[HIGH] Pimcore Admin Classic Bundle Vulnerable to SQL Injection in Translation Grid Date Filter via Unsanitized Property Parameter

PKSA-v29g-sqpm-mznn CVE-2026-44741 GHSA-h4ph-crvj-9h92

Affected version: <=2.3.5

Reported by:
GitHub

[MEDIUM] Pimcore's Admin Classic Bundle is Missing Function Level Authorization on "Predefined Properties" Listing

PKSA-nx96-fm8s-mdqg CVE-2026-23495 GHSA-hqrp-m84v-2m2f

Affected version: <=1.7.15|>=2.0.0-RC1,<=2.2.2

Reported by:
GitHub

[LOW] Pimcore's Admin Classic Bundle allows HTML Injection

PKSA-p8mb-27jx-rxgt CVE-2025-30166 GHSA-x82r-6j37-vrgg

Affected version: <1.7.6

Reported by:
GitHub