Lucene search
+L

158487 matches found

NVD
NVD
added yesterday2 views

CVE-2026-45704

Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 LTS and 12.3.6, CustomReports uses inconsistent authorization between the report listing endpoint and the report detail endpoint in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php and...

7.1CVSS0.00035EPSS
Exploits0References4
NVD
NVD
added yesterday5 views

CVE-2026-44739

Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 LTS and 12.3.6, the columnConfigAction endpoint in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php passes malicious SQL configuration through CustomReportController:columnConfigAction,...

8.7CVSS0.00027EPSS
Exploits0References4
NVD
NVD
added yesterday3 views

CVE-2026-45260

Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 LTS and 12.3.7, Pimcore's WebDAV asset endpoint exposes a MOVE operation through /asset/webdavpath without an authentication plugin in bundles/CoreBundle/src/Controller/WebDavController.php, and...

8.1CVSS0.00141EPSS
Exploits0References4
NVD
NVD
added yesterday5 views

CVE-2026-45162

Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 LTS and 12.3.7, multiple Pimcore locations call PHP's unserialize on data from database columns and filesystem files without the allowedclasses restriction, including lib/Tool/Authentication.php, models/Site/Dao.php...

8CVSS0.00202EPSS
Exploits0References4
NVD
NVD
added yesterday2 views

CVE-2026-45703

Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 LTS and 12.3.7, the WordExport export flow in bundles/WordExportBundle/src/Controller/TranslationController.php only checks the wordexport feature permission and directly resolves attacker-controlled type/id input...

6.4CVSS0.00089EPSS
Exploits0References2
Cvelist
Cvelist
added yesterday5 views

CVE-2026-45704 Pimcore: CustomReports Share Bypass

Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 LTS and 12.3.6, CustomReports uses inconsistent authorization between the report listing endpoint and the report detail endpoint in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php and...

7.1CVSS0.00035EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-45704

Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 LTS and 12.3.6, CustomReports uses inconsistent authorization between the report listing endpoint and the report detail endpoint in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php and...

7.1CVSS5.3AI score0.00035EPSS
Exploits0References5Affected Software1
CVE
CVE
added yesterday40 views

CVE-2026-45704

Summary: Pimcore's CustomReports feature suffers an authorization bypass where report listing is inconsistently checked and the detail endpoints load reports by name. A low-privileged backend user with the reports permission can request a non-visible report (e.g., poc-secret-report) by name and r...

7.1CVSS5.3AI score0.00035EPSS
Exploits0References4
EUVD
EUVD
added yesterday3 views

EUVD-2026-45277

Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 LTS and 12.3.6, CustomReports uses inconsistent authorization between the report listing endpoint and the report detail endpoint in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php and...

7.1CVSS5.3AI score0.00035EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added yesterday4 views

CVE-2026-44739 Pimcore: SQL Injection in Custom Reports Column Configuration

Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 LTS and 12.3.6, the columnConfigAction endpoint in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php passes malicious SQL configuration through CustomReportController:columnConfigAction,...

8.7CVSS5.8AI score0.00027EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-44739

Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 LTS and 12.3.6, the columnConfigAction endpoint in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php passes malicious SQL configuration through CustomReportController:columnConfigAction,...

8.7CVSS5.8AI score0.00027EPSS
Exploits0References5Affected Software1
Cvelist
Cvelist
added yesterday8 views

CVE-2026-44739 Pimcore: SQL Injection in Custom Reports Column Configuration

Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 LTS and 12.3.6, the columnConfigAction endpoint in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php passes malicious SQL configuration through CustomReportController:columnConfigAction,...

8.7CVSS0.00027EPSS
Exploits0References4
CVE
CVE
added yesterday22 views

CVE-2026-44739

CVE-2026-44739 (Pimcore) : SQL injection in the columnConfigAction flow of CustomReportsBundle enables an attacker with the reports_config permission to inject and execute arbitrary SELECT/UNION queries and leverage error-based exfiltration. Affected versions are prior to 11.5.17 (LTS) and 12.3.6...

8.7CVSS5.8AI score0.00027EPSS
Exploits0References4
EUVD
EUVD
added yesterday6 views

EUVD-2026-45274

Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 LTS and 12.3.6, the columnConfigAction endpoint in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php passes malicious SQL configuration through CustomReportController:columnConfigAction,...

8.7CVSS5.8AI score0.00027EPSS
Exploits0References4
CVE
CVE
added yesterday30 views

CVE-2026-45260

Pimcore WebDAV MOVE vulnerability (CVE-2026-45260) enables remote asset deletion/overwrite due to missing authentication in the WebDAV controller and Tree::move() path. The WebDAV endpoint at /asset/webdav{path} proceeds to mutate assets before validating the current user or permissions, and Asse...

8.1CVSS5.3AI score0.00141EPSS
Exploits0References4
Cvelist
Cvelist
added yesterday6 views

CVE-2026-45260 Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling

Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 LTS and 12.3.7, Pimcore's WebDAV asset endpoint exposes a MOVE operation through /asset/webdavpath without an authentication plugin in bundles/CoreBundle/src/Controller/WebDavController.php, and...

8.1CVSS0.00141EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-45260

Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 LTS and 12.3.7, Pimcore's WebDAV asset endpoint exposes a MOVE operation through /asset/webdavpath without an authentication plugin in bundles/CoreBundle/src/Controller/WebDavController.php, and...

8.1CVSS5.3AI score0.00141EPSS
Exploits0References5Affected Software1
EUVD
EUVD
added yesterday3 views

EUVD-2026-45273

Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 LTS and 12.3.7, Pimcore's WebDAV asset endpoint exposes a MOVE operation through /asset/webdavpath without an authentication plugin in bundles/CoreBundle/src/Controller/WebDavController.php, and...

8.1CVSS5.3AI score0.00141EPSS
Exploits0References4
Cvelist
Cvelist
added yesterday7 views

CVE-2026-45703 Pimcore: WordExport Authorization Bypass for Unauthorized Document Export

Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 LTS and 12.3.7, the WordExport export flow in bundles/WordExportBundle/src/Controller/TranslationController.php only checks the wordexport feature permission and directly resolves attacker-controlled type/id input...

6.4CVSS0.00089EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-45703

Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 LTS and 12.3.7, the WordExport export flow in bundles/WordExportBundle/src/Controller/TranslationController.php only checks the wordexport feature permission and directly resolves attacker-controlled type/id input...

6.4CVSS5.3AI score0.00089EPSS
Exploits0References3Affected Software1
Rows per page
Query Builder