Lookup for vulnerable packages by Package URL.

Purl pkg:composer/pimcore/pimcore@11.0.0-ALPHA2
Type composer
Namespace pimcore
Name pimcore
Version 11.0.0-ALPHA2
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 12.3.4
Latest_non_vulnerable_version 12.3.7
Affected_by_vulnerabilities
0
url VCID-35c5-mzwz-8bgw
vulnerability_id VCID-35c5-mzwz-8bgw
summary
Withdrawn Advisory: Pimcore vulnerable to Cross-site Scripting
## Withdrawn Advisory
This advisory has been withdrawn because the maintainers no longer consider this to be a security issue. This link is maintained to preserve external references.

## Original Description
Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 11.0.0.
references
0
reference_url https://github.com/pimcore/pimcore/commit/da2af2d413b144b9a742118124457d13232d31fd
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pimcore/pimcore/commit/da2af2d413b144b9a742118124457d13232d31fd
1
reference_url https://huntr.dev/bounties/04447124-c7d4-477f-8364-91fe5b59cda0
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://huntr.dev/bounties/04447124-c7d4-477f-8364-91fe5b59cda0
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-1247
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-1247
3
reference_url https://github.com/advisories/GHSA-8wg7-88cg-7p9j
reference_id GHSA-8wg7-88cg-7p9j
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8wg7-88cg-7p9j
fixed_packages
0
url pkg:composer/pimcore/pimcore@11.0.0
purl pkg:composer/pimcore/pimcore@11.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6uw7-89nn-tkg3
1
vulnerability VCID-afta-wcuy-4kah
2
vulnerability VCID-cbz2-sxrt-rffn
3
vulnerability VCID-em5a-b39y-6qgc
4
vulnerability VCID-ha34-7pm3-pqgm
5
vulnerability VCID-p5rs-jqqj-dudg
6
vulnerability VCID-phk5-1sq4-t3gn
7
vulnerability VCID-vgqm-xjtk-yffe
8
vulnerability VCID-wvt7-h158-8kc9
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@11.0.0
aliases CVE-2023-1247, GHSA-8wg7-88cg-7p9j
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-35c5-mzwz-8bgw
1
url VCID-6uw7-89nn-tkg3
vulnerability_id VCID-6uw7-89nn-tkg3
summary Pimcore is an Open Source Data & Experience Management Platform. In affected versions the `/admin/object/grid-proxy` endpoint calls `getFilterCondition()` on fields of classes to be filtered for, passing input from the request, and later executes the returned SQL. One implementation of `getFilterCondition()` is in `Multiselect`, which does not normalize/escape/validate the passed value. Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level. This vulnerability has been addressed in version 11.1.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-47637
reference_id
reference_type
scores
0
value 0.7657
scoring_system epss
scoring_elements 0.98967
published_at 2026-06-11T12:55:00Z
1
value 0.7657
scoring_system epss
scoring_elements 0.98971
published_at 2026-06-14T12:55:00Z
2
value 0.7657
scoring_system epss
scoring_elements 0.9897
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-47637
1
reference_url https://github.com/pimcore/pimcore/blob/42b6cfa77c4540205bdd10689893ccb73e4bac8f/models/DataObject/ClassDefinition/Data/Multiselect.php#L285-L312
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pimcore/pimcore/blob/42b6cfa77c4540205bdd10689893ccb73e4bac8f/models/DataObject/ClassDefinition/Data/Multiselect.php#L285-L312
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-47637
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-47637
3
reference_url https://github.com/pimcore/pimcore/commit/d164d99c90f098d0ccd6b72929c48b727e2953a0
reference_id d164d99c90f098d0ccd6b72929c48b727e2953a0
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-29T17:40:14Z/
url https://github.com/pimcore/pimcore/commit/d164d99c90f098d0ccd6b72929c48b727e2953a0
4
reference_url https://github.com/advisories/GHSA-72hh-xf79-429p
reference_id GHSA-72hh-xf79-429p
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-72hh-xf79-429p
5
reference_url https://github.com/pimcore/pimcore/security/advisories/GHSA-72hh-xf79-429p
reference_id GHSA-72hh-xf79-429p
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-29T17:40:14Z/
url https://github.com/pimcore/pimcore/security/advisories/GHSA-72hh-xf79-429p
6
reference_url https://github.com/pimcore/admin-ui-classic-bundle/blob/bba7c7419cb1f06d5fd98781eab4d6995e4e5dca/src/Helper/GridHelperService.php#L311
reference_id GridHelperService.php#L311
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-29T17:40:14Z/
url https://github.com/pimcore/admin-ui-classic-bundle/blob/bba7c7419cb1f06d5fd98781eab4d6995e4e5dca/src/Helper/GridHelperService.php#L311
fixed_packages
0
url pkg:composer/pimcore/pimcore@11.1.1
purl pkg:composer/pimcore/pimcore@11.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2b8z-rbsm-1fbp
1
vulnerability VCID-cbz2-sxrt-rffn
2
vulnerability VCID-em5a-b39y-6qgc
3
vulnerability VCID-ha34-7pm3-pqgm
4
vulnerability VCID-p5rs-jqqj-dudg
5
vulnerability VCID-phk5-1sq4-t3gn
6
vulnerability VCID-vgqm-xjtk-yffe
7
vulnerability VCID-wvt7-h158-8kc9
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@11.1.1
aliases CVE-2023-47637, GHSA-72hh-xf79-429p
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6uw7-89nn-tkg3
2
url VCID-afta-wcuy-4kah
vulnerability_id VCID-afta-wcuy-4kah
summary Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 11.1.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-5873
reference_id
reference_type
scores
0
value 4e-05
scoring_system epss
scoring_elements 0.00147
published_at 2026-06-13T12:55:00Z
1
value 4e-05
scoring_system epss
scoring_elements 0.00146
published_at 2026-06-14T12:55:00Z
2
value 4e-05
scoring_system epss
scoring_elements 0.00148
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-5873
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-5873
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-5873
2
reference_url https://huntr.com/bounties/701cfc30-22a1-4c4b-9b2f-885c77c290ce
reference_id 701cfc30-22a1-4c4b-9b2f-885c77c290ce
reference_type
scores
0
value 4
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
1
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-27T20:32:14Z/
url https://huntr.com/bounties/701cfc30-22a1-4c4b-9b2f-885c77c290ce
3
reference_url https://github.com/pimcore/pimcore/commit/757375677dc83a44c6c22f26d97452cc5cda5d7c
reference_id 757375677dc83a44c6c22f26d97452cc5cda5d7c
reference_type
scores
0
value 4
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
1
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-27T20:32:14Z/
url https://github.com/pimcore/pimcore/commit/757375677dc83a44c6c22f26d97452cc5cda5d7c
4
reference_url https://github.com/advisories/GHSA-j59v-hh4p-q92m
reference_id GHSA-j59v-hh4p-q92m
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-j59v-hh4p-q92m
fixed_packages
0
url pkg:composer/pimcore/pimcore@11.1.0
purl pkg:composer/pimcore/pimcore@11.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6uw7-89nn-tkg3
1
vulnerability VCID-cbz2-sxrt-rffn
2
vulnerability VCID-em5a-b39y-6qgc
3
vulnerability VCID-ha34-7pm3-pqgm
4
vulnerability VCID-p5rs-jqqj-dudg
5
vulnerability VCID-phk5-1sq4-t3gn
6
vulnerability VCID-vgqm-xjtk-yffe
7
vulnerability VCID-wvt7-h158-8kc9
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@11.1.0
aliases CVE-2023-5873, GHSA-j59v-hh4p-q92m
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-afta-wcuy-4kah
3
url VCID-cbz2-sxrt-rffn
vulnerability_id VCID-cbz2-sxrt-rffn
summary Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend. This vulnerability is fixed in 12.3.1 and 11.5.14.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23493
reference_id
reference_type
scores
0
value 1e-05
scoring_system epss
scoring_elements 1e-05
published_at 2026-06-14T12:55:00Z
1
value 1e-05
scoring_system epss
scoring_elements 5e-05
published_at 2026-06-12T12:55:00Z
2
value 1e-05
scoring_system epss
scoring_elements 2e-05
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23493
1
reference_url https://github.com/pimcore/pimcore/commit/002ec7d5f84973819236796e5b314703b58e8601
reference_id 002ec7d5f84973819236796e5b314703b58e8601
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-15T19:02:04Z/
url https://github.com/pimcore/pimcore/commit/002ec7d5f84973819236796e5b314703b58e8601
2
reference_url https://github.com/pimcore/pimcore/pull/18918
reference_id 18918
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-15T19:02:04Z/
url https://github.com/pimcore/pimcore/pull/18918
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23493
reference_id CVE-2026-23493
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23493
4
reference_url https://github.com/advisories/GHSA-q433-j342-rp9h
reference_id GHSA-q433-j342-rp9h
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-q433-j342-rp9h
5
reference_url https://github.com/pimcore/pimcore/security/advisories/GHSA-q433-j342-rp9h
reference_id GHSA-q433-j342-rp9h
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-15T19:02:04Z/
url https://github.com/pimcore/pimcore/security/advisories/GHSA-q433-j342-rp9h
6
reference_url https://github.com/pimcore/pimcore/releases/tag/v11.5.14
reference_id v11.5.14
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-15T19:02:04Z/
url https://github.com/pimcore/pimcore/releases/tag/v11.5.14
7
reference_url https://github.com/pimcore/pimcore/releases/tag/v12.3.1
reference_id v12.3.1
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-15T19:02:04Z/
url https://github.com/pimcore/pimcore/releases/tag/v12.3.1
fixed_packages
0
url pkg:composer/pimcore/pimcore@11.5.14
purl pkg:composer/pimcore/pimcore@11.5.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-em5a-b39y-6qgc
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@11.5.14
1
url pkg:composer/pimcore/pimcore@12.3.1
purl pkg:composer/pimcore/pimcore@12.3.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-em5a-b39y-6qgc
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@12.3.1
aliases CVE-2026-23493, GHSA-q433-j342-rp9h
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cbz2-sxrt-rffn
4
url VCID-em5a-b39y-6qgc
vulnerability_id VCID-em5a-b39y-6qgc
summary Pimcore is an Open Source Data & Experience Management Platform. In versions up to and including 11.5.14.1 and 12.3.2, the filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameterized queries. Exploiting this issue requires admin authentication. An attacker with admin panel access can extract the full database including password hashes of other admin users. Version 12.3.3 contains a patch.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-27461
reference_id
reference_type
scores
0
value 0.00013
scoring_system epss
scoring_elements 0.02341
published_at 2026-06-14T12:55:00Z
1
value 0.00013
scoring_system epss
scoring_elements 0.02334
published_at 2026-06-13T12:55:00Z
2
value 0.00013
scoring_system epss
scoring_elements 0.0234
published_at 2026-06-12T12:55:00Z
3
value 0.00013
scoring_system epss
scoring_elements 0.02342
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-27461
1
reference_url https://github.com/pimcore/pimcore/pull/18991
reference_id 18991
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:56:21Z/
url https://github.com/pimcore/pimcore/pull/18991
2
reference_url https://github.com/pimcore/pimcore/commit/1c3925fbec4895abeb21e5c244a83679c4e4a6f4
reference_id 1c3925fbec4895abeb21e5c244a83679c4e4a6f4
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:56:21Z/
url https://github.com/pimcore/pimcore/commit/1c3925fbec4895abeb21e5c244a83679c4e4a6f4
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-27461
reference_id CVE-2026-27461
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-27461
4
reference_url https://github.com/advisories/GHSA-vxg3-v4p6-f3fp
reference_id GHSA-vxg3-v4p6-f3fp
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vxg3-v4p6-f3fp
5
reference_url https://github.com/pimcore/pimcore/security/advisories/GHSA-vxg3-v4p6-f3fp
reference_id GHSA-vxg3-v4p6-f3fp
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:56:21Z/
url https://github.com/pimcore/pimcore/security/advisories/GHSA-vxg3-v4p6-f3fp
6
reference_url https://github.com/pimcore/pimcore/releases/tag/v12.3.3
reference_id v12.3.3
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:56:21Z/
url https://github.com/pimcore/pimcore/releases/tag/v12.3.3
fixed_packages
0
url pkg:composer/pimcore/pimcore@12.0.0-RC1
purl pkg:composer/pimcore/pimcore@12.0.0-RC1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cbz2-sxrt-rffn
1
vulnerability VCID-ha34-7pm3-pqgm
2
vulnerability VCID-vgqm-xjtk-yffe
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@12.0.0-RC1
1
url pkg:composer/pimcore/pimcore@12.3.3
purl pkg:composer/pimcore/pimcore@12.3.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-reqw-yyg8-wugv
1
vulnerability VCID-xjuf-ar4q-uyfz
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@12.3.3
aliases CVE-2026-27461, GHSA-vxg3-v4p6-f3fp
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-em5a-b39y-6qgc
5
url VCID-ha34-7pm3-pqgm
vulnerability_id VCID-ha34-7pm3-pqgm
summary Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, an incomplete SQL injection patch in the Admin Search Find API allows an authenticated attacker to perform blind SQL injection. Although CVE-2023-30848 attempted to mitigate SQL injection by removing SQL comments (--) and catching syntax errors, the fix is insufficient. Attackers can still inject SQL payloads that do not rely on comments and infer database information via blind techniques. This vulnerability affects the admin interface and can lead to database information disclosure. This vulnerability is fixed in 12.3.1 and 11.5.14.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23492
reference_id
reference_type
scores
0
value 4e-05
scoring_system epss
scoring_elements 0.00141
published_at 2026-06-14T12:55:00Z
1
value 4e-05
scoring_system epss
scoring_elements 0.0015
published_at 2026-06-12T12:55:00Z
2
value 5e-05
scoring_system epss
scoring_elements 0.00243
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23492
1
reference_url https://github.com/pimcore/pimcore/commit/25ad8674886f2b938243cbe13e33e204a2e35cc3
reference_id 25ad8674886f2b938243cbe13e33e204a2e35cc3
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-01-14T21:14:38Z/
url https://github.com/pimcore/pimcore/commit/25ad8674886f2b938243cbe13e33e204a2e35cc3
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23492
reference_id CVE-2026-23492
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23492
3
reference_url https://github.com/advisories/GHSA-6mhm-gcpf-5gr8
reference_id GHSA-6mhm-gcpf-5gr8
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-6mhm-gcpf-5gr8
4
reference_url https://github.com/advisories/GHSA-qvr7-7g55-69xj
reference_id GHSA-qvr7-7g55-69xj
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qvr7-7g55-69xj
5
reference_url https://github.com/pimcore/pimcore/security/advisories/GHSA-qvr7-7g55-69xj
reference_id GHSA-qvr7-7g55-69xj
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-01-14T21:14:38Z/
url https://github.com/pimcore/pimcore/security/advisories/GHSA-qvr7-7g55-69xj
fixed_packages
0
url pkg:composer/pimcore/pimcore@11.5.14
purl pkg:composer/pimcore/pimcore@11.5.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-em5a-b39y-6qgc
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@11.5.14
1
url pkg:composer/pimcore/pimcore@12.3.1
purl pkg:composer/pimcore/pimcore@12.3.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-em5a-b39y-6qgc
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@12.3.1
aliases CVE-2026-23492, GHSA-qvr7-7g55-69xj
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ha34-7pm3-pqgm
6
url VCID-p5rs-jqqj-dudg
vulnerability_id VCID-p5rs-jqqj-dudg
summary Pimcore is an open source data and experience management platform. Prior to version 11.5.4, authenticated users can craft a filter string used to cause a SQL injection. Version 11.5.4 fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-27617
reference_id
reference_type
scores
0
value 0.00544
scoring_system epss
scoring_elements 0.68286
published_at 2026-06-12T12:55:00Z
1
value 0.00544
scoring_system epss
scoring_elements 0.68296
published_at 2026-06-14T12:55:00Z
2
value 0.00544
scoring_system epss
scoring_elements 0.68197
published_at 2026-06-11T12:55:00Z
3
value 0.00544
scoring_system epss
scoring_elements 0.68298
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-27617
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-27617
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-27617
2
reference_url https://github.com/pimcore/pimcore/commit/19a8520895484e68fd254773e32476565d91deea
reference_id 19a8520895484e68fd254773e32476565d91deea
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-12T15:29:36Z/
url https://github.com/pimcore/pimcore/commit/19a8520895484e68fd254773e32476565d91deea
3
reference_url https://github.com/advisories/GHSA-qjpx-5m2p-5pgh
reference_id GHSA-qjpx-5m2p-5pgh
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qjpx-5m2p-5pgh
4
reference_url https://github.com/pimcore/pimcore/security/advisories/GHSA-qjpx-5m2p-5pgh
reference_id GHSA-qjpx-5m2p-5pgh
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-12T15:29:36Z/
url https://github.com/pimcore/pimcore/security/advisories/GHSA-qjpx-5m2p-5pgh
5
reference_url https://github.com/pimcore/pimcore/blob/c721a42c23efffd4ca916511ddb969598d302396/models/DataObject/ClassDefinition/Data/Multiselect.php#L332-L347
reference_id Multiselect.php#L332-L347
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-12T15:29:36Z/
url https://github.com/pimcore/pimcore/blob/c721a42c23efffd4ca916511ddb969598d302396/models/DataObject/ClassDefinition/Data/Multiselect.php#L332-L347
6
reference_url https://github.com/pimcore/pimcore/blob/c721a42c23efffd4ca916511ddb969598d302396/models/DataObject/ClassDefinition/Data/Extension/RelationFilterConditionParser.php#L29-L47
reference_id RelationFilterConditionParser.php#L29-L47
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-12T15:29:36Z/
url https://github.com/pimcore/pimcore/blob/c721a42c23efffd4ca916511ddb969598d302396/models/DataObject/ClassDefinition/Data/Extension/RelationFilterConditionParser.php#L29-L47
fixed_packages
0
url pkg:composer/pimcore/pimcore@11.5.4
purl pkg:composer/pimcore/pimcore@11.5.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cbz2-sxrt-rffn
1
vulnerability VCID-em5a-b39y-6qgc
2
vulnerability VCID-ha34-7pm3-pqgm
3
vulnerability VCID-vgqm-xjtk-yffe
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@11.5.4
aliases CVE-2025-27617, GHSA-qjpx-5m2p-5pgh
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p5rs-jqqj-dudg
7
url VCID-phk5-1sq4-t3gn
vulnerability_id VCID-phk5-1sq4-t3gn
summary Pimcore TinyMCE Bundle - tinymce CVE-2024-29203, CVE-2024-29881
references
0
reference_url https://github.com/advisories/GHSA-vjwg-28gv-pm8h
reference_id GHSA-vjwg-28gv-pm8h
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vjwg-28gv-pm8h
1
reference_url https://github.com/pimcore/pimcore/security/advisories/GHSA-vjwg-28gv-pm8h
reference_id GHSA-vjwg-28gv-pm8h
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pimcore/pimcore/security/advisories/GHSA-vjwg-28gv-pm8h
fixed_packages
0
url pkg:composer/pimcore/pimcore@11.1.6%2B5
purl pkg:composer/pimcore/pimcore@11.1.6%2B5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@11.1.6%252B5
1
url pkg:composer/pimcore/pimcore@11.2.3
purl pkg:composer/pimcore/pimcore@11.2.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cbz2-sxrt-rffn
1
vulnerability VCID-em5a-b39y-6qgc
2
vulnerability VCID-ha34-7pm3-pqgm
3
vulnerability VCID-p5rs-jqqj-dudg
4
vulnerability VCID-vgqm-xjtk-yffe
5
vulnerability VCID-wvt7-h158-8kc9
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@11.2.3
aliases GHSA-vjwg-28gv-pm8h
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-phk5-1sq4-t3gn
8
url VCID-vgqm-xjtk-yffe
vulnerability_id VCID-vgqm-xjtk-yffe
summary Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined via the backend interface or the var/config/staticroutes.php file, including details like regex-based patterns, controllers, variables, and priorities. These routes are registered automatically through the PimcoreStaticRoutesBundle and integrated into the MVC routing system. Testing revealed that an authenticated backend user lacking explicit permissions was able to invoke the endpoint (e.g., GET /api/static-routes) and retrieve sensitive route configurations. This vulnerability is fixed in 12.3.1 and 11.5.14.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23494
reference_id
reference_type
scores
0
value 1e-05
scoring_system epss
scoring_elements 8e-05
published_at 2026-06-14T12:55:00Z
1
value 1e-05
scoring_system epss
scoring_elements 0.00015
published_at 2026-06-12T12:55:00Z
2
value 1e-05
scoring_system epss
scoring_elements 9e-05
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23494
1
reference_url https://github.com/pimcore/pimcore/pull/18893
reference_id 18893
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-15T18:08:08Z/
url https://github.com/pimcore/pimcore/pull/18893
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23494
reference_id CVE-2026-23494
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23494
3
reference_url https://github.com/advisories/GHSA-m3r2-724c-pwgf
reference_id GHSA-m3r2-724c-pwgf
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-m3r2-724c-pwgf
4
reference_url https://github.com/pimcore/pimcore/security/advisories/GHSA-m3r2-724c-pwgf
reference_id GHSA-m3r2-724c-pwgf
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-15T18:08:08Z/
url https://github.com/pimcore/pimcore/security/advisories/GHSA-m3r2-724c-pwgf
5
reference_url https://github.com/pimcore/pimcore/releases/tag/v11.5.14
reference_id v11.5.14
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-15T18:08:08Z/
url https://github.com/pimcore/pimcore/releases/tag/v11.5.14
6
reference_url https://github.com/pimcore/pimcore/releases/tag/v12.3.1
reference_id v12.3.1
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-15T18:08:08Z/
url https://github.com/pimcore/pimcore/releases/tag/v12.3.1
fixed_packages
0
url pkg:composer/pimcore/pimcore@11.5.14
purl pkg:composer/pimcore/pimcore@11.5.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-em5a-b39y-6qgc
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@11.5.14
1
url pkg:composer/pimcore/pimcore@12.3.1
purl pkg:composer/pimcore/pimcore@12.3.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-em5a-b39y-6qgc
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@12.3.1
aliases CVE-2026-23494, GHSA-m3r2-724c-pwgf
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vgqm-xjtk-yffe
Fixing_vulnerabilities
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@11.0.0-ALPHA2