| purl | pkg:composer/pimcore/pimcore@11.4.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-8a7j-kt62-gyat. Aliases: CVE-2024-11954, GHSA-xr3m-6gq6-22cg | A vulnerability classified as problematic was found in Pimcore 11.4.2. Affected by this vulnerability is an unknown functionality of the component Search Document. The manipulation leads to basic cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | Affected by 5 other vulnerabilities. |
| VCID-cbz2-sxrt-rffn. Aliases: CVE-2026-23493, GHSA-q433-j342-rp9h | Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend. This vulnerability is fixed in 12.3.1 and 11.5.14. | Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
| VCID-em5a-b39y-6qgc. Aliases: CVE-2026-27461, GHSA-vxg3-v4p6-f3fp | Pimcore is an Open Source Data & Experience Management Platform. In versions up to and including 11.5.14.1 and 12.3.2, the filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameterized queries. Exploiting this issue requires admin authentication. An attacker with admin panel access can extract the full database including password hashes of other admin users. Version 12.3.3 contains a patch. | Affected by 3 other vulnerabilities. Affected by 1 other vulnerability. |
| VCID-h2am-df3t-8qg4. Aliases: GHSA-8m2r-x2m2-3wmw | Duplicate Advisory: Pimcore Authenticated Stored Cross-Site Scripting (XSS) Via Search Document. This advisory has been withdrawn because it is a duplicate of GHSA-xr3m-6gq6-22cg. This link is maintained to preserve external references. Original description: A vulnerability classified as problematic was found in Pimcore 11.4.2. Affected by this vulnerability is an unknown functionality of the component Search Document. The manipulation leads to basic cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | There are no reported fixed by versions. |
| VCID-ha34-7pm3-pqgm. Aliases: CVE-2026-23492, GHSA-qvr7-7g55-69xj | Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, an incomplete SQL injection patch in the Admin Search Find API allows an authenticated attacker to perform blind SQL injection. Although CVE-2023-30848 attempted to mitigate SQL injection by removing SQL comments (--) and catching syntax errors, the fix is insufficient. Attackers can still inject SQL payloads that do not rely on comments and infer database information via blind techniques. This vulnerability affects the admin interface and can lead to database information disclosure. This vulnerability is fixed in 12.3.1 and 11.5.14. | Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
| VCID-p5rs-jqqj-dudg. Aliases: CVE-2025-27617, GHSA-qjpx-5m2p-5pgh | Pimcore is an open source data and experience management platform. Prior to version 11.5.4, authenticated users can craft a filter string used to cause a SQL injection. Version 11.5.4 fixes the issue. | Affected by 4 other vulnerabilities. |
| VCID-vgqm-xjtk-yffe. Aliases: CVE-2026-23494, GHSA-m3r2-724c-pwgf | Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined via the backend interface or the var/config/staticroutes.php file, including details like regex-based patterns, controllers, variables, and priorities. These routes are registered automatically through the PimcoreStaticRoutesBundle and integrated into the MVC routing system. Testing revealed that an authenticated backend user lacking explicit permissions was able to invoke the endpoint (e.g., GET /api/static-routes) and retrieve sensitive route configurations. This vulnerability is fixed in 12.3.1 and 11.5.14. | Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |