Package details: pkg:composer/pimcore/pimcore@11.1.2
purl: pkg:composer/pimcore/pimcore@11.1.2
Next non-vulnerable version: 12.3.4
Latest non-vulnerable version: 12.3.7
Risk: 4.0
Vulnerabilities affecting this package (8)

VCID-21s4-mb97-v7bh
Aliases: CVE-2025-27617, GHSA-qjpx-5m2p-5pgh
Summary: Pimcore Vulnerable to SQL Injection in getRelationFilterCondition. Authenticated users can craft a filter string used to cause a SQL injection.
Fixed by: 11.5.4 (this version is affected by 4 other vulnerabilities)

VCID-4n21-ae6m-3qhk
Aliases: GHSA-vjwg-28gv-pm8h
Summary: Pimcore TinyMCE Bundle - tinymce CVE-2024-29203, CVE-2024-29881. The TinyMCE Bundle uses tinymce version 6.7.3. CVEs for this version exist for <6.8.1: https://nvd.nist.gov/vuln/detail/CVE-2024-29203 https://nvd.nist.gov/vuln/detail/CVE-2024-29881
Fixed by: 11.1.6+5 (this version is affected by 0 other vulnerabilities); 11.2.3 (this version is affected by 6 other vulnerabilities)

VCID-53nb-8vf3-9ubb
Aliases: CVE-2026-23492, GHSA-qvr7-7g55-69xj
Summary: Pimcore Has an Incomplete Patch for CVE-2023-30848. An **incomplete SQL injection patch** in the Admin Search Find API allows an authenticated attacker to perform **blind SQL injection**. Although CVE-2023-30848 attempted to mitigate SQL injection by removing SQL comments (--) and catching syntax errors, the fix is insufficient. Attackers can still inject SQL payloads that do not rely on comments and infer database information via blind techniques. This vulnerability affects the admin interface and can lead to **database information disclosure**.
Fixed by: 11.5.14 (this version is affected by 1 other vulnerability); 12.3.1 (this version is affected by 1 other vulnerability)

VCID-cn4e-nsm4-e3fv
Aliases: GHSA-hq76-662x-7mw4
Summary: Pimcore includes vulnerable PHPOffice/PhpSpreadsheet. Pimcore 10.6.x and Enterprise 10.6.x versions currently depend on PHPOffice/PhpSpreadsheet version 1.x, which has recently been identified with a security vulnerability (CVE-2024-45048). To mitigate this issue, it is recommended to update to the latest version 2.2.2. For more details, please refer to the official advisory: [GHSA-ghg6-32f9-2jp7](https://github.com/advisories/GHSA-ghg6-32f9-2jp7).
Fixed by: 11.1.6+11 (this version is affected by 0 other vulnerabilities); 11.2.0 (this version is affected by 8 other vulnerabilities)

VCID-hmpr-1fgb-jqea
Aliases: CVE-2026-27461, GHSA-vxg3-v4p6-f3fp
Summary: Pimcore vulnerable to SQL injection via unsanitized filter value in Dependency Dao RLIKE clause. The filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameterized queries.
Affected code in models/Dependency/Dao.php:
- getFilterRequiresByPath() lines 90, 95, 100
- getFilterRequiredByPath() lines 148, 153, 158
All 6 locations use direct string concatenation like: "AND LOWER(CONCAT(o.path, o.key)) RLIKE '".$value."'"
Note that $orderBy and $orderDirection in the same methods (lines 75-81) ARE properly `whitelist`-validated, but $value has zero sanitization.
Entry points (pimcore/admin-ui-classic-bundle ElementController.php):
- GET /admin/element/get-requires-dependencies (line 654)
- GET /admin/element/get-required-by-dependencies (line 714)
The controller JSON-decodes the filter query param and passes $filter['value'] straight to the Dao without any escaping.
PoC (time-based blind):
Fixed by: 12.0.0-RC1 (this version is affected by 3 other vulnerabilities); 12.3.3 (this version is affected by 2 other vulnerabilities)

VCID-u5a1-c9ar-3kg6
Aliases: CVE-2024-32871, GHSA-277c-5vvj-9pwx
Summary: Flooding Server with Thumbnail files. All Pimcore instances are affected and, as far as we can see, all versions.
Fixed by: 11.2.4 (this version is affected by 5 other vulnerabilities)

VCID-xvhk-gv9z-53hb
Aliases: CVE-2026-23494, GHSA-m3r2-724c-pwgf
Summary: Pimcore is Vulnerable to Broken Access Control: Missing Function Level Authorization on "Static Routes" Listing. The application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined via the backend interface or the var/config/staticroutes.php file, including details like regex-based patterns, controllers, variables, and priorities. These routes are registered automatically through the PimcoreStaticRoutesBundle and integrated into the MVC routing system. Testing revealed that an authenticated backend user lacking explicit permissions was able to invoke the endpoint (e.g., GET /api/static-routes) and retrieve sensitive route configurations. This violates OWASP A01:2021 Broken Access Control, as function-level authorization is absent, allowing unauthorized access to internal routing metadata. Without validation, the endpoint exposes route structures, potentially revealing application architecture, endpoints, or custom logic intended for administrative roles only.
Fixed by: 11.5.14 (this version is affected by 1 other vulnerability); 12.3.1 (this version is affected by 1 other vulnerability)

VCID-yrnf-q3z4-jfh1
Aliases: CVE-2026-23493, GHSA-q433-j342-rp9h
Summary: Pimcore ENV Variables and Cookie Information are exposed in http_error_log. The http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend.
Fixed by: 11.5.14 (this version is affected by 1 other vulnerability); 12.3.1 (this version is affected by 1 other vulnerability)
Vulnerabilities fixed by this package (0)
This package is not known to fix vulnerabilities.

Date | Actor | Action | Vulnerability | Source | VulnerableCode version
2026-06-06T07:00:04.615956+00:00 | GitLab Importer | Affected by | VCID-hmpr-1fgb-jqea | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/pimcore/pimcore/CVE-2026-27461.yml | 38.6.0
2026-06-06T06:40:52.202763+00:00 | GitLab Importer | Affected by | VCID-xvhk-gv9z-53hb | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/pimcore/pimcore/CVE-2026-23494.yml | 38.6.0
2026-06-06T06:40:45.057420+00:00 | GitLab Importer | Affected by | VCID-yrnf-q3z4-jfh1 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/pimcore/pimcore/CVE-2026-23493.yml | 38.6.0
2026-06-06T06:40:35.776058+00:00 | GitLab Importer | Affected by | VCID-53nb-8vf3-9ubb | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/pimcore/pimcore/CVE-2026-23492.yml | 38.6.0
2026-06-06T05:41:57.687633+00:00 | GitLab Importer | Affected by | VCID-21s4-mb97-v7bh | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/pimcore/pimcore/CVE-2025-27617.yml | 38.6.0
2026-06-06T05:21:05.181951+00:00 | GitLab Importer | Affected by | VCID-cn4e-nsm4-e3fv | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/pimcore/pimcore/GHSA-hq76-662x-7mw4.yml | 38.6.0
2026-06-06T05:02:32.998753+00:00 | GitLab Importer | Affected by | VCID-u5a1-c9ar-3kg6 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/pimcore/pimcore/CVE-2024-32871.yml | 38.6.0
2026-06-06T04:50:28.408157+00:00 | GitLab Importer | Affected by | VCID-4n21-ae6m-3qhk | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/pimcore/pimcore/GHSA-vjwg-28gv-pm8h.yml | 38.6.0