Pimcore Platform v12.3.3 Stored XSS Vulnerability (CVE-2026-5362) Analysis

Pimcore Platform v12.3.3 Stored XSS Vulnerability Summary Vulnerability Overview Vulnerability Name: Pimcore Platform v12.3.3 – Stored XSS in Document Editable Embed rendering Vulnerability Type: Stored Cross-Site Scripting (Stored XSS) CVSS Score: 4.8 (Medium) CVE ID: CVE-2026-5362 Discoverer: Oscar Naveda (Fluid Attacks AI SAST Scanner) Vulnerability Principle: An attacker with the ability to edit document content can store malicious HTML/JavaScript in the "Document editable" field. When the page is published, the server renders user input directly as trusted HTML without escaping. Specifically, the function returns the input text as-is when processing unsupported URLs, allowing malicious scripts to execute. Impact Scope Affected Software: Pimcore Platform Affected Versions: v12.3.3 Prerequisites: The attacker must have permission to edit document content. Impact: Attackers can inject and execute arbitrary JavaScript code, potentially leading to session hijacking, data theft, or page tampering. Remediation Current Status: No official patch is currently available. Recommendation: Wait for the official release of a fixed version, or implement strict input validation and output escaping at the application layer. POC Code 1. Application-Level POC (HTML Payload) HTML-only payload: Mixed provider payload: 2. Dependency-Level POC (PHP Code) Used to verify the behavior of the underlying dependency:

Goal Reached Thanks to every supporter — we hit 100%!

Pimcore Platform v12.3.3 Stored XSS Vulnerability (CVE-2026-5362) Analysis