Vendor
Pimcore Platform SQL Injection in DataObject Composite Index Handling
2 rules 1 TTP 1 CVEA SQL injection vulnerability exists in Pimcore Platform when handling DataObject composite indices during class definition import/save, allowing an authenticated administrative user to inject attacker-controlled composite index metadata, leading to unintended SQL execution in the backend, specifically via the `index_columns` element.
Pimcore CustomReports Share Bypass Vulnerability
1 rule 2 TTPsPimcore's CustomReports feature has a share bypass vulnerability due to inconsistent authorization checks between the report listing endpoint and the report detail endpoint, allowing low-privileged users to access report configurations without explicit sharing permissions.
Pimcore WebDAV Asset MOVE Missing Authorization Vulnerability
2 rules 2 TTPsPimcore's WebDAV asset endpoint exposes a `MOVE` operation without authentication, allowing unauthenticated remote attackers to delete assets if they know two existing asset paths in the same directory; Authenticated low-privileged users may also be able to perform unauthorized asset move or overwrite operations because the move path does not enforce `rename`, `delete`, `create`, or `publish` permissions, leading to data loss, content integrity loss, and service disruption.
Pimcore Unsafe PHP Deserialization Vulnerability (CVE-2026-45162)
2 rules 1 TTPPimcore v11 and earlier is vulnerable to unsafe PHP deserialization in multiple locations due to missing `allowed_classes` restrictions when calling `unserialize()` on data from database columns and filesystem files; an attacker with control over serialized data sources (e.g., via SQL injection or file write vulnerabilities) can inject PHP gadget chains, leading to remote code execution.