Vulnerability details: VCID-qv8v-b5t4-jqb9
Vulnerability ID VCID-qv8v-b5t4-jqb9
Aliases CVE-2023-28106
GHSA-x5j3-mq9g-8jc8
Summary Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Pimcore is an open source data and experience management platform. Prior to version 10.5.19, an attacker can use cross-site scripting to send a malicious script to an unsuspecting user. Users may upgrade to version 10.5.19 to receive a patch or, as a workaround, apply the patch manually.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
epss 0.0007 https://api.first.org/data/v1/epss?cve=CVE-2023-28106
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-x5j3-mq9g-8jc8
cvssv3.1 4.8 https://github.com/pimcore/pimcore
generic_textual MODERATE https://github.com/pimcore/pimcore
cvssv3.1 4.8 https://github.com/pimcore/pimcore/commit/c59d0bf1d03a5037b586fe06230694fa3818dbf2
cvssv3.1 6.1 https://github.com/pimcore/pimcore/commit/c59d0bf1d03a5037b586fe06230694fa3818dbf2
generic_textual MODERATE https://github.com/pimcore/pimcore/commit/c59d0bf1d03a5037b586fe06230694fa3818dbf2
ssvc Track https://github.com/pimcore/pimcore/commit/c59d0bf1d03a5037b586fe06230694fa3818dbf2
cvssv3.1 4.8 https://github.com/pimcore/pimcore/pull/14669.patch
cvssv3.1 6.1 https://github.com/pimcore/pimcore/pull/14669.patch
generic_textual MODERATE https://github.com/pimcore/pimcore/pull/14669.patch
ssvc Track https://github.com/pimcore/pimcore/pull/14669.patch
cvssv3.1 4.8 https://github.com/pimcore/pimcore/security/advisories/GHSA-x5j3-mq9g-8jc8
cvssv3.1 6.1 https://github.com/pimcore/pimcore/security/advisories/GHSA-x5j3-mq9g-8jc8
cvssv3.1_qr MODERATE https://github.com/pimcore/pimcore/security/advisories/GHSA-x5j3-mq9g-8jc8
generic_textual MODERATE https://github.com/pimcore/pimcore/security/advisories/GHSA-x5j3-mq9g-8jc8
ssvc Track https://github.com/pimcore/pimcore/security/advisories/GHSA-x5j3-mq9g-8jc8
cvssv3.1 4.8 https://huntr.dev/bounties/fa77d780-9b23-404b-8c44-12108881d11a
cvssv3.1 6.1 https://huntr.dev/bounties/fa77d780-9b23-404b-8c44-12108881d11a
generic_textual MODERATE https://huntr.dev/bounties/fa77d780-9b23-404b-8c44-12108881d11a
ssvc Track https://huntr.dev/bounties/fa77d780-9b23-404b-8c44-12108881d11a
cvssv3.1 4.8 https://nvd.nist.gov/vuln/detail/CVE-2023-28106
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2023-28106
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/pimcore/pimcore
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/pimcore/pimcore/commit/c59d0bf1d03a5037b586fe06230694fa3818dbf2
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/pimcore/pimcore/commit/c59d0bf1d03a5037b586fe06230694fa3818dbf2
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:29:14Z/ Found at https://github.com/pimcore/pimcore/commit/c59d0bf1d03a5037b586fe06230694fa3818dbf2
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/pimcore/pimcore/pull/14669.patch
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/pimcore/pimcore/pull/14669.patch
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:29:14Z/ Found at https://github.com/pimcore/pimcore/pull/14669.patch
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/pimcore/pimcore/security/advisories/GHSA-x5j3-mq9g-8jc8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/pimcore/pimcore/security/advisories/GHSA-x5j3-mq9g-8jc8
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:29:14Z/ Found at https://github.com/pimcore/pimcore/security/advisories/GHSA-x5j3-mq9g-8jc8
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Found at https://huntr.dev/bounties/fa77d780-9b23-404b-8c44-12108881d11a
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://huntr.dev/bounties/fa77d780-9b23-404b-8c44-12108881d11a
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:29:14Z/ Found at https://huntr.dev/bounties/fa77d780-9b23-404b-8c44-12108881d11a
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-28106
Exploit Prediction Scoring System (EPSS)
Percentile 0.21598
EPSS Score 0.0007
Published At May 30, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-30T21:00:01.244943+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/pimcore/pimcore/CVE-2023-28106.yml 38.6.0