Skip to content
Threat Feed

Vendor

Pimcore

4 briefs RSS
high advisory

Pimcore Platform SQL Injection in DataObject Composite Index Handling

A SQL injection vulnerability exists in Pimcore Platform when handling DataObject composite indices during class definition import/save, allowing an authenticated administrative user to inject attacker-controlled composite index metadata, leading to unintended SQL execution in the backend, specifically via the `index_columns` element.

pimcore/pimcore sql-injection web-application pimcore
2r 1t 1c
medium advisory

Pimcore CustomReports Share Bypass Vulnerability

Pimcore's CustomReports feature has a share bypass vulnerability due to inconsistent authorization checks between the report listing endpoint and the report detail endpoint, allowing low-privileged users to access report configurations without explicit sharing permissions.

Pimcore CustomReports privilege-escalation defense-evasion web-application
1r 2t
high advisory

Pimcore WebDAV Asset MOVE Missing Authorization Vulnerability

Pimcore's WebDAV asset endpoint exposes a `MOVE` operation without authentication, allowing unauthenticated remote attackers to delete assets if they know two existing asset paths in the same directory; Authenticated low-privileged users may also be able to perform unauthorized asset move or overwrite operations because the move path does not enforce `rename`, `delete`, `create`, or `publish` permissions, leading to data loss, content integrity loss, and service disruption.

pimcore/pimcore webdav asset-management missing-authorization pimcore
2r 2t
high advisory

Pimcore Unsafe PHP Deserialization Vulnerability (CVE-2026-45162)

Pimcore v11 and earlier is vulnerable to unsafe PHP deserialization in multiple locations due to missing `allowed_classes` restrictions when calling `unserialize()` on data from database columns and filesystem files; an attacker with control over serialized data sources (e.g., via SQL injection or file write vulnerabilities) can inject PHP gadget chains, leading to remote code execution.

pimcore/pimcore +1 deserialization remote code execution php
2r 1t