Search for packages
| purl | pkg:composer/pimcore/pimcore@10.6.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-68hd-e927-4kcu
Aliases: CVE-2026-23494 GHSA-m3r2-724c-pwgf |
Pimcore is Vulnerable to Broken Access Control: Missing Function Level Authorization on "Static Routes" Listing The application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined via the backend interface or the var/config/staticroutes.php file, including details like regex-based patterns, controllers, variables, and priorities. These routes are registered automatically through the PimcoreStaticRoutesBundle and integrated into the MVC routing system. Testing revealed that an authenticated backend user lacking explicit permissions was able to invoke the endpoint (e.g., GET /api/static-routes) and retrieve sensitive route configurations. This violates OWASP A01:2021 Broken Access Control, as function-level authorization is absent, allowing unauthorized access to internal routing metadata. Without validation, the endpoint exposes route structures, potentially revealing application architecture, endpoints, or custom logic intended for administrative roles only. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-bb65-xxsn-m3gv
Aliases: CVE-2025-27617 GHSA-qjpx-5m2p-5pgh |
Affected by 4 other vulnerabilities. |
|
|
VCID-cbx2-f95n-kqgd
Aliases: CVE-2023-4453 GHSA-599v-h3q5-g6r9 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.6.8. |
Affected by 7 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-de3u-8wqt-uyc2
Aliases: CVE-2023-38708 GHSA-34hj-v8fm-x887 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Pimcore is an Open Source Data & Experience Management Platform: PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce. A path traversal vulnerability exists in the `AssetController::importServerFilesAction`, which allows an attacker to overwrite or modify sensitive files by manipulating the pimcore_log parameter.This can lead to potential denial of service---key file overwrite. The impact of this vulnerability allows attackers to: overwrite or modify sensitive files, potentially leading to unauthorized access, privilege escalation, or disclosure of confidential information. This could also cause a denial of service (DoS) if critical system files are overwritten or deleted. |
Affected by 8 other vulnerabilities. |
|
VCID-dhdb-wakw-pufe
Aliases: CVE-2023-5873 GHSA-j59v-hh4p-q92m |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 11.1.0. |
Affected by 8 other vulnerabilities. |
|
VCID-f4vw-12f3-wfgb
Aliases: CVE-2026-27461 GHSA-vxg3-v4p6-f3fp |
Pimcore vulnerable to SQL injection via unsanitized filter value in Dependency Dao RLIKE clause The filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameterized queries. Affected code in models/Dependency/Dao.php: - getFilterRequiresByPath() lines 90, 95, 100 - getFilterRequiredByPath() lines 148, 153, 158 All 6 locations use direct string concatenation like: "AND LOWER(CONCAT(o.path, o.key)) RLIKE '".$value."'" Note that $orderBy and $orderDirection in the same methods (lines 75-81) ARE properly `whitelist`-validated, but $value has zero sanitization. Entry points (pimcore/admin-ui-classic-bundle ElementController.php): - GET /admin/element/get-requires-dependencies (line 654) - GET /admin/element/get-required-by-dependencies (line 714) The controller JSON-decodes the filter query param and passes $filter['value'] straight to the Dao without any escaping. PoC (time-based blind): |
Affected by 3 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-f5cg-bkw2-hqct
Aliases: CVE-2026-23493 GHSA-q433-j342-rp9h |
Pimcore ENV Variables and Cookie Informations are exposed in http_error_log The http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-hed9-c39j-87g2
Aliases: CVE-2023-3820 GHSA-c9hw-557q-f8hq |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') SQL Injection in GitHub repository pimcore/pimcore prior to 10.6.4. |
Affected by 9 other vulnerabilities. |
|
VCID-mcrd-q5wz-d7dk
Aliases: CVE-2023-3819 GHSA-r87r-982q-2c3q |
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository pimcore/pimcore prior to 10.6.4. |
Affected by 9 other vulnerabilities. |
|
VCID-q7xb-xff7-77cf
Aliases: CVE-2023-3822 GHSA-vmpv-qjhq-r463 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.6.4. |
Affected by 9 other vulnerabilities. |
|
VCID-uaf3-v6zj-uuc3
Aliases: CVE-2026-23492 GHSA-qvr7-7g55-69xj |
Pimcore Has an Incomplete Patch for CVE-2023-30848 An **incomplete SQL injection patch** in the Admin Search Find API allows an authenticated attacker to perform **blind SQL injection**. Although CVE-2023-30848 attempted to mitigate SQL injection by removing SQL comments (--) and catching syntax errors, the fix is insufficient. Attackers can still inject SQL payloads that do not rely on comments and infer database information via blind techniques. This vulnerability affects the admin interface and can lead to **database information disclosure**. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-wzbf-bazj-4kgy
Aliases: CVE-2023-3821 GHSA-78q2-cv3p-x9fm |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.6.4. |
Affected by 9 other vulnerabilities. |
|
VCID-xfwh-3838-j7ct
Aliases: CVE-2023-47637 GHSA-72hh-xf79-429p |
Cross-Site Request Forgery (CSRF) Pimcore is an Open Source Data & Experience Management Platform. In affected versions the `/admin/object/grid-proxy` endpoint calls `getFilterCondition()` on fields of classes to be filtered for, passing input from the request, and later executes the returned SQL. One implementation of `getFilterCondition()` is in `Multiselect`, which does not normalize/escape/validate the passed value. Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level. This vulnerability has been addressed in version 11.1.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. |
Affected by 8 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||