pimcore/pimcore Security Advisories for v11.5.0-RC2 (6)

[MEDIUM] Pimcore vulnerable to SQL injection via unsanitized filter value in Dependency Dao RLIKE clause
PKSA-8x4n-f9v2-4s1d CVE-2026-27461 GHSA-vxg3-v4p6-f3fp
Affected version: >=12.0.0,<12.3.3|<=11.5.14.1
Reported by: GitHub

[MEDIUM] Pimcore is Vulnerable to Broken Access Control: Missing Function Level Authorization on "Static Routes" Listing
PKSA-88th-p7sv-k9g4 CVE-2026-23494 GHSA-m3r2-724c-pwgf
Affected version: <=11.5.13|>=12.0.0-RC1,<=12.3
Reported by: GitHub

[HIGH] Pimcore ENV Variables and Cookie Informations are exposed in http_error_log
PKSA-9ss4-dj21-s7vh CVE-2026-23493 GHSA-q433-j342-rp9h
Affected version: <=11.5.13|>=12.0.0-RC1,<=12.3
Reported by: GitHub

[HIGH] Pimcore Has an Incomplete Patch for CVE-2023-30848
PKSA-hpvp-zv9c-rrr4 CVE-2026-23492 GHSA-qvr7-7g55-69xj
Affected version: <=11.5.13|>=12.0.0-RC1,<12.3.1
Reported by: GitHub

[MEDIUM] Pimcore Vulnerable to SQL Injection in getRelationFilterCondition
PKSA-2dyk-44y3-3rzz CVE-2025-27617 GHSA-qjpx-5m2p-5pgh
Affected version: <11.5.4
Reported by: GitHub

[HIGH] Pimcore Authenticated Stored Cross-Site Scripting (XSS) Via Search Document
PKSA-1njj-d9p2-mxd2 CVE-2024-11954 GHSA-xr3m-6gq6-22cg
Affected version: >=11.4.2,<11.5.3
Reported by: GitHub