2 matches found
CVE-2026-23494
Pimcore is vulnerable to insufficient function-level access control on the API that lists static routes. Prior to versions 12.3.1 and 11.5.14, an authenticated backend user lacking explicit permissions could call the endpoint (e.g., GET /api/static-routes) and retrieve internal static-route confi...
CVE-2026-23494 Pimcore is Missing Function Level Authorization on "Static Routes" Listing
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined vi...