CVE-2026-11407

Pimcore CMS/DXP version 12.3.8 contains a sandbox bypass vulnerability that allows authenticated administrative attackers to execute arbitrary methods on PHP objects by exploiting empty checkMethodAllowed and checkPropertyAllowed implementations in the custom Twig SecurityPolicy. Attackers can...

EUVD-2026-37795

Pimcore CMS/DXP version 12.3.8 contains a sandbox bypass vulnerability that allows authenticated administrative attackers to execute arbitrary methods on PHP objects by exploiting empty checkMethodAllowed and checkPropertyAllowed implementations in the custom Twig SecurityPolicy. Attackers can...

CVE-2026-23626

Kimai (time-tracking app) before v2.46.0 is vulnerable to an authenticated SSTI via the export template sandbox. The export policy uses DefaultPolicy, which imposes no restrictions on Twig tags, methods, or properties, allowing an attacker with export permissions to deploy a malicious Twig templa...

CVE-2026-23626

Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy DefaultPolicy that allows arbitrary method calls on objects available in the template context. An authenticated user with...

PT-2026-3401

Name of the Vulnerable Software and Affected Versions Kimai versions prior to 2.46.0 Description Kimai is a web-based multi-user time-tracking application. The export functionality utilizes a Twig sandbox with an overly permissive security policy DefaultPolicy, enabling arbitrary method calls on...