CVE-2026-23493

Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend. This vulnerability is fixed in 12.3.1 and 11.5.14.

CVSS v3 8.6 HIGH

8.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/pimcore/pimcore/commit/002ec7d5f84973819236796e5b314703b58e8601	Patch
https://github.com/pimcore/pimcore/pull/18918	Issue Tracking
https://github.com/pimcore/pimcore/releases/tag/v11.5.14	Release Notes
https://github.com/pimcore/pimcore/releases/tag/v12.3.1	Release Notes
https://github.com/pimcore/pimcore/security/advisories/GHSA-q433-j342-rp9h	Vendor Advisory
https://github.com/pimcore/pimcore/security/advisories/GHSA-q433-j342-rp9h	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:pimcore:pimcore::::::::
	cpe:2.3:a:pimcore:pimcore::::::::

History

No history.

Information

Published : 2026-01-15 17:16

Updated : 2026-01-20 21:48

NVD link : CVE-2026-23493

Mitre link : CVE-2026-23493

CVE.ORG link : CVE-2026-23493

JSON object : View

Products Affected

pimcore

pimcore

CWE

CWE-532

Insertion of Sensitive Information into Log File

{"id": "CVE-2026-23493", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.2}]}, "published": "2026-01-15T17:16:08.293", "references": [{"url": "https://github.com/pimcore/pimcore/commit/002ec7d5f84973819236796e5b314703b58e8601", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pimcore/pimcore/pull/18918", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pimcore/pimcore/releases/tag/v11.5.14", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pimcore/pimcore/releases/tag/v12.3.1", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-q433-j342-rp9h", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-q433-j342-rp9h", "tags": ["Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-532"}]}], "descriptions": [{"lang": "en", "value": "Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend. This vulnerability is fixed in 12.3.1 and 11.5.14."}], "lastModified": "2026-01-20T21:48:53.243", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pimcore:pimcore:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0B2CDE57-18BF-48B4-A0D7-BA3673CD3016", "versionEndExcluding": "11.5.14"}, {"criteria": "cpe:2.3:a:pimcore:pimcore:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FD4D552C-238D-49EC-8F68-19EC520EAD57", "versionEndExcluding": "12.3.1", "versionStartIncluding": "12.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}