20 matches found

Vulnrichment, added 2026/01/15 4:52 p.m.

CVE-2026-23494 Pimcore is Missing Function Level Authorization on "Static Routes" Listing

Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined vi...

CVSS 4.3 | AI score 6.2 | EPSS 0.00001 | Exploits 1 | References 4

EUVD, added 2025/10/07 12:30 a.m.

EUVD-2015-4445

Malware in sbrugna...

CVSS 4.9 | AI score 6.3 | EPSS 0.00034 | Exploits 5 | References 5

EUVD, added 2025/10/03 8:07 p.m.

EUVD-2022-4373

Malicious code in bioql PyPI...

CVSS 9.8 | AI score 9.3 | EPSS 0.00009 | Exploits 0 | References 4

EUVD, added 2025/10/03 8:07 p.m.

EUVD-2022-4131

Malicious code in bioql PyPI...

CVSS 9.8 | AI score 9.3 | EPSS 0.00007 | Exploits 0 | References 3

EUVD, added 2025/10/03 8:07 p.m.

EUVD-2023-1841

Malicious code in bioql PyPI...

CVSS 8.8 | AI score 6.8 | EPSS 0.00009 | Exploits 1 | References 5

EUVD, added 2025/10/03 8:07 p.m.

EUVD-2023-0672

Malicious code in bioql PyPI...

CVSS 8.2 | AI score 6.4 | EPSS 0.00012 | Exploits 0 | References 6

RedhatCVE, added 2025/05/23 3:44 a.m.

CVE-2023-30849

Pimcore is an open source data and experience management platform. Prior to version 10.5.21, a SQL injection vulnerability exists in the translation export API. Users should update to version 10.5.21 to receive a patch or, as a workaround, apply the patch manually...

CVSS 8.8 | AI score 7.7 | EPSS 0.00064 | Exploits 0 | References 1

RedhatCVE, added 2025/05/23 3:35 a.m.

CVE-2023-28106

Pimcore is an open source data and experience management platform. Prior to version 10.5.19, an attacker can use cross-site scripting to send a malicious script to an unsuspecting user. Users may upgrade to version 10.5.19 to receive a patch or, as a workaround, apply the patch manually...

CVSS 6.1 | AI score 6.1 | EPSS 0.0007 | Exploits 1 | References 1

RedhatCVE, added 2025/05/22 7:50 a.m.

CVE-2019-18982

bundles/AdminBundle/Controller/Admin/EmailController.php in Pimcore before 6.3.0 allows script execution in the Email Log preview window because of the lack of a Content-Security-Policy header...

CVSS 6.1 | AI score 6.9 | EPSS 0.00007 | Exploits 0 | References 1

OSV, added 2025/01/28 7:12 p.m.

GHSA-XR3M-6GQ6-22CG Pimcore Authenticated Stored Cross-Site Scripting (XSS) Via Search Document

Summary: A Stored Cross-Site Scripting (XSS) vulnerability in Pimcore allows remote attackers to inject arbitrary web script or HTML via the PDF upload functionality. This can result in the execution of malicious scripts in the context of the user's browser when the PDF is viewed, leading to potenti...

CVSS 8.1 | AI score 5.3 | EPSS 0.00511 | Exploits 2 | References 4

Vulnrichment, added 2023/11/30 5:42 a.m.

CVE-2023-49076 Pimcore missing token/header to prevent CSRF

Customer-data-framework allows management of customer data within Pimcore. There are no tokens or headers to prevent CSRF attacks from occurring, therefore an attacker could abuse this vulnerability to create new customers. This issue has been patched in version 4.0.5...

CVSS 4.3 | AI score 6.4 | EPSS 0.00006 | Exploits 1 | References 2

OSV, added 2023/03/16 4:34 p.m.

CVE-2023-28108 Pimcore has improper quoting of columns when calling methods "getByUuid" & "exists" on UUID Model

Pimcore is an open source data and experience management platform. Prior to version 10.5.19, quoting is not done properly in the UUID DAO model. There is the theoretical possibility to inject custom SQL if the developer is using these methods with input data and not doing proper input validation in...

CVSS 7.9 | AI score 7.8 | EPSS 0.00015 | Exploits 0 | References 5

Cvelist, added 2023/03/16 4:34 p.m.

CVE-2023-28108 Pimcore has improper quoting of columns when calling methods "getByUuid" & "exists" on UUID Model

Pimcore is an open source data and experience management platform. Prior to version 10.5.19, quoting is not done properly in the UUID DAO model. There is the theoretical possibility to inject custom SQL if the developer is using these methods with input data and not doing proper input validation in...

CVSS 7.9 | AI score 8.1 | EPSS 0.00015 | Exploits 0 | References 3

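The two CVE-2023-28108 entries above describe the bug class rather than a specific payload: a column name spliced into SQL text is not protected by parameter binding, which only covers values. The following is an added example, not Pimcore's UUID DAO, written in plain PHP with PDO. The table name `uuids`, the column allowlist, the SQLite fixture and the class name `UuidDao` are all constructed for the demonstration; it assumes PHP 8 with the `pdo_sqlite` extension so it can run offline.

```php
<?php
// Added example (not Pimcore's code): why interpolating a column name into SQL
// is dangerous, and how an identifier allowlist plus proper quoting fixes it.
declare(strict_types=1);

final class UuidDao
{
    // Hypothetical allowlist of identifiers the caller may select on.
    private const ALLOWED_COLUMNS = ['uuid', 'itemId', 'type', 'instanceIdentifier'];

    public function __construct(private PDO $db) {}

    /** Vulnerable: $column is spliced into the query verbatim. Binding protects
     *  the value (:v), not the identifier, so a caller that forwards a column
     *  name taken from request data lets the request author write SQL. */
    public function existsUnsafe(string $column, string $value): bool
    {
        $stmt = $this->db->prepare("SELECT 1 FROM uuids WHERE {$column} = :v LIMIT 1");
        $stmt->execute([':v' => $value]);
        return (bool) $stmt->fetchColumn();
    }

    /** Hardened: identifiers must come from a fixed allowlist and are quoted
     *  with backticks (doubling any embedded backtick); the value stays bound. */
    public function exists(string $column, string $value): bool
    {
        if (!in_array($column, self::ALLOWED_COLUMNS, true)) {
            throw new InvalidArgumentException("Unknown column: {$column}");
        }
        $quoted = '`' . str_replace('`', '``', $column) . '`';
        $stmt = $this->db->prepare("SELECT 1 FROM uuids WHERE {$quoted} = :v LIMIT 1");
        $stmt->execute([':v' => $value]);
        return (bool) $stmt->fetchColumn();
    }
}

// Constructed in-memory SQLite fixture so the example runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE uuids (uuid TEXT, itemId INTEGER, type TEXT, instanceIdentifier TEXT)');
$db->exec("INSERT INTO uuids VALUES ('11111111-1111-1111-1111-111111111111', 42, 'object', 'demo')");

$dao = new UuidDao($db);

// Honest calls behave the same in both variants.
var_dump($dao->exists('uuid', '11111111-1111-1111-1111-111111111111'));  // bool(true)
var_dump($dao->existsUnsafe('uuid', 'nope'));                             // bool(false)

// A "column" under request control turns the WHERE clause into a tautology;
// the bound value no longer matters, so the unsafe variant says the row exists.
$hostile = 'uuid = uuid OR 1=1 OR uuid';
var_dump($dao->existsUnsafe($hostile, 'nope'));                           // bool(true)

// The hardened variant never lets the string reach the SQL text.
try {
    $dao->exists($hostile, 'nope');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The allowlist is the real control; quoting alone would still let a caller pick any existing column, which is an information-disclosure oracle in its own right.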
Vulnrichment, added 2022/09/21 12:00 p.m.

CVE-2022-3255 Cross-site Scripting (XSS) - Reflected in pimcore/pimcore

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can: perform any action within the application that the user can perform; view any information that the user is able to view; modify...

CVSS 6.8 | AI score 4.9 | EPSS 0.00011 | Exploits 1 | References 2

Prion, added 2019/11/15 5:15 a.m.

Design/Logic Flaw

Pimcore before 6.2.2 lacks brute force protection for the 2FA token...

CVSS 5.0 | AI score 9.5 | EPSS 0.00007 | Exploits 0 | References 2 | Affected software 1

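The entry above states the flaw (no brute-force protection on the second factor) without describing the fix, so here is an added example of the control that is missing, in plain PHP. It is not Pimcore's code. A 6-digit one-time code has only 10^6 values, so an unthrottled verifier falls to online guessing; the guard below counts failures per account, locks out after a threshold, checks the lockout before comparing, and compares in constant time. The class name, thresholds, in-memory store and injected clock are all hypothetical; it assumes PHP 8.

```php
<?php
// Added example (not Pimcore's code): rate limiting for a second-factor check.
declare(strict_types=1);

final class SecondFactorGuard
{
    private const MAX_FAILURES = 5;        // hypothetical policy values
    private const LOCKOUT_SECONDS = 300;

    /** @var array<string, array{failures:int, lockedUntil:int}> in-memory stand-in for session/DB */
    private array $state = [];

    /** $now is injected so the lockout can be tested deterministically. */
    public function __construct(private Closure $now) {}

    public function verify(string $userId, string $expectedCode, string $submittedCode): bool
    {
        $now = ($this->now)();
        $entry = $this->state[$userId] ?? ['failures' => 0, 'lockedUntil' => 0];

        // Check the lockout before comparing, so a locked account yields no signal
        // about whether the guess was right.
        if ($entry['lockedUntil'] > $now) {
            return false;
        }
        // hash_equals avoids the timing side channel of == / === on strings.
        if (hash_equals($expectedCode, $submittedCode)) {
            unset($this->state[$userId]);   // success resets the failure counter
            return true;
        }
        $entry['failures']++;
        if ($entry['failures'] >= self::MAX_FAILURES) {
            $entry['lockedUntil'] = $now + self::LOCKOUT_SECONDS;
            $entry['failures'] = 0;
        }
        $this->state[$userId] = $entry;
        return false;
    }

    public function isLocked(string $userId): bool
    {
        return ($this->state[$userId]['lockedUntil'] ?? 0) > ($this->now)();
    }
}

// Constructed clock and account so the run is reproducible.
$clock = 1_700_000_000;
$guard = new SecondFactorGuard(function () use (&$clock): int { return $clock; });
$correct = '482913';

for ($i = 0; $i < 5; $i++) {
    $guard->verify('alice', $correct, sprintf('%06d', $i));   // five wrong guesses
}
var_dump($guard->isLocked('alice'));                          // bool(true)
var_dump($guard->verify('alice', $correct, $correct));        // bool(false): locked, right code or not
$clock += 301;
var_dump($guard->verify('alice', $correct, $correct));        // bool(true): lockout expired
var_dump($guard->isLocked('alice'));                          // bool(false)
```

In a real deployment the counter has to live server-side and be keyed by account, not by client IP or session, otherwise the attacker simply rotates sources.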
Cvelist, added 2019/11/15 4:22 a.m.

CVE-2019-18981

Pimcore before 6.2.2 lacks an Access Denied outcome for a certain scenario of an incorrect recipient ID of a notification...

AI score 9.6 | EPSS 0.00009 | Exploits 0 | References 2

NVD, added 2019/09/14 6:15 p.m.

CVE-2019-16317

In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different...

CVSS 8.8 | AI score 8.6 | EPSS 0.00011 | Exploits 0 | References 2

Prion, added 2019/04/04 6:29 p.m.

Design/Logic Flaw

An issue was discovered in Pimcore before 5.7.1. An attacker with classes permission can send a POST request to /admin/class/bulk-commit, which will make it possible to exploit the unserialize function when passing untrusted values in the data parameter to...

CVSS 6.5 | AI score 8.4 | EPSS 0.52728 | Exploits 5 | References 6 | Affected software 1

OSV, added 2019/04/04 6:29 p.m.

CVE-2019-10867

An issue was discovered in Pimcore before 5.7.1. An attacker with classes permission can send a POST request to /admin/class/bulk-commit, which will make it possible to exploit the unserialize function when passing untrusted values in the data parameter to...

CVSS 8.8 | AI score 6.5 | Exploits 0 | References 6

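Both CVE-2019-10867 entries above come down to `unserialize()` being fed request data. The following is an added example, not Pimcore's bulk-commit handler, showing in plain PHP why that is a problem and the two standard ways out: forbid object instantiation with `allowed_classes => false`, or stop using PHP serialization for untrusted input altogether. The `TempFileCleanup` class, its destructor side effect and the serialized payload are constructed for the demonstration; it assumes PHP 8.

```php
<?php
// Added example (not Pimcore's code): PHP object injection through unserialize()
// on untrusted data, and two hardenings.
declare(strict_types=1);

/** Stand-in for any class whose magic method does work on destruction. Real
 *  code bases and their vendored libraries contain many; an attacker needs one. */
final class TempFileCleanup
{
    public function __construct(public string $path) {}

    public function __destruct()
    {
        // Hypothetical side effect; printing instead of unlinking keeps the demo harmless.
        echo "__destruct would remove: {$this->path}\n";
    }
}

// Constructed payload: a serialized TempFileCleanup whose path the sender chose.
// unserialize() bypasses the constructor, so no validation in it would help.
$payload = 'O:15:"TempFileCleanup":1:{s:4:"path";s:19:"/etc/important.conf";}';

// 1) Vulnerable: every autoloadable class is a candidate gadget.
function importUnsafe(string $data): mixed
{
    return unserialize($data);
}

// 2) Hardened (a): refuse to instantiate objects. PHP returns an inert
//    __PHP_Incomplete_Class whose magic methods never run.
function importNoObjects(string $data): mixed
{
    return unserialize($data, ['allowed_classes' => false]);
}

// 3) Hardened (b): use a data-only format and validate the shape you expect.
function importJson(string $data): array
{
    $decoded = json_decode($data, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($decoded) || !isset($decoded['name']) || !is_string($decoded['name'])) {
        throw new InvalidArgumentException('unexpected import shape');
    }
    return $decoded;
}

$obj = importUnsafe($payload);
echo get_class($obj), "\n";      // TempFileCleanup: the gadget is live
unset($obj);                     // __destruct runs with attacker-chosen data

$inc = importNoObjects($payload);
echo get_class($inc), "\n";      // __PHP_Incomplete_Class: nothing runs
unset($inc);

var_dump(importJson('{"name":"Product"}'));
```

Option (a) is the drop-in fix when the wire format cannot change; option (b) is preferable for new code because it also removes the parser attack surface of the serialization format itself.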
Veracode, added 2017/11/08 6:09 a.m.

Directory Traversal

Pimcore is vulnerable to directory traversal attacks. The library does not properly validate the filepath, allowing a malicious user to pass a filepath without the file to the application...

AI score 6.7 | Exploits 0

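The CVE-2019-16317 entry (a `phar://` URL accepted in a filename parameter) and the Veracode directory-traversal entry above are two faces of the same missing check: a user-supplied file name reaches a filesystem call without being confined to a plain path inside the intended directory. The following is an added example, not Pimcore's or any library's code, of a resolver that rejects stream-wrapper URLs, NUL bytes and `..` segments up front and then confirms the resolved path stays under the base directory. The class name, the temporary asset directory and the sample inputs are constructed; it assumes PHP 8.

```php
<?php
// Added example (not Pimcore's code): confining a user-supplied file name to one
// directory so neither phar:// (or any other wrapper) nor ../ can redirect it.
declare(strict_types=1);

final class AssetPathResolver
{
    public function __construct(private string $baseDir) {}

    /** Returns the absolute path of $userPath inside $baseDir, or throws. */
    public function resolve(string $userPath): string
    {
        // Any "scheme:" prefix (phar://, file://, php://, data:, ...) marks the
        // string as a stream URL rather than a path. Reject the whole class rather
        // than maintaining a blocklist of wrappers.
        if (preg_match('#^[a-zA-Z][a-zA-Z0-9+.-]*:#', $userPath)) {
            throw new InvalidArgumentException('stream wrappers are not allowed');
        }
        if (str_contains($userPath, "\0")) {
            throw new InvalidArgumentException('NUL byte in path');
        }
        // Reject any ".." segment outright instead of trying to collapse it;
        // an asset API has no legitimate use for one.
        foreach (explode('/', str_replace('\\', '/', $userPath)) as $segment) {
            if ($segment === '..') {
                throw new InvalidArgumentException('path traversal rejected');
            }
        }
        $candidate = rtrim($this->baseDir, '/') . '/' . ltrim($userPath, '/');

        // realpath() follows symlinks and returns false for files that do not
        // exist; both failure modes map to the same error so the caller gets no
        // oracle about what exists outside the base directory.
        $real = realpath($candidate);
        $base = realpath($this->baseDir);
        if ($real === false || $base === false
            || !str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
            throw new InvalidArgumentException('path escapes asset directory');
        }
        return $real;
    }
}

// Constructed fixture: a temporary asset directory holding one file.
$base = sys_get_temp_dir() . '/assets-' . bin2hex(random_bytes(4));
mkdir($base . '/img', 0700, true);
file_put_contents($base . '/img/logo.png', 'PNG');

$resolver = new AssetPathResolver($base);

// Constructed inputs covering the cases the two entries above describe.
$inputs = [
    'img/logo.png',                              // legitimate
    '../../../../etc/passwd',                    // traversal
    'phar://uploads/avatar.jpg/anything',        // wrapper that would trigger unserialize of phar metadata
    "img/logo.png\0.jpg",                        // NUL truncation trick
    'img/missing.png',                           // inside base but does not exist
];
foreach ($inputs as $in) {
    try {
        echo 'OK   ', addcslashes($in, "\0"), ' -> ', $resolver->resolve($in), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'DENY ', addcslashes($in, "\0"), ': ', $e->getMessage(), "\n";
    }
}
```

Only the first input resolves. Note that the scheme check also refuses Windows drive-letter paths such as `C:\...`, which is the desired behaviour for a parameter that is supposed to name a file relative to the asset root.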