GHSA-3234-GXC3-PQ6F Pimcore Vulnerable to SQL Injection in Custom Reports Column Configuration
Summary The columnConfigAction endpoint in the CustomReportsBundle is vulnerable to SQL injection. An attacker with the reportsconfig permission can supply a malicious SQL configuration that is concatenated into a query and executed. Although the application attempts to filter certain DDL/DML...
CVE-2026-27461
Pimcore is an Open Source Data & Experience Management Platform. In versions up to and including 11.5.14.1 and 12.3.2, the filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameteriz...
CVE-2026-23493 Pimcore ENV Variables and Cookie Information are exposed in http_error_log
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through t...
Pimcore Has an Incomplete Patch for CVE-2023-30848
Summary An incomplete SQL injection patch in the Admin Search Find API allows an authenticated attacker to perform blind SQL injection. Although CVE-2023-30848 attempted to mitigate SQL injection by removing SQL comments -- and catching syntax errors, the fix is insufficient. Attackers can still...
CVE-2023-25240
An improper SameSite Attribute vulnerability in pimCore v10.5.15 allows attackers to execute arbitrary code...
CVE-2019-18986
Pimcore before 6.2.2 allows attackers to brute-force guess valid usernames by using the 'forgot password' functionality as it returns distinct messages for invalid password and non-existing users...
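The enumeration path in CVE-2019-18986 comes from the endpoint answering differently depending on whether the name exists. The following is an added example, not Pimcore's code: a minimal forgot-password handler in the pre-6.2.2 style beside one that returns the same text and does the same amount of work on both paths, plus the probe a tester would run against either. The user store, the response strings and the outbox are constructed for the example.

```python
import hashlib
import secrets

# Constructed user store for the example; the real application queries its database.
USERS = {"admin": "admin@example.test", "editor": "editor@example.test"}

# One message for every outcome, so the reply cannot be used as an oracle.
GENERIC_RESPONSE = "If an account with that name exists, a password reset e-mail has been sent."


def distinct_messages_vulnerable(username, outbox=None):
    """The pattern described above: the reply text differs per outcome (enumerable)."""
    if username not in USERS:
        return "User not found."
    if outbox is not None:
        outbox.append({"to": USERS[username], "token_hash": None})
    return "Reset e-mail sent."


def forgot_password(username, outbox=None):
    """Hardened handler: identical reply and identical code path whether or not the user exists.

    The token is generated and hashed unconditionally so the response time does not
    depend on the lookup result; only the mail send itself is conditional.
    """
    email = USERS.get(username)
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    if email is not None and outbox is not None:
        outbox.append({"to": email, "token_hash": token_hash})
    return GENERIC_RESPONSE


def enumerate_users(handler, candidates):
    """Tester's probe: compare each candidate's reply with the reply for a name that
    certainly does not exist; any candidate whose reply differs is a confirmed account."""
    baseline = handler("nonexistent-" + secrets.token_hex(8))
    return {name for name in candidates if handler(name) != baseline}


if __name__ == "__main__":
    wordlist = ["admin", "editor", "ghost"]
    print("vulnerable handler leaks:", enumerate_users(distinct_messages_vulnerable, wordlist))
    print("fixed handler leaks:     ", enumerate_users(forgot_password, wordlist))
```

The probe only compares response bodies; a real assessment would also compare status codes, headers and response timing, which is why the hardened handler keeps the hashing work on both branches rather than returning early.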
CVE-2022-0256
pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting'...
CVE-2022-0257
pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting'...
CVE-2022-31092
Pimcore is an Open Source Data & Experience Management Platform. Pimcore offers developers listing classes to make querying data easier. This listing classes also allow to order or group the results based on one or more columns which should be quoted by default. The actual issue is that quoting i...
CVE-2022-0258
pimcore is vulnerable to Improper Neutralization of Special Elements used in an SQL Command...
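Two of the entries above share one root cause: a user-supplied value is concatenated into the query text (the filter value in the RLIKE clause in CVE-2026-27461) or an identifier is interpolated without quoting or allow-listing (the ORDER BY / GROUP BY columns in CVE-2022-31092). The block below is an added example, not Pimcore's code, showing the injectable listing beside the hardened one and running both against an injected filter. The table schema, the ExtJS-style JSON filter shape and the column names are assumptions; SQLite's REGEXP operator (backed by a registered Python function) stands in for MySQL's RLIKE, and the sample rows are constructed.

```python
import json
import re
import sqlite3

# Identifiers (filter columns, ORDER BY columns) cannot be bound as parameters,
# so they are allow-listed. Schema is an assumption made for this example.
ALLOWED_COLUMNS = {"sourceid", "sourcetype", "targetid", "targettype"}

# Constructed sample rows standing in for a dependency listing.
SAMPLE_ROWS = [
    (1, "document", 10, "asset"),
    (1, "document", 11, "document"),
    (2, "object", 12, "asset"),
]

# A legitimate filter and an injected one (the JSON shape is an assumption).
LEGIT_FILTER = '[{"property": "targettype", "value": "^asset$"}]'
ATTACK_FILTER = '[{"property": "targettype", "value": "x\' OR 1=1 --"}]'


def make_db():
    conn = sqlite3.connect(":memory:")
    # SQLite has no RLIKE; register REGEXP so `col REGEXP pattern` behaves like MySQL's RLIKE.
    # SQLite evaluates `value REGEXP pattern` as regexp(pattern, value).
    conn.create_function(
        "REGEXP", 2,
        lambda pattern, value: 1 if value is not None and re.search(pattern, str(value)) else 0,
    )
    conn.execute(
        "CREATE TABLE dependencies (sourceid INTEGER, sourcetype TEXT, targetid INTEGER, targettype TEXT)"
    )
    conn.executemany("INSERT INTO dependencies VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def parse_filter(filter_param):
    """JSON-decode the filter and allow-list every column name it references."""
    filters = json.loads(filter_param)
    for f in filters:
        if f["property"] not in ALLOWED_COLUMNS:
            raise ValueError("unknown filter column: %r" % f["property"])
    return filters


def checked_order_by(column):
    """ORDER BY identifier: allow-listed, since an identifier cannot be a bound parameter."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError("unknown sort column: %r" % column)
    return column


def list_vulnerable(conn, filter_param, order_by="targetid"):
    """Filter value string-concatenated into the REGEXP/RLIKE clause: the injectable pattern."""
    filters = parse_filter(filter_param)
    where = " AND ".join("%s REGEXP '%s'" % (f["property"], f["value"]) for f in filters) or "1=1"
    sql = "SELECT sourceid, targetid FROM dependencies WHERE %s ORDER BY %s" % (
        where, checked_order_by(order_by))
    return conn.execute(sql).fetchall()


def list_fixed(conn, filter_param, order_by="targetid"):
    """Same query with the value bound as a parameter; the input only ever reaches the regex engine."""
    filters = parse_filter(filter_param)
    where = " AND ".join("%s REGEXP ?" % f["property"] for f in filters) or "1=1"
    params = [str(f["value"]) for f in filters]
    sql = "SELECT sourceid, targetid FROM dependencies WHERE %s ORDER BY %s" % (
        where, checked_order_by(order_by))
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("legitimate filter:    ", list_fixed(db, LEGIT_FILTER))
    print("injected, vulnerable: ", list_vulnerable(db, ATTACK_FILTER))
    print("injected, fixed:      ", list_fixed(db, ATTACK_FILTER))
```

With the injected filter the concatenating version turns `targettype REGEXP 'x' OR 1=1 --'` into a tautology (the trailing comment also swallows the ORDER BY), while the bound version simply evaluates the payload as a regular expression that matches nothing. Binding closes the injection but not every risk: the attacker still controls a pattern handed to the regex engine, so an invalid or catastrophically backtracking expression remains a denial-of-service concern, which is a separate control (pattern length limits, timeouts) from the one shown here.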
CVE-2019-16317
In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different...
EUVD-2021-1465
Malware in sbrugna...
EUVD-2021-0554
Malware in sbrugna...
EUVD-2014-2944
Malware in sbrugna...
EUVD-2021-2487
Malware in sbrugna...
EUVD-2021-1015
Malware in sbrugna...
EUVD-2022-2108
Malicious code in bioql PyPI...
EUVD-2022-0696
Malicious code in bioql PyPI...
EUVD-2022-0705
Malicious code in bioql PyPI...
EUVD-2022-4491
Malicious code in bioql PyPI...