Filtered by vendor Pimcore
Subscribe
Total
155 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-10867 | 1 Pimcore | 1 Pimcore | 2026-06-17 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Pimcore before 5.7.1. An attacker with classes permission can send a POST request to /admin/class/bulk-commit, which will make it possible to exploit the unserialize function when passing untrusted values in the data parameter to bundles/AdminBundle/Controller/Admin/DataObject/ClassController.php. | |||||
| CVE-2018-14059 | 1 Pimcore | 1 Pimcore | 2026-06-17 | 3.5 LOW | 5.4 MEDIUM |
| Pimcore allows XSS via Users, Assets, Data Objects, Video Thumbnails, Image Thumbnails, Field-Collections, Objectbrick, Classification Store, Document Types, Predefined Properties, Predefined Asset Metadata, Quantity Value, and Static Routes functions. | |||||
| CVE-2018-14058 | 1 Pimcore | 1 Pimcore | 2026-06-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| Pimcore before 5.3.0 allows SQL Injection via the REST web service API. | |||||
| CVE-2018-14057 | 1 Pimcore | 1 Pimcore | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| Pimcore before 5.3.0 allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging validation of the X-pimcore-csrf-token anti-CSRF token only in the "Settings > Users / Roles" function. | |||||
| CVE-2015-4426 | 1 Pimcore | 1 Pimcore | 2026-06-17 | 7.5 HIGH | N/A |
| SQL injection vulnerability in pimcore before build 3473 allows remote attackers to execute arbitrary SQL commands via the filter parameter to admin/asset/grid-proxy. | |||||
| CVE-2015-4425 | 1 Pimcore | 1 Pimcore | 2026-06-17 | 4.9 MEDIUM | N/A |
| Directory traversal vulnerability in pimcore before build 3473 allows remote authenticated users with the "assets" permission to create or write to arbitrary files via a .. (dot dot) in the dir parameter to admin/asset/add-asset-compatibility. | |||||
| CVE-2014-2922 | 1 Pimcore | 1 Pimcore | 2026-06-17 | 6.4 MEDIUM | N/A |
| The getObjectByToken function in Newsletter.php in the Pimcore_Tool_Newsletter module in pimcore 1.4.9 through 2.1.0 does not properly handle an object obtained by unserializing a pathname, which allows remote attackers to conduct PHP object injection attacks and delete arbitrary files via vectors involving a Zend_Http_Response_Stream object. | |||||
| CVE-2014-2921 | 1 Pimcore | 1 Pimcore | 2026-06-17 | 7.5 HIGH | N/A |
| The getObjectByToken function in Newsletter.php in the Pimcore_Tool_Newsletter module in pimcore 1.4.9 through 2.0.0 does not properly handle an object obtained by unserializing Lucene search data, which allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via vectors involving a Zend_Pdf_ElementFactory_Proxy object and a pathname with a trailing \0 character. | |||||
| CVE-2026-5362 | 1 Pimcore | 1 Pimcore | 2026-05-18 | N/A | 5.4 MEDIUM |
| An authenticated attacker with permission to edit document content can store crafted HTML/JavaScript in a Document embed editable and cause script execution when the published page is rendered. This issue affects pimcore: v12.3.3. | |||||
| CVE-2021-31869 | 1 Pimcore | 1 Pimcore | 2026-03-06 | 5.0 MEDIUM | 6.5 MEDIUM |
| Pimcore AdminBundle version 6.8.0 and earlier suffers from a SQL injection issue in the specificID variable used by the application. This issue was fixed in version 6.9.4 of the product. | |||||
| CVE-2023-2881 | 1 Pimcore | 1 Customer Management Framework | 2026-03-06 | N/A | 4.9 MEDIUM |
| Storing Passwords in a Recoverable Format in GitHub repository pimcore/customer-data-framework prior to 3.3.10. | |||||
| CVE-2023-4145 | 1 Pimcore | 1 Customer Management Framework | 2026-03-06 | N/A | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/customer-data-framework prior to 3.4.2. | |||||
| CVE-2026-27461 | 1 Pimcore | 1 Pimcore | 2026-02-25 | N/A | 4.9 MEDIUM |
| Pimcore is an Open Source Data & Experience Management Platform. In versions up to and including 11.5.14.1 and 12.3.2, the filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameterized queries. Exploiting this issue requires admin authentication. An attacker with admin panel access can extract the full database including password hashes of other admin users. Version 12.3.3 contains a patch. | |||||
| CVE-2022-0565 | 1 Pimcore | 1 Pimcore | 2026-02-24 | 5.0 MEDIUM | 7.6 HIGH |
| Cross-site Scripting in Packagist pimcore/pimcore prior to 10.3.1. | |||||
| CVE-2026-23495 | 1 Pimcore | 1 Admin Classic Bundle | 2026-01-30 | N/A | 4.3 MEDIUM |
| Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore's official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations. The vulnerability is fixed in 2.2.3 and 1.7.16. | |||||
| CVE-2026-23496 | 1 Pimcore | 1 Web2print Tools | 2026-01-30 | N/A | 5.4 MEDIUM |
| Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. Prior to 5.2.2 and 6.1.1, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing "Favourite Output Channel Configurations." Testing revealed that an authenticated backend user without explicitely lacking permissions for this feature was still able to successfully invoke the endpoint and modify or retrieve these configurations. This vulnerability is fixed in 5.2.2 and 6.1.1. | |||||
| CVE-2026-23493 | 1 Pimcore | 1 Pimcore | 2026-01-20 | N/A | 8.6 HIGH |
| Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend. This vulnerability is fixed in 12.3.1 and 11.5.14. | |||||
| CVE-2026-23494 | 1 Pimcore | 1 Pimcore | 2026-01-20 | N/A | 4.3 MEDIUM |
| Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined via the backend interface or the var/config/staticroutes.php file, including details like regex-based patterns, controllers, variables, and priorities. These routes are registered automatically through the PimcoreStaticRoutesBundle and integrated into the MVC routing system. Testing revealed that an authenticated backend user lacking explicit permissions was able to invoke the endpoint (e.g., GET /api/static-routes) and retrieve sensitive route configurations. This vulnerability is fixed in 12.3.1 and 11.5.14. | |||||
| CVE-2026-23492 | 1 Pimcore | 1 Pimcore | 2026-01-20 | N/A | 8.8 HIGH |
| Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, an incomplete SQL injection patch in the Admin Search Find API allows an authenticated attacker to perform blind SQL injection. Although CVE-2023-30848 attempted to mitigate SQL injection by removing SQL comments (--) and catching syntax errors, the fix is insufficient. Attackers can still inject SQL payloads that do not rely on comments and infer database information via blind techniques. This vulnerability affects the admin interface and can lead to database information disclosure. This vulnerability is fixed in 12.3.1 and 11.5.14. | |||||
| CVE-2025-24980 | 1 Pimcore | 1 Admin Classic Bundle | 2026-01-16 | N/A | 5.3 MEDIUM |
| pimcore/admin-ui-classic-bundle provides a Backend UI for Pimcore. In affected versions an error message discloses existing accounts and leads to user enumeration on the target via "Forgot password" function. No generic error message has been implemented. This issue has been addressed in version 1.7.4 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||