Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-yrnf-q3z4-jfh1
Vulnerability ID VCID-yrnf-q3z4-jfh1
Aliases CVE-2026-23493
GHSA-q433-j342-rp9h
Summary Pimcore ENV Variables and Cookie Informations are exposed in http_error_log The http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-532 Insertion of Sensitive Information into Log File
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
There are no known severity scores.
Reference id Reference type URL
https://github.com/pimcore/pimcore
https://github.com/pimcore/pimcore/commit/002ec7d5f84973819236796e5b314703b58e8601
https://github.com/pimcore/pimcore/pull/18918
https://github.com/pimcore/pimcore/releases/tag/v11.5.14
https://github.com/pimcore/pimcore/releases/tag/v12.3.1
CVE-2026-23493 https://nvd.nist.gov/vuln/detail/CVE-2026-23493
GHSA-q433-j342-rp9h https://github.com/advisories/GHSA-q433-j342-rp9h
GHSA-q433-j342-rp9h https://github.com/pimcore/pimcore/security/advisories/GHSA-q433-j342-rp9h
No exploits are available.
There are no known vectors.

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-02T04:49:32.371675+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/pimcore/pimcore/CVE-2026-23493.yml 38.6.0