Total
124 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-23493 | 1 Pimcore | 1 Pimcore | 2026-01-20 | N/A | 8.6 HIGH |
| Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend. This vulnerability is fixed in 12.3.1 and 11.5.14. | |||||
| CVE-2026-23494 | 1 Pimcore | 1 Pimcore | 2026-01-20 | N/A | 4.3 MEDIUM |
| Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined via the backend interface or the var/config/staticroutes.php file, including details like regex-based patterns, controllers, variables, and priorities. These routes are registered automatically through the PimcoreStaticRoutesBundle and integrated into the MVC routing system. Testing revealed that an authenticated backend user lacking explicit permissions was able to invoke the endpoint (e.g., GET /api/static-routes) and retrieve sensitive route configurations. This vulnerability is fixed in 12.3.1 and 11.5.14. | |||||
| CVE-2026-23492 | 1 Pimcore | 1 Pimcore | 2026-01-20 | N/A | 8.8 HIGH |
| Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, an incomplete SQL injection patch in the Admin Search Find API allows an authenticated attacker to perform blind SQL injection. Although CVE-2023-30848 attempted to mitigate SQL injection by removing SQL comments (--) and catching syntax errors, the fix is insufficient. Attackers can still inject SQL payloads that do not rely on comments and infer database information via blind techniques. This vulnerability affects the admin interface and can lead to database information disclosure. This vulnerability is fixed in 12.3.1 and 11.5.14. | |||||
| CVE-2024-29197 | 1 Pimcore | 1 Pimcore | 2025-11-05 | N/A | 6.5 MEDIUM |
| Pimcore is an Open Source Data & Experience Management Platform. Any call with the query argument `?pimcore_preview=true` allows to view unpublished sites. In previous versions of Pimcore, session information would propagate to previews, so only a logged in user could open a preview. This no longer applies. Previews are broad open to any user and with just the hint of a restricted link one could gain access to possible confident / unreleased information. This vulnerability is fixed in 11.2.2 and 11.1.6.1. | |||||
| CVE-2025-27617 | 1 Pimcore | 1 Pimcore | 2025-11-04 | N/A | 8.8 HIGH |
| Pimcore is an open source data and experience management platform. Prior to version 11.5.4, authenticated users can craft a filter string used to cause a SQL injection. Version 11.5.4 fixes the issue. | |||||
| CVE-2024-11954 | 1 Pimcore | 1 Pimcore | 2025-11-04 | 3.3 LOW | 2.4 LOW |
| A vulnerability classified as problematic was found in Pimcore 11.4.2. Affected by this vulnerability is an unknown functionality of the component Search Document. The manipulation leads to basic cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-11956 | 1 Pimcore | 1 Pimcore | 2025-11-04 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability, which was classified as critical, has been found in Pimcore customer-data-framework up to 4.2.0. Affected by this issue is some unknown functionality of the file /admin/customermanagementframework/customers/list. The manipulation of the argument filterDefinition/filter leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.2.1 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2015-4425 | 1 Pimcore | 1 Pimcore | 2025-04-12 | 4.9 MEDIUM | N/A |
| Directory traversal vulnerability in pimcore before build 3473 allows remote authenticated users with the "assets" permission to create or write to arbitrary files via a .. (dot dot) in the dir parameter to admin/asset/add-asset-compatibility. | |||||
| CVE-2015-4426 | 1 Pimcore | 1 Pimcore | 2025-04-12 | 7.5 HIGH | N/A |
| SQL injection vulnerability in pimcore before build 3473 allows remote attackers to execute arbitrary SQL commands via the filter parameter to admin/asset/grid-proxy. | |||||
| CVE-2014-2922 | 1 Pimcore | 1 Pimcore | 2025-04-12 | 6.4 MEDIUM | N/A |
| The getObjectByToken function in Newsletter.php in the Pimcore_Tool_Newsletter module in pimcore 1.4.9 through 2.1.0 does not properly handle an object obtained by unserializing a pathname, which allows remote attackers to conduct PHP object injection attacks and delete arbitrary files via vectors involving a Zend_Http_Response_Stream object. | |||||
| CVE-2014-2921 | 1 Pimcore | 1 Pimcore | 2025-04-12 | 7.5 HIGH | N/A |
| The getObjectByToken function in Newsletter.php in the Pimcore_Tool_Newsletter module in pimcore 1.4.9 through 2.0.0 does not properly handle an object obtained by unserializing Lucene search data, which allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via vectors involving a Zend_Pdf_ElementFactory_Proxy object and a pathname with a trailing \0 character. | |||||
| CVE-2023-25240 | 1 Pimcore | 1 Pimcore | 2025-03-21 | N/A | 8.8 HIGH |
| An improper SameSite Attribute vulnerability in pimCore v10.5.15 allows attackers to execute arbitrary code. | |||||
| CVE-2024-32871 | 1 Pimcore | 1 Pimcore | 2024-11-21 | N/A | 7.5 HIGH |
| Pimcore is an Open Source Data & Experience Management Platform. The Pimcore thumbnail generation can be used to flood the server with large files. By changing the file extension or scaling factor of the requested thumbnail, attackers can create files that are much larger in file size than the original. This vulnerability is fixed in 11.2.4. | |||||
| CVE-2023-5873 | 1 Pimcore | 1 Pimcore | 2024-11-21 | N/A | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 11.1.0. | |||||
| CVE-2023-4453 | 1 Pimcore | 1 Pimcore | 2024-11-21 | N/A | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.6.8. | |||||
| CVE-2023-49076 | 1 Pimcore | 1 Pimcore | 2024-11-21 | N/A | 4.3 MEDIUM |
| Customer-data-framework allows management of customer data within Pimcore. There are no tokens or headers to prevent CSRF attacks from occurring, therefore an attacker could abuse this vulnerability to create new customers. This issue has been patched in version 4.0.5. | |||||
| CVE-2023-47637 | 1 Pimcore | 1 Pimcore | 2024-11-21 | N/A | 8.8 HIGH |
| Pimcore is an Open Source Data & Experience Management Platform. In affected versions the `/admin/object/grid-proxy` endpoint calls `getFilterCondition()` on fields of classes to be filtered for, passing input from the request, and later executes the returned SQL. One implementation of `getFilterCondition()` is in `Multiselect`, which does not normalize/escape/validate the passed value. Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level. This vulnerability has been addressed in version 11.1.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-3822 | 1 Pimcore | 1 Pimcore | 2024-11-21 | N/A | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.6.4. | |||||
| CVE-2023-3821 | 1 Pimcore | 1 Pimcore | 2024-11-21 | N/A | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.6.4. | |||||
| CVE-2023-3820 | 1 Pimcore | 1 Pimcore | 2024-11-21 | N/A | 7.2 HIGH |
| SQL Injection in GitHub repository pimcore/pimcore prior to 10.6.4. | |||||