pimcore/pimcore Security Advisories for v11.0.0-RC2 (9)
-
[MEDIUM] Pimcore vulnerable to SQL injection via unsanitized filter value in Dependency Dao RLIKE clause
PKSA-8x4n-f9v2-4s1d CVE-2026-27461 GHSA-vxg3-v4p6-f3fp
Affected version: >=12.0.0,<12.3.3|<=11.5.14.1
Reported by:
GitHub
-
[MEDIUM] Pimcore is Vulnerable to Broken Access Control: Missing Function Level Authorization on "Static Routes" Listing
PKSA-88th-p7sv-k9g4 CVE-2026-23494 GHSA-m3r2-724c-pwgf
Affected version: <=11.5.13|>=12.0.0-RC1,<=12.3
Reported by:
GitHub
-
[HIGH] Pimcore ENV Variables and Cookie Informations are exposed in http_error_log
PKSA-9ss4-dj21-s7vh CVE-2026-23493 GHSA-q433-j342-rp9h
Affected version: <=11.5.13|>=12.0.0-RC1,<=12.3
Reported by:
GitHub
-
[HIGH] Pimcore Has an Incomplete Patch for CVE-2023-30848
PKSA-hpvp-zv9c-rrr4 CVE-2026-23492 GHSA-qvr7-7g55-69xj
Affected version: <=11.5.13|>=12.0.0-RC1,<12.3.1
Reported by:
GitHub
-
[MEDIUM] Pimcore Vulnerable to SQL Injection in getRelationFilterCondition
PKSA-2dyk-44y3-3rzz CVE-2025-27617 GHSA-qjpx-5m2p-5pgh
Affected version: <11.5.4
Reported by:
GitHub
-
[HIGH] Flooding Server with Thumbnail files
PKSA-2ws5-72xf-nzn8 CVE-2024-32871 GHSA-277c-5vvj-9pwx
Affected version: >=11.0.0,<11.2.4
Reported by:
GitHub
-
[MEDIUM] Pimcore TinyMCE Bundle - tinymce CVE-2024-29203, CVE-2024-29881
PKSA-8cp9-pysj-5xkk GHSA-vjwg-28gv-pm8h
Affected version: >=11.0.0-ALPHA1,<11.1.6.5|>=11.2.0,<11.2.3
Reported by:
GitHub
-
[HIGH] Pimcore SQL Injection in Admin Grid Filter API through Multiselect::getFilterConditionExt()
PKSA-d1ts-d4yt-xjz4 CVE-2023-47637 GHSA-72hh-xf79-429p
Affected version: <11.1.1
Reported by:
GitHub
-
[MEDIUM] Pimcore Cross-site Scripting vulnerability
PKSA-17vx-xhyz-z3x1 CVE-2023-5873 GHSA-j59v-hh4p-q92m
Affected version: <11.1.0
Reported by:
GitHub
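The "Affected version" strings above use Packagist's constraint syntax: "|" separates alternative ranges and "," joins comparators that must all hold. Deciding whether an installed Pimcore build falls inside one of them is not a plain string or semver comparison, because pre-release tags matter: 11.0.0-RC2, the version this page is for, sorts below 11.0.0, yet the page counts ">=11.0.0,<11.2.4" (CVE-2024-32871) among the nine advisories that apply to it. That matches how Composer's VersionParser treats a bare stable bound on ">=" or "<": it is read as X-dev, the lowest pre-release of X, so ">=11.0.0" admits every 11.0.0 pre-release and "<12.3.3" rejects 12.3.3-RC1, while "<=" and ">" keep the stable bound. The script below is an added example written for this page, not Packagist's or Composer's own code; it reimplements that comparison rule (the rule is an assumption about Composer's behaviour, noted in the code) and embeds the nine ranges listed above so the check runs offline. Pre-release tags other than dev, alpha, beta and RC are not handled.

```python
"""Check an installed Pimcore version against the Packagist-style 'Affected version'
constraints listed on this page, using Composer's comparison rules."""
import re

# Stability ranks in Composer's order: dev < alpha < beta < RC < stable.
STABILITY = {"dev": 0, "alpha": 1, "beta": 2, "rc": 3}
STABLE = 4

VERSION_RE = re.compile(
    r"^v?(\d+(?:\.\d+){0,3})(?:-?(dev|alpha|beta|rc)(\d*))?$", re.IGNORECASE
)


def parse_version(text):
    """'11.5.14.1' -> ((11, 5, 14, 1), (4, 0)); '12.0.0-RC1' -> ((12, 0, 0, 0), (3, 1)).
    The pre-release tuple is compared after the numeric tuple, so 12.0.0-RC1 < 12.0.0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    nums = [int(n) for n in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))  # Composer normalises to four numeric components
    pre = (STABILITY[m.group(2).lower()], int(m.group(3) or 0)) if m.group(2) else (STABLE, 0)
    return (tuple(nums), pre)


OPS = {
    ">=": lambda v, b: v >= b,
    ">": lambda v, b: v > b,
    "<=": lambda v, b: v <= b,
    "<": lambda v, b: v < b,
    "=": lambda v, b: v == b,
}
COND_RE = re.compile(r"^(>=|<=|>|<|==|=)\s*(.+)$")


def parse_condition(cond):
    """One comparator such as '<12.3.3' -> (comparison function, parsed bound)."""
    m = COND_RE.match(cond.strip())
    if not m:
        raise ValueError(f"unsupported constraint: {cond!r}")
    op = "=" if m.group(1) == "==" else m.group(1)
    bound = parse_version(m.group(2))
    # Composer rule (assumed here, as implemented in its VersionParser): a bare stable
    # bound on '>=' or '<' is read as X-dev, the lowest pre-release of X. Hence
    # '>=11.0.0' admits 11.0.0-RC2 and '<12.3.3' rejects 12.3.3-RC1, while '<=' and '>'
    # keep the stable bound.
    if op in (">=", "<") and bound[1][0] == STABLE:
        bound = (bound[0], (STABILITY["dev"], 0))
    return OPS[op], bound


def satisfies(version, constraint):
    """Packagist syntax: '|' separates alternatives, ',' joins conditions that must all hold."""
    v = parse_version(version)
    return any(
        all(op(v, bound) for op, bound in map(parse_condition, alt.split(",")))
        for alt in constraint.split("|")
    )


# The nine advisories and ranges exactly as listed on this page (the tinymce entry has no
# CVE of its own and is keyed by its GHSA id).
ADVISORIES = {
    "CVE-2026-27461": ">=12.0.0,<12.3.3|<=11.5.14.1",
    "CVE-2026-23494": "<=11.5.13|>=12.0.0-RC1,<=12.3",
    "CVE-2026-23493": "<=11.5.13|>=12.0.0-RC1,<=12.3",
    "CVE-2026-23492": "<=11.5.13|>=12.0.0-RC1,<12.3.1",
    "CVE-2025-27617": "<11.5.4",
    "CVE-2024-32871": ">=11.0.0,<11.2.4",
    "GHSA-vjwg-28gv-pm8h": ">=11.0.0-ALPHA1,<11.1.6.5|>=11.2.0,<11.2.3",
    "CVE-2023-47637": "<11.1.1",
    "CVE-2023-5873": "<11.1.0",
}


def affecting(version, advisories=ADVISORIES):
    """Identifiers of every advisory whose range contains `version`, in page order."""
    return [aid for aid, rng in advisories.items() if satisfies(version, rng)]


if __name__ == "__main__":
    for v in ("11.0.0-RC2", "11.5.14.1", "12.3.0", "12.3.3"):
        print(v, "->", affecting(v) or "not affected")
```

Run against 11.0.0-RC2 it returns all nine identifiers, agreeing with the count in the page heading; 11.5.14.1 is caught only by CVE-2026-27461, and 12.3.3 by none of the listed ranges. A checker that compared "11.0.0-RC2" to "11.0.0" with ordinary semver rules would silently miss CVE-2024-32871 for the RC build, which is the failure mode to watch for when scripting this against a composer.lock.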