13 matches found
CVE-2026-5394
An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend. This issue affects pimcore: 12.3.3...
CVE-2026-5362 Pimcore Platform v12.3.3 - Stored XSS in Document Editable Embed rendering
An authenticated attacker with permission to edit document content can store crafted HTML/JavaScript in a Document embed editable and cause script execution when the published page is rendered. This issue affects pimcore: v12.3.3...
CVE-2023-49076
Customer-data-framework allows management of customer data within Pimcore. There are no tokens or headers to prevent CSRF attacks from occurring, therefore an attacker could abuse this vulnerability to create new customers. This issue has been patched in version 4.0.5...
CVE-2022-0263
Unrestricted Upload of File with Dangerous Type in Packagist pimcore/pimcore prior to 10.2.7...
CVE-2022-0893
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0...
EUVD-2023-2153
Malicious code in bioql PyPI...
CVE-2023-1115
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.18...
CVE-2023-3819
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository pimcore/pimcore prior to 10.6.4...
CVE-2023-2339 Cross-site Scripting (XSS) - Reflected in pimcore/pimcore
Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.21...
CVE-2023-2323 Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21...
PT-2023-16837 · Pimcore · Pimcore
Name of the Vulnerable Software and Affected Versions: pimcore/pimcore versions prior to 11.0.0. Description: The issue is related to Cross-site Scripting (XSS) - Reflected. This is a security concern where an attacker can inject malicious scripts into a website, potentially leading to unauthorized...
GHSA-MXH3-2699-98G9 Cross-site Scripting pimcore
pimcore version 10.3.0 and prior is vulnerable to cross-site scripting...
Arbitrary File Upload
Overview: pimcore/pimcore is a content & product management framework (CMS/PIM/E-Commerce). Affected versions of this package are vulnerable to Arbitrary File Upload. It is possible for a user to upload a .php file when creating a permission on the assets feature, resulting in arbitrary code...