          "title": "Pimcore Web2Print Tools Bundle \"Favourite Output Channel Configuration\" Missing Function Level Authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-23496",
        "datePublished": "2026-01-15T16:58:39.431Z",
        "dateReserved": "2026-01-13T15:47:41.629Z",
        "dateUpdated": "2026-01-15T18:26:33.948Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23495 (GCVE-0-2026-23495)

    Vulnerability from nvd – Published: 2026-01-15 16:47 – Updated: 2026-01-15 17:09
    VLAI
    Title
    Pimcore's Admin Classic Bundle is Missing Function Level Authorization on "Predefined Properties" Listing
    Summary
    Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore's official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations. The vulnerability is fixed in 2.2.3 and 1.7.16.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    pimcore pimcore Affected: >= 2.0.0-RC1, < 2.2.3
    Affected: < 1.7.16
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23495",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-15T17:08:56.115694Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-15T17:09:32.298Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pimcore",
              "vendor": "pimcore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.0-RC1, \u003c 2.2.3"
                },
                {
                  "status": "affected",
                  "version": "\u003c 1.7.16"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Pimcore\u0027s Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore\u0027s official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations. The vulnerability is fixed in 2.2.3 and 1.7.16."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-15T16:47:07.114Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pimcore/pimcore/security/advisories/GHSA-hqrp-m84v-2m2f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-hqrp-m84v-2m2f"
            },
            {
              "name": "https://github.com/pimcore/admin-ui-classic-bundle/commit/98095949fbeaf11cdf4cadb2989d7454e1b88909",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/admin-ui-classic-bundle/commit/98095949fbeaf11cdf4cadb2989d7454e1b88909"
            },
            {
              "name": "https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.7.16",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.7.16"
            },
            {
              "name": "https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v2.2.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v2.2.3"
            }
          ],
          "source": {
            "advisory": "GHSA-hqrp-m84v-2m2f",
            "discovery": "UNKNOWN"
          },
          "title": "Pimcore\u0027s Admin Classic Bundle is Missing Function Level Authorization on \"Predefined Properties\" Listing"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-23495",
        "datePublished": "2026-01-15T16:47:07.114Z",
        "dateReserved": "2026-01-13T15:47:41.629Z",
        "dateUpdated": "2026-01-15T17:09:32.298Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23494 (GCVE-0-2026-23494)

    Vulnerability from nvd – Published: 2026-01-15 16:52 – Updated: 2026-01-15 18:08
    VLAI
    Title
    Pimcore is Missing Function Level Authorization on "Static Routes" Listing
    Summary
    Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined via the backend interface or the var/config/staticroutes.php file, including details like regex-based patterns, controllers, variables, and priorities. These routes are registered automatically through the PimcoreStaticRoutesBundle and integrated into the MVC routing system. Testing revealed that an authenticated backend user lacking explicit permissions was able to invoke the endpoint (e.g., GET /api/static-routes) and retrieve sensitive route configurations. This vulnerability is fixed in 12.3.1 and 11.5.14.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    pimcore pimcore Affected: >= 12.0.0-RC1, < 12.3.1
    Affected: < 11.5.14
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23494",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-15T18:08:08.650556Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-15T18:08:13.110Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-m3r2-724c-pwgf"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pimcore",
              "vendor": "pimcore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 12.0.0-RC1, \u003c 12.3.1"
                },
                {
                  "status": "affected",
                  "version": "\u003c 11.5.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Pimcore is an Open Source Data \u0026 Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined via the backend interface or the var/config/staticroutes.php file, including details like regex-based patterns, controllers, variables, and priorities. These routes are registered automatically through the PimcoreStaticRoutesBundle and integrated into the MVC routing system. Testing revealed that an authenticated backend user lacking explicit permissions was able to invoke the endpoint (e.g., GET /api/static-routes) and retrieve sensitive route configurations. This vulnerability is fixed in 12.3.1 and 11.5.14."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-15T16:52:58.729Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pimcore/pimcore/security/advisories/GHSA-m3r2-724c-pwgf",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-m3r2-724c-pwgf"
            },
            {
              "name": "https://github.com/pimcore/pimcore/pull/18893",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/pull/18893"
            },
            {
              "name": "https://github.com/pimcore/pimcore/releases/tag/v11.5.14",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/releases/tag/v11.5.14"
            },
            {
              "name": "https://github.com/pimcore/pimcore/releases/tag/v12.3.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/releases/tag/v12.3.1"
            }
          ],
          "source": {
            "advisory": "GHSA-m3r2-724c-pwgf",
            "discovery": "UNKNOWN"
          },
          "title": "Pimcore is Missing Function Level Authorization on \"Static Routes\" Listing"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-23494",
        "datePublished": "2026-01-15T16:52:58.729Z",
        "dateReserved": "2026-01-13T15:47:41.629Z",
        "dateUpdated": "2026-01-15T18:08:13.110Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23493 (GCVE-0-2026-23493)

    Vulnerability from nvd – Published: 2026-01-15 16:38 – Updated: 2026-01-15 19:02
    VLAI
    Title
    Pimcore ENV Variables and Cookie Informations are exposed in http_error_log
    Summary
    Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend. This vulnerability is fixed in 12.3.1 and 11.5.14.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-532 - Insertion of Sensitive Information into Log File
    Assigner
    Impacted products
    Vendor Product Version
    pimcore pimcore Affected: >= 12.0.0-RC1, < 12.3.1
    Affected: < 11.5.14
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23493",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-15T19:02:04.572218Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-15T19:02:08.517Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-q433-j342-rp9h"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pimcore",
              "vendor": "pimcore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 12.0.0-RC1, \u003c 12.3.1"
                },
                {
                  "status": "affected",
                  "version": "\u003c 11.5.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Pimcore is an Open Source Data \u0026 Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend. This vulnerability is fixed in 12.3.1 and 11.5.14."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532: Insertion of Sensitive Information into Log File",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-15T16:38:23.923Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pimcore/pimcore/security/advisories/GHSA-q433-j342-rp9h",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-q433-j342-rp9h"
            },
            {
              "name": "https://github.com/pimcore/pimcore/pull/18918",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/pull/18918"
            },
            {
              "name": "https://github.com/pimcore/pimcore/commit/002ec7d5f84973819236796e5b314703b58e8601",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/commit/002ec7d5f84973819236796e5b314703b58e8601"
            },
            {
              "name": "https://github.com/pimcore/pimcore/releases/tag/v11.5.14",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/releases/tag/v11.5.14"
            },
            {
              "name": "https://github.com/pimcore/pimcore/releases/tag/v12.3.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/releases/tag/v12.3.1"
            }
          ],
          "source": {
            "advisory": "GHSA-q433-j342-rp9h",
            "discovery": "UNKNOWN"
          },
          "title": "Pimcore ENV Variables and Cookie Informations are exposed in http_error_log"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-23493",
        "datePublished": "2026-01-15T16:38:23.923Z",
        "dateReserved": "2026-01-13T15:47:41.629Z",
        "dateUpdated": "2026-01-15T19:02:08.517Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-45704 (GCVE-0-2026-45704)

    Vulnerability from cvelistv5 – Published: 2026-07-17 19:12 – Updated: 2026-07-17 19:12
    VLAI
    Title
    Pimcore: CustomReports Share Bypass
    Summary
    Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.6, CustomReports uses inconsistent authorization between the report listing endpoint and the report detail endpoint in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php and bundles/CustomReportsBundle/src/Tool/Config/Listing/Dao.php, allowing a low-privileged backend user with the reports permission to directly request an unshared report such as poc-secret-report by name and read report name, grouping information, display and icon metadata, data source configuration, column configuration, and sharing settings even when shareGlobally is false. This issue is fixed in versions 11.5.17 (LTS) and 12.3.6.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    pimcore pimcore Affected: < 11.5.17
    Affected: >= 12.0.0, < 12.3.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "pimcore",
              "vendor": "pimcore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 11.5.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 12.0.0, \u003c 12.3.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Pimcore is an Open Source Data \u0026 Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.6, CustomReports uses inconsistent authorization between the report listing endpoint and the report detail endpoint in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php and bundles/CustomReportsBundle/src/Tool/Config/Listing/Dao.php, allowing a low-privileged backend user with the reports permission to directly request an unshared report such as poc-secret-report by name and read report name, grouping information, display and icon metadata, data source configuration, column configuration, and sharing settings even when shareGlobally is false. This issue is fixed in versions 11.5.17 (LTS) and 12.3.6."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-17T19:12:50.888Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pimcore/pimcore/security/advisories/GHSA-jwcc-gv4m-93x6",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-jwcc-gv4m-93x6"
            },
            {
              "name": "https://github.com/pimcore/pimcore/pull/19099",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/pull/19099"
            },
            {
              "name": "https://github.com/pimcore/pimcore/commit/1893ff1cd116e442b995ddf17e8c6e0aa372268e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/commit/1893ff1cd116e442b995ddf17e8c6e0aa372268e"
            },
            {
              "name": "https://github.com/pimcore/pimcore/releases/tag/v12.3.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/releases/tag/v12.3.6"
            }
          ],
          "source": {
            "advisory": "GHSA-jwcc-gv4m-93x6",
            "discovery": "UNKNOWN"
          },
          "title": "Pimcore: CustomReports Share Bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-45704",
        "datePublished": "2026-07-17T19:12:50.888Z",
        "dateReserved": "2026-05-13T04:38:01.165Z",
        "dateUpdated": "2026-07-17T19:12:50.888Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-44739 (GCVE-0-2026-44739)

    Vulnerability from cvelistv5 – Published: 2026-07-17 19:10 – Updated: 2026-07-17 23:15
    VLAI
    Title
    Pimcore: SQL Injection in Custom Reports Column Configuration
    Summary
    Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.6, the columnConfigAction endpoint in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php passes malicious SQL configuration through CustomReportController:columnConfigAction, SqlAdapter::getColumns, SqlAdapter::buildQueryString, and Db::fetchAssociative(), allowing an attacker with the reports_config permission to use arbitrary SELECT queries, UNION statements, dangerous database functions, and error-based SQL injection to exfiltrate or manipulate database data. This issue is fixed in versions 11.5.17 (LTS) and 12.3.6.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    pimcore pimcore Affected: < 11.5.17
    Affected: >= 12.0.0, < 12.3.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-44739",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-17T21:31:37.964266Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-17T23:15:23.395Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-3234-gxc3-pq6f"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pimcore",
              "vendor": "pimcore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 11.5.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 12.0.0, \u003c 12.3.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Pimcore is an Open Source Data \u0026 Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.6, the columnConfigAction endpoint in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php passes malicious SQL configuration through CustomReportController:columnConfigAction, SqlAdapter::getColumns, SqlAdapter::buildQueryString, and Db::fetchAssociative(), allowing an attacker with the reports_config permission to use arbitrary SELECT queries, UNION statements, dangerous database functions, and error-based SQL injection to exfiltrate or manipulate database data. This issue is fixed in versions 11.5.17 (LTS) and 12.3.6."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-17T19:10:10.107Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pimcore/pimcore/security/advisories/GHSA-3234-gxc3-pq6f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-3234-gxc3-pq6f"
            },
            {
              "name": "https://github.com/pimcore/pimcore/pull/19098",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/pull/19098"
            },
            {
              "name": "https://github.com/pimcore/pimcore/commit/3fd7733464f464e58ffa49ed91550c1a3f9535f2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/commit/3fd7733464f464e58ffa49ed91550c1a3f9535f2"
            },
            {
              "name": "https://github.com/pimcore/pimcore/releases/tag/v12.3.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/releases/tag/v12.3.6"
            }
          ],
          "source": {
            "advisory": "GHSA-3234-gxc3-pq6f",
            "discovery": "UNKNOWN"
          },
          "title": "Pimcore: SQL Injection in Custom Reports Column Configuration"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-44739",
        "datePublished": "2026-07-17T19:10:10.107Z",
        "dateReserved": "2026-05-07T18:04:17.310Z",
        "dateUpdated": "2026-07-17T23:15:23.395Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-45260 (GCVE-0-2026-45260)

    Vulnerability from cvelistv5 – Published: 2026-07-17 19:08 – Updated: 2026-07-17 19:08
    VLAI
    Title
    Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling
    Summary
    Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.7, Pimcore's WebDAV asset endpoint exposes a MOVE operation through /asset/webdav{path} without an authentication plugin in bundles/CoreBundle/src/Controller/WebDavController.php, and models/Asset/WebDAV/Tree.php performs asset mutation and deletion through models/Asset.php before checking a current Pimcore user or the rename, delete, create, or publish permissions, allowing unauthorized asset deletion, moves, or overwrites. This issue is fixed in versions 11.5.17 (LTS) and 12.3.7.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    pimcore pimcore Affected: < 11.5.17
    Affected: >= 12.0.0, < 12.3.7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "pimcore",
              "vendor": "pimcore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 11.5.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 12.0.0, \u003c 12.3.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Pimcore is an Open Source Data \u0026 Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.7, Pimcore\u0027s WebDAV asset endpoint exposes a MOVE operation through /asset/webdav{path} without an authentication plugin in bundles/CoreBundle/src/Controller/WebDavController.php, and models/Asset/WebDAV/Tree.php performs asset mutation and deletion through models/Asset.php before checking a current Pimcore user or the rename, delete, create, or publish permissions, allowing unauthorized asset deletion, moves, or overwrites. This issue is fixed in versions 11.5.17 (LTS) and 12.3.7."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-17T19:08:38.869Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pimcore/pimcore/security/advisories/GHSA-wc7j-g8wx-m2qx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-wc7j-g8wx-m2qx"
            },
            {
              "name": "https://github.com/pimcore/pimcore/pull/19120",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/pull/19120"
            },
            {
              "name": "https://github.com/pimcore/pimcore/commit/9d7c77fd9b19fa011ce470de95d4438e65007d99",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/commit/9d7c77fd9b19fa011ce470de95d4438e65007d99"
            },
            {
              "name": "https://github.com/pimcore/pimcore/releases/tag/v12.3.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/releases/tag/v12.3.7"
            }
          ],
          "source": {
            "advisory": "GHSA-wc7j-g8wx-m2qx",
            "discovery": "UNKNOWN"
          },
          "title": "Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-45260",
        "datePublished": "2026-07-17T19:08:38.869Z",
        "dateReserved": "2026-05-11T18:41:13.155Z",
        "dateUpdated": "2026-07-17T19:08:38.869Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-45703 (GCVE-0-2026-45703)

    Vulnerability from cvelistv5 – Published: 2026-07-17 18:52 – Updated: 2026-07-17 19:22
    VLAI
    Title
    Pimcore: WordExport Authorization Bypass for Unauthorized Document Export
    Summary
    Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.7, the WordExport export flow in bundles/WordExportBundle/src/Controller/TranslationController.php only checks the word_export feature permission and directly resolves attacker-controlled type/id input without enforcing view permission on page, snippet, email, or object elements, allowing a low-privileged backend user to export document content the user is not allowed to view. This issue is fixed in versions 11.5.17 (LTS) and 12.3.7.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    pimcore pimcore Affected: < 11.5.17
    Affected: >= 12.0.0, < 12.3.7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-45703",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-17T19:22:43.100980Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-17T19:22:48.025Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-332x-r494-54fq"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pimcore",
              "vendor": "pimcore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 11.5.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 12.0.0, \u003c 12.3.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Pimcore is an Open Source Data \u0026 Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.7, the WordExport export flow in bundles/WordExportBundle/src/Controller/TranslationController.php only checks the word_export feature permission and directly resolves attacker-controlled type/id input without enforcing view permission on page, snippet, email, or object elements, allowing a low-privileged backend user to export document content the user is not allowed to view. This issue is fixed in versions 11.5.17 (LTS) and 12.3.7."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-17T18:52:44.530Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pimcore/pimcore/security/advisories/GHSA-332x-r494-54fq",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-332x-r494-54fq"
            },
            {
              "name": "https://github.com/pimcore/pimcore/releases/tag/v12.3.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/releases/tag/v12.3.7"
            }
          ],
          "source": {
            "advisory": "GHSA-332x-r494-54fq",
            "discovery": "UNKNOWN"
          },
          "title": "Pimcore: WordExport Authorization Bypass for Unauthorized Document Export"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-45703",
        "datePublished": "2026-07-17T18:52:44.530Z",
        "dateReserved": "2026-05-13T04:38:01.165Z",
        "dateUpdated": "2026-07-17T19:22:48.025Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-45162 (GCVE-0-2026-45162)

    Vulnerability from cvelistv5 – Published: 2026-07-17 18:50 – Updated: 2026-07-17 23:15
    VLAI
    Title
    Pimcore: Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction
    Summary
    Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.7, multiple Pimcore locations call PHP's unserialize() on data from database columns and filesystem files without the allowed_classes restriction, including lib/Tool/Authentication.php, models/Site/Dao.php, models/DataObject/ClassDefinition/CustomLayout/Dao.php, models/Tool/TmpStore/Dao.php, models/Asset/WebDAV/Service.php, and admin-ui-classic-bundle/src/Helper/Dashboard.php, enabling object injection and remote code execution if an attacker can control the serialized data source. This issue is fixed in versions 11.5.17 (LTS) and 12.3.7.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Vendor Product Version
    pimcore pimcore Affected: < 11.5.17
    Affected: >= 12.0.0, < 12.3.7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-45162",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-17T20:17:24.872137Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-17T23:15:31.060Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pimcore",
              "vendor": "pimcore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 11.5.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 12.0.0, \u003c 12.3.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Pimcore is an Open Source Data \u0026 Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.7, multiple Pimcore locations call PHP\u0027s unserialize() on data from database columns and filesystem files without the allowed_classes restriction, including lib/Tool/Authentication.php, models/Site/Dao.php, models/DataObject/ClassDefinition/CustomLayout/Dao.php, models/Tool/TmpStore/Dao.php, models/Asset/WebDAV/Service.php, and admin-ui-classic-bundle/src/Helper/Dashboard.php, enabling object injection and remote code execution if an attacker can control the serialized data source. This issue is fixed in versions 11.5.17 (LTS) and 12.3.7."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-17T18:50:19.924Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pimcore/pimcore/security/advisories/GHSA-36fc-7wjg-mfvj",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-36fc-7wjg-mfvj"
            },
            {
              "name": "https://github.com/pimcore/pimcore/pull/19119",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/pull/19119"
            },
            {
              "name": "https://github.com/pimcore/pimcore/commit/4788bf3a3a7f2f760a8fe61e522565941e154e1e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/commit/4788bf3a3a7f2f760a8fe61e522565941e154e1e"
            },
            {
              "name": "https://github.com/pimcore/pimcore/releases/tag/v12.3.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/releases/tag/v12.3.7"
            }
          ],
          "source": {
            "advisory": "GHSA-36fc-7wjg-mfvj",
            "discovery": "UNKNOWN"
          },
          "title": "Pimcore: Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-45162",
        "datePublished": "2026-07-17T18:50:19.924Z",
        "dateReserved": "2026-05-08T20:44:38.965Z",
        "dateUpdated": "2026-07-17T23:15:31.060Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55207 (GCVE-0-2026-55207)

    Vulnerability from cvelistv5 – Published: 2026-07-09 21:02 – Updated: 2026-07-10 13:34
    VLAI
    Title
    Pimcore: Account Takeover via Password Reset URL Injection allows unauthenticated attacker to hijack any admin account with 2FA bypass
    Summary
    Pimcore is an Open Source Data & Experience Management Platform. Prior to 2025.4.6 and 2026.1.6, an unauthenticated attacker who knows a valid admin username can take over any Pimcore admin account by sending a password reset request with an attacker-controlled resetPasswordUrl. The server generates a real cryptographic recovery token, appends it to the supplied URL, and emails the link to the victim; when the victim clicks the link, the token is sent to the attacker and can be used with POST /pimcore-studio/api/login/token to authenticate with full admin privileges while bypassing two-factor authentication. This issue is fixed in versions 2025.4.6 and 2026.1.6.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
    Assigner
    Impacted products
    Vendor Product Version
    pimcore pimcore Affected: >= 2026.1.0, < 2026.1.6
    Affected: < 2025.4.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55207",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T13:34:00.598927Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T13:34:28.607Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-h854-c3m3-mh5v"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pimcore",
              "vendor": "pimcore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2026.1.0, \u003c 2026.1.6"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2025.4.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Pimcore is an Open Source Data \u0026 Experience Management Platform. Prior to 2025.4.6 and 2026.1.6, an unauthenticated attacker who knows a valid admin username can take over any Pimcore admin account by sending a password reset request with an attacker-controlled resetPasswordUrl. The server generates a real cryptographic recovery token, appends it to the supplied URL, and emails the link to the victim; when the victim clicks the link, the token is sent to the attacker and can be used with POST /pimcore-studio/api/login/token to authenticate with full admin privileges while bypassing two-factor authentication. This issue is fixed in versions 2025.4.6 and 2026.1.6."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-640",
                  "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T21:02:02.733Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pimcore/pimcore/security/advisories/GHSA-h854-c3m3-mh5v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-h854-c3m3-mh5v"
            },
            {
              "name": "https://github.com/pimcore/studio-backend-bundle/pull/1882",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/studio-backend-bundle/pull/1882"
            },
            {
              "name": "https://github.com/pimcore/studio-backend-bundle/commit/ea9d329686f5e5aea2eec378d63ac2deb965bb27",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/studio-backend-bundle/commit/ea9d329686f5e5aea2eec378d63ac2deb965bb27"
            },
            {
              "name": "https://github.com/pimcore/studio-backend-bundle/releases/tag/v2025.4.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/studio-backend-bundle/releases/tag/v2025.4.6"
            },
            {
              "name": "https://github.com/pimcore/studio-backend-bundle/releases/tag/v2026.1.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/studio-backend-bundle/releases/tag/v2026.1.6"
            }
          ],
          "source": {
            "advisory": "GHSA-h854-c3m3-mh5v",
            "discovery": "UNKNOWN"
          },
          "title": "Pimcore: Account Takeover via Password Reset URL Injection allows unauthenticated attacker to hijack any admin account with 2FA bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55207",
        "datePublished": "2026-07-09T21:02:02.733Z",
        "dateReserved": "2026-06-16T16:16:32.627Z",
        "dateUpdated": "2026-07-10T13:34:28.607Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55208 (GCVE-0-2026-55208)

    Vulnerability from cvelistv5 – Published: 2026-07-09 20:57 – Updated: 2026-07-10 13:51
    VLAI
    Title
    Pimcore: SQL Injection via Column Name in DateFilter allows authenticated user to extract arbitrary database data including admin password hashes
    Summary
    Pimcore Studio Backend Bundle is the backend bundle for Pimcore Studio. Prior to 2025.4.6 and 2026.1.6, an authenticated user can extract the admin password hash and other database content through time-based blind SQL injection in the DateFilter column key parameter. The POST /pimcore-studio/api/website-settings endpoint and other listing endpoints accept a columnFilters array where the key field is interpolated directly into SQL with manual backtick wrapping, allowing a backtick character to break out of quoting and append arbitrary SQL such as SLEEP() and IF() subqueries. This issue is fixed in versions 2025.4.6 and 2026.1.6.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    pimcore pimcore Affected: >= 2026.1.0, < 2026.1.6
    Affected: < 2025.4.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55208",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T13:51:49.735662Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T13:51:59.895Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-79cw-hfcc-7mw9"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pimcore",
              "vendor": "pimcore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2026.1.0, \u003c 2026.1.6"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2025.4.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Pimcore Studio Backend Bundle is the backend bundle for Pimcore Studio. Prior to 2025.4.6 and 2026.1.6, an authenticated user can extract the admin password hash and other database content through time-based blind SQL injection in the DateFilter column key parameter. The POST /pimcore-studio/api/website-settings endpoint and other listing endpoints accept a columnFilters array where the key field is interpolated directly into SQL with manual backtick wrapping, allowing a backtick character to break out of quoting and append arbitrary SQL such as SLEEP() and IF() subqueries. This issue is fixed in versions 2025.4.6 and 2026.1.6."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T20:57:53.346Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pimcore/pimcore/security/advisories/GHSA-79cw-hfcc-7mw9",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-79cw-hfcc-7mw9"
            },
            {
              "name": "https://github.com/pimcore/studio-backend-bundle/pull/1883",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/studio-backend-bundle/pull/1883"
            },
            {
              "name": "https://github.com/pimcore/studio-backend-bundle/commit/f532428cfbf4f5d6e299a13cedd5c29541802552",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/studio-backend-bundle/commit/f532428cfbf4f5d6e299a13cedd5c29541802552"
            },
            {
              "name": "https://github.com/pimcore/studio-backend-bundle/releases/tag/v2025.4.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/studio-backend-bundle/releases/tag/v2025.4.6"
            },
            {
              "name": "https://github.com/pimcore/studio-backend-bundle/releases/tag/v2026.1.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/studio-backend-bundle/releases/tag/v2026.1.6"
            }
          ],
          "source": {
            "advisory": "GHSA-79cw-hfcc-7mw9",
            "discovery": "UNKNOWN"
          },
          "title": "Pimcore: SQL Injection via Column Name in DateFilter allows authenticated user to extract arbitrary database data including admin password hashes"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55208",
        "datePublished": "2026-07-09T20:57:53.346Z",
        "dateReserved": "2026-06-16T16:16:32.627Z",
        "dateUpdated": "2026-07-10T13:51:59.895Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55212 (GCVE-0-2026-55212)

    Vulnerability from cvelistv5 – Published: 2026-07-09 20:53 – Updated: 2026-07-10 20:32
    VLAI
    Title
    Pimcore: Insufficient Permission Check on Class Definition Creation Endpoint Allows Privilege Escalation
    Summary
    Pimcore is an Open Source Data & Experience Management Platform. Prior to 2025.4.6 and 2026.1.6, the Studio API class definition creation endpoint POST /pimcore-studio/api/class/definition/configuration-view/detail/create is guarded by the objects permission instead of the classes permission, allowing a standard editor-level user to create class definitions without admin privileges. Class definition creation generates new database tables and PHP class files on the server, and missing API-layer UID format validation allows malformed UIDs to reach model-layer validation and return internal exceptions. This issue is fixed in versions 2025.4.6 and 2026.1.6.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    pimcore pimcore Affected: >= 2026.1.0, < 2026.1.6
    Affected: < 2025.4.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55212",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T19:11:51.488115Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T20:32:10.057Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-f97c-ph8j-8vff"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pimcore",
              "vendor": "pimcore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2026.1.0, \u003c 2026.1.6"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2025.4.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Pimcore is an Open Source Data \u0026 Experience Management Platform. Prior to 2025.4.6 and 2026.1.6, the Studio API class definition creation endpoint POST /pimcore-studio/api/class/definition/configuration-view/detail/create is guarded by the objects permission instead of the classes permission, allowing a standard editor-level user to create class definitions without admin privileges. Class definition creation generates new database tables and PHP class files on the server, and missing API-layer UID format validation allows malformed UIDs to reach model-layer validation and return internal exceptions. This issue is fixed in versions 2025.4.6 and 2026.1.6."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285: Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T20:53:36.900Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pimcore/pimcore/security/advisories/GHSA-f97c-ph8j-8vff",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-f97c-ph8j-8vff"
            },
            {
              "name": "https://github.com/pimcore/studio-backend-bundle/pull/1886",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/studio-backend-bundle/pull/1886"
            },
            {
              "name": "https://github.com/pimcore/studio-backend-bundle/commit/d1a4788c0f159c360d550c34256c8abbbd633ae0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/studio-backend-bundle/commit/d1a4788c0f159c360d550c34256c8abbbd633ae0"
            },
            {
              "name": "https://github.com/pimcore/studio-backend-bundle/releases/tag/v2025.4.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/studio-backend-bundle/releases/tag/v2025.4.6"
            },
            {
              "name": "https://github.com/pimcore/studio-backend-bundle/releases/tag/v2026.1.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/studio-backend-bundle/releases/tag/v2026.1.6"
            }
          ],
          "source": {
            "advisory": "GHSA-f97c-ph8j-8vff",
            "discovery": "UNKNOWN"
          },
          "title": "Pimcore: Insufficient Permission Check on Class Definition Creation Endpoint Allows Privilege Escalation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55212",
        "datePublished": "2026-07-09T20:53:36.900Z",
        "dateReserved": "2026-06-16T16:16:32.627Z",
        "dateUpdated": "2026-07-10T20:32:10.057Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5362 (GCVE-0-2026-5362)

    Vulnerability from cvelistv5 – Published: 2026-04-27 20:16 – Updated: 2026-04-28 14:36
    VLAI
    Title
    Pimcore Platform v12.3.3 - Stored XSS in Document Editable Embed rendering
    Summary
    An authenticated attacker with permission to edit document content can store crafted HTML/JavaScript in a Document embed editable and cause script execution when the published page is rendered. This issue affects pimcore: v12.3.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    pimcore pimcore Affected: v12.3.3
    Create a notification for this product.
    Credits
    Oscar Naveda Fluid Attacks' AI SAST Scanner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5362",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-28T13:33:41.603332Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-28T14:36:06.112Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows",
                "MacOS",
                "Linux"
              ],
              "product": "pimcore",
              "vendor": "pimcore",
              "versions": [
                {
                  "status": "affected",
                  "version": "v12.3.3"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:pimcore:pimcore:v12.3.3:*:windows:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:pimcore:pimcore:v12.3.3:*:macos:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:pimcore:pimcore:v12.3.3:*:linux:*:*:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Oscar Naveda"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Fluid Attacks\u0027 AI SAST Scanner"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn authenticated attacker with permission to edit document content can store crafted HTML/JavaScript in a Document \u003ccode\u003eembed\u003c/code\u003e editable and cause script execution when the published page is rendered.\u003c/p\u003e\u003cp\u003eThis issue affects pimcore: v12.3.3.\u003c/p\u003e"
                }
              ],
              "value": "An authenticated attacker with permission to edit document content can store crafted HTML/JavaScript in a Document embed editable and cause script execution when the published page is rendered.\n\nThis issue affects pimcore: v12.3.3."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-27T20:16:01.154Z",
            "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
            "shortName": "Fluid Attacks"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://fluidattacks.com/es/advisories/mago"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/pimcore/pimcore/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Pimcore Platform v12.3.3 - Stored XSS in Document Editable Embed rendering",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
        "assignerShortName": "Fluid Attacks",
        "cveId": "CVE-2026-5362",
        "datePublished": "2026-04-27T20:16:01.154Z",
        "dateReserved": "2026-04-01T17:29:08.324Z",
        "dateUpdated": "2026-04-28T14:36:06.112Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5394 (GCVE-0-2026-5394)

    Vulnerability from cvelistv5 – Published: 2026-04-27 19:15 – Updated: 2026-05-05 17:17
    VLAI
    Title
    Pimcore Platform v12.3.3 - SQL Injection in DataObject composite index handling
    Summary
    An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend. This issue affects pimcore: 12.3.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    pimcore pimcore Affected: 12.3.3
    Create a notification for this product.
    Credits
    Oscar Naveda Fluid Attacks' AI SAST Scanner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5394",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-28T13:21:06.925647Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-28T14:36:35.902Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows",
                "MacOS",
                "Linux"
              ],
              "product": "pimcore",
              "vendor": "pimcore",
              "versions": [
                {
                  "status": "affected",
                  "version": "12.3.3"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:pimcore:pimcore:12.3.3:*:windows:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:pimcore:pimcore:12.3.3:*:macos:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:pimcore:pimcore:12.3.3:*:linux:*:*:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Oscar Naveda"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Fluid Attacks\u0027 AI SAST Scanner"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend.\u003c/p\u003e\u003cp\u003eThis issue affects pimcore: 12.3.3.\u003c/p\u003e"
                }
              ],
              "value": "An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend.\n\nThis issue affects pimcore: 12.3.3."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-7",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-7 Blind SQL Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-05T17:17:45.826Z",
            "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
            "shortName": "Fluid Attacks"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://fluidattacks.com/es/advisories/dragons"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/pimcore/pimcore"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/pimcore/pimcore/pull/19108"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Pimcore Platform v12.3.3 - SQL Injection in DataObject composite index handling",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
        "assignerShortName": "Fluid Attacks",
        "cveId": "CVE-2026-5394",
        "datePublished": "2026-04-27T19:15:04.496Z",
        "dateReserved": "2026-04-01T23:34:42.722Z",
        "dateUpdated": "2026-05-05T17:17:45.826Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-27461 (GCVE-0-2026-27461)

    Vulnerability from cvelistv5 – Published: 2026-02-24 02:50 – Updated: 2026-02-24 18:58
    VLAI
    Title
    Pimcore vulnerable to SQL injection via unsanitized filter value in Dependency Dao RLIKE clause
    Summary
    Pimcore is an Open Source Data & Experience Management Platform. In versions up to and including 11.5.14.1 and 12.3.2, the filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameterized queries. Exploiting this issue requires admin authentication. An attacker with admin panel access can extract the full database including password hashes of other admin users. Version 12.3.3 contains a patch.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    pimcore pimcore Affected: <= 11.5.14.1
    Affected: >= 12.0.0, < 12.3.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-27461",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-24T18:56:21.259584Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-24T18:58:07.625Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pimcore",
              "vendor": "pimcore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c= 11.5.14.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 12.0.0, \u003c 12.3.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Pimcore is an Open Source Data \u0026 Experience Management Platform. In versions up to and including 11.5.14.1 and 12.3.2, the filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameterized queries. Exploiting this issue requires admin authentication. An attacker with admin panel access can extract the full database including password hashes of other admin users. Version 12.3.3 contains a patch."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "HIGH",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-24T02:50:48.287Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pimcore/pimcore/security/advisories/GHSA-vxg3-v4p6-f3fp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-vxg3-v4p6-f3fp"
            },
            {
              "name": "https://github.com/pimcore/pimcore/pull/18991",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/pull/18991"
            },
            {
              "name": "https://github.com/pimcore/pimcore/commit/1c3925fbec4895abeb21e5c244a83679c4e4a6f4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/commit/1c3925fbec4895abeb21e5c244a83679c4e4a6f4"
            },
            {
              "name": "https://github.com/pimcore/pimcore/releases/tag/v12.3.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/releases/tag/v12.3.3"
            }
          ],
          "source": {
            "advisory": "GHSA-vxg3-v4p6-f3fp",
            "discovery": "UNKNOWN"
          },
          "title": "Pimcore vulnerable to SQL injection via unsanitized filter value in Dependency Dao RLIKE clause"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-27461",
        "datePublished": "2026-02-24T02:50:48.287Z",
        "dateReserved": "2026-02-19T17:25:31.100Z",
        "dateUpdated": "2026-02-24T18:58:07.625Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23496 (GCVE-0-2026-23496)

    Vulnerability from cvelistv5 – Published: 2026-01-15 16:58 – Updated: 2026-01-15 18:26
    VLAI
    Title
    Pimcore Web2Print Tools Bundle "Favourite Output Channel Configuration" Missing Function Level Authorization
    Summary
    Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. Prior to 5.2.2 and 6.1.1, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing "Favourite Output Channel Configurations." Testing revealed that an authenticated backend user without explicitely lacking permissions for this feature was still able to successfully invoke the endpoint and modify or retrieve these configurations. This vulnerability is fixed in 5.2.2 and 6.1.1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    pimcore pimcore Affected: >= 6.0.0-RC1, < 6.1.1
    Affected: < 5.2.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23496",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-15T18:05:26.888302Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-15T18:26:33.948Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-4wg4-p27p-5q2r"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pimcore",
              "vendor": "pimcore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0-RC1, \u003c 6.1.1"
                },
                {
                  "status": "affected",
                  "version": "\u003c 5.2.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. Prior to 5.2.2 and 6.1.1, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing \"Favourite Output Channel Configurations.\" Testing revealed that an authenticated backend user without explicitely lacking permissions for this feature was still able to successfully invoke the endpoint and modify or retrieve these configurations. This vulnerability is fixed in 5.2.2 and 6.1.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-15T18:13:52.619Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pimcore/pimcore/security/advisories/GHSA-4wg4-p27p-5q2r",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-4wg4-p27p-5q2r"
            },
            {
              "name": "https://github.com/pimcore/web2print-tools/pull/108",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/web2print-tools/pull/108"
            },
            {
              "name": "https://github.com/pimcore/web2print-tools/commit/7714452a04b9f9b077752784af4b8d0b05e464a1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/web2print-tools/commit/7714452a04b9f9b077752784af4b8d0b05e464a1"
            },
            {
              "name": "https://github.com/pimcore/web2print-tools/releases/tag/v5.2.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/web2print-tools/releases/tag/v5.2.2"
            },
            {
              "name": "https://github.com/pimcore/web2print-tools/releases/tag/v6.1.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/web2print-tools/releases/tag/v6.1.1"
            }
          ],
          "source": {
            "advisory": "GHSA-4wg4-p27p-5q2r",
            "discovery": "UNKNOWN"
          },
          "title": "Pimcore Web2Print Tools Bundle \"Favourite Output Channel Configuration\" Missing Function Level Authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-23496",
        "datePublished": "2026-01-15T16:58:39.431Z",
        "dateReserved": "2026-01-13T15:47:41.629Z",
        "dateUpdated": "2026-01-15T18:26:33.948Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23494 (GCVE-0-2026-23494)

    Vulnerability from cvelistv5 – Published: 2026-01-15 16:52 – Updated: 2026-01-15 18:08
    VLAI
    Title
    Pimcore is Missing Function Level Authorization on "Static Routes" Listing
    Summary
    Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined via the backend interface or the var/config/staticroutes.php file, including details like regex-based patterns, controllers, variables, and priorities. These routes are registered automatically through the PimcoreStaticRoutesBundle and integrated into the MVC routing system. Testing revealed that an authenticated backend user lacking explicit permissions was able to invoke the endpoint (e.g., GET /api/static-routes) and retrieve sensitive route configurations. This vulnerability is fixed in 12.3.1 and 11.5.14.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    pimcore pimcore Affected: >= 12.0.0-RC1, < 12.3.1
    Affected: < 11.5.14
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23494",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-15T18:08:08.650556Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-15T18:08:13.110Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-m3r2-724c-pwgf"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pimcore",
              "vendor": "pimcore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 12.0.0-RC1, \u003c 12.3.1"
                },
                {
                  "status": "affected",
                  "version": "\u003c 11.5.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Pimcore is an Open Source Data \u0026 Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined via the backend interface or the var/config/staticroutes.php file, including details like regex-based patterns, controllers, variables, and priorities. These routes are registered automatically through the PimcoreStaticRoutesBundle and integrated into the MVC routing system. Testing revealed that an authenticated backend user lacking explicit permissions was able to invoke the endpoint (e.g., GET /api/static-routes) and retrieve sensitive route configurations. This vulnerability is fixed in 12.3.1 and 11.5.14."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-15T16:52:58.729Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pimcore/pimcore/security/advisories/GHSA-m3r2-724c-pwgf",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-m3r2-724c-pwgf"
            },
            {
              "name": "https://github.com/pimcore/pimcore/pull/18893",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/pull/18893"
            },
            {
              "name": "https://github.com/pimcore/pimcore/releases/tag/v11.5.14",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/releases/tag/v11.5.14"
            },
            {
              "name": "https://github.com/pimcore/pimcore/releases/tag/v12.3.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/releases/tag/v12.3.1"
            }
          ],
          "source": {
            "advisory": "GHSA-m3r2-724c-pwgf",
            "discovery": "UNKNOWN"
          },
          "title": "Pimcore is Missing Function Level Authorization on \"Static Routes\" Listing"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-23494",
        "datePublished": "2026-01-15T16:52:58.729Z",
        "dateReserved": "2026-01-13T15:47:41.629Z",
        "dateUpdated": "2026-01-15T18:08:13.110Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23495 (GCVE-0-2026-23495)

    Vulnerability from cvelistv5 – Published: 2026-01-15 16:47 – Updated: 2026-01-15 17:09
    VLAI
    Title
    Pimcore's Admin Classic Bundle is Missing Function Level Authorization on "Predefined Properties" Listing
    Summary
    Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore's official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations. The vulnerability is fixed in 2.2.3 and 1.7.16.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    pimcore pimcore Affected: >= 2.0.0-RC1, < 2.2.3
    Affected: < 1.7.16
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23495",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-15T17:08:56.115694Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-15T17:09:32.298Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pimcore",
              "vendor": "pimcore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.0-RC1, \u003c 2.2.3"
                },
                {
                  "status": "affected",
                  "version": "\u003c 1.7.16"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Pimcore\u0027s Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore\u0027s official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations. The vulnerability is fixed in 2.2.3 and 1.7.16."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-15T16:47:07.114Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pimcore/pimcore/security/advisories/GHSA-hqrp-m84v-2m2f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-hqrp-m84v-2m2f"
            },
            {
              "name": "https://github.com/pimcore/admin-ui-classic-bundle/commit/98095949fbeaf11cdf4cadb2989d7454e1b88909",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/admin-ui-classic-bundle/commit/98095949fbeaf11cdf4cadb2989d7454e1b88909"
            },
            {
              "name": "https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.7.16",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.7.16"
            },
            {
              "name": "https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v2.2.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v2.2.3"
            }
          ],
          "source": {
            "advisory": "GHSA-hqrp-m84v-2m2f",
            "discovery": "UNKNOWN"
          },
          "title": "Pimcore\u0027s Admin Classic Bundle is Missing Function Level Authorization on \"Predefined Properties\" Listing"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-23495",
        "datePublished": "2026-01-15T16:47:07.114Z",
        "dateReserved": "2026-01-13T15:47:41.629Z",
        "dateUpdated": "2026-01-15T17:09:32.298Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23493 (GCVE-0-2026-23493)

    Vulnerability from cvelistv5 – Published: 2026-01-15 16:38 – Updated: 2026-01-15 19:02
    VLAI
    Title
    Pimcore ENV Variables and Cookie Informations are exposed in http_error_log
    Summary
    Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend. This vulnerability is fixed in 12.3.1 and 11.5.14.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-532 - Insertion of Sensitive Information into Log File
    Assigner
    Impacted products
    Vendor Product Version
    pimcore pimcore Affected: >= 12.0.0-RC1, < 12.3.1
    Affected: < 11.5.14
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23493",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-15T19:02:04.572218Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-15T19:02:08.517Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-q433-j342-rp9h"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pimcore",
              "vendor": "pimcore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 12.0.0-RC1, \u003c 12.3.1"
                },
                {
                  "status": "affected",
                  "version": "\u003c 11.5.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Pimcore is an Open Source Data \u0026 Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend. This vulnerability is fixed in 12.3.1 and 11.5.14."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532: Insertion of Sensitive Information into Log File",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-15T16:38:23.923Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pimcore/pimcore/security/advisories/GHSA-q433-j342-rp9h",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-q433-j342-rp9h"
            },
            {
              "name": "https://github.com/pimcore/pimcore/pull/18918",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/pull/18918"
            },
            {
              "name": "https://github.com/pimcore/pimcore/commit/002ec7d5f84973819236796e5b314703b58e8601",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/commit/002ec7d5f84973819236796e5b314703b58e8601"
            },
            {
              "name": "https://github.com/pimcore/pimcore/releases/tag/v11.5.14",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/releases/tag/v11.5.14"
            },
            {
              "name": "https://github.com/pimcore/pimcore/releases/tag/v12.3.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pimcore/pimcore/releases/tag/v12.3.1"
            }
          ],
          "source": {
            "advisory": "GHSA-q433-j342-rp9h",
            "discovery": "UNKNOWN"
          },
          "title": "Pimcore ENV Variables and Cookie Informations are exposed in http_error_log"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-23493",
        "datePublished": "2026-01-15T16:38:23.923Z",
        "dateReserved": "2026-01-13T15:47:41.629Z",
        "dateUpdated": "2026-01-15T19:02:08.517Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }