CVE-2026-23495

The CVE-2026-23495 affects Pimcore’s Admin Classic Bundle. The API endpoint that lists Predefined Properties (metadata definitions used across documents, assets, and objects) lacked proper server-side authorization prior to Pimcore versions 2.2.3 and 1.7.16. An authenticated backend user without ...

EUVD-2024-0338

Malicious code in bioql PyPI...

EUVD-2025-10314

Malicious code in bioql PyPI...

EUVD-2023-2672

Malicious code in bioql PyPI...

EUVD-2023-2080

Malicious code in bioql PyPI...

EUVD-2024-0388

Malicious code in bioql PyPI...

EUVD-2024-0490

Malicious code in bioql PyPI...

CVE-2024-24822

Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. Prior to version 1.3.3, an attacker can create, delete etc. tags without having the permission to do so. A fix is available in version 1.3.3. As a workaround, one may apply the patch manually...

CVE-2023-42817

Pimcore admin-ui-classic-bundle provides a Backend UI for Pimcore. The translation value with text including “%s” from “%suggest% is parsed by sprintf even though it’s supposed to be output literally to the user. The translations may be accessible by a user with comparatively lower overall access...

CVE-2023-37280

Pimcore Admin Classic Bundle provides a Backend UI for Pimcore based on the ExtJS framework. An admin who has not setup two factor authentication before is vulnerable for this attack, without need for any form of privilege, causing the application to execute arbitrary scripts/HTML content. This...

CVE-2023-47636

The Pimcore Admin Classic Bundle provides a Backend UI for Pimcore. Full Path Disclosure FPD vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the loadfile within a SQL Injection query to view the page...

Pimcore Admin Classic Bundle Cross-Site Scripting Vulnerability

Pimcore Admin Classic Bundle is a Pimcore open source a core bundle of Pimcore. The Pimcore Admin Classic Bundle suffers from a cross-site scripting vulnerability that stems from HTML injection, which can be exploited by an attacker to steal session cookies...

CVE-2025-30166

Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. An HTML injection issue allows users with access to the email sending functionality to inject arbitrary HTML code into emails sent via the admin interface, potentially leading to session cookie theft and the alteration of page...

PT-2025-15421 · Pimcore · Pimcore Admin Classic Bundle

Name of the Vulnerable Software and Affected Versions: Pimcore Admin Classic Bundle versions prior to 1.7.6 Description: An HTML injection issue in Pimcore's Admin Classic Bundle allows users with access to the email sending functionality to inject arbitrary HTML code into emails sent via the adm...

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure via the reset password link sent through the Forgot Password functionality. An attacker can determine valid user accounts by observing error messages that disclose whether an account exists. Remediation Upgrade...

CVE-2024-25625

Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. A potential security vulnerability has been discovered in pimcore/admin-ui-classic-bundle prior to version 1.3.4. The vulnerability involves a Host Header Injection in the invitationLinkAction function of the UserController,...

Pimcore Admin Classic Bundle permissions are not getting checked when working with tags

Impact You can create, delete etc. tags without having the permission to do so. This vulnerability allows an attacker to perform broken access control and add tags to admin panel and add dumy data. One can do this as intruder and add text parameters with random numbers and this will effect...

CVE-2024-23646 Pimcore Admin Classic Bundle SQL Injection in Admin download files as zip

Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The application allows users to create zip files from available files on the site. In the 1.x branch prior to version 1.3.2, parameter selectedIds is susceptible to SQL Injection. Any backend user with very basic...

CVE-2023-47636 Full Path Disclosure via re-export document in pimcore/admin-ui-classic-bundle

The Pimcore Admin Classic Bundle provides a Backend UI for Pimcore. Full Path Disclosure FPD vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the loadfile within a SQL Injection query to view the page...

PT-2023-30526 · Pimcore · Pimcore Admin Classic Bundle

Name of the Vulnerable Software and Affected Versions: Pimcore Admin Classic Bundle versions prior to 1.2.1 Description: The issue allows an attacker to see the path to the webroot/file, which can be used in conjunction with other vulnerabilities, such as SQL Injection using the load file query, ...