pimcore — Vulnerabilities & Security Advisories (135)

Browse all 135 CVE security advisories affecting pimcore. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Pimcore is an open-source digital experience platform primarily used for product information management and digital asset management. Its architecture, built on Symfony, exposes it to typical web application vulnerabilities. Historical Common Vulnerabilities and Exposures records indicate a prevalence of remote code execution, cross-site scripting, and privilege escalation flaws. These issues often stem from insufficient input validation and improper access controls within its content management modules. While no single catastrophic breach has defined its public history, the high volume of disclosed CVEs suggests persistent challenges in securing its complex feature set. Security assessments frequently highlight risks related to outdated dependencies and configuration errors. Organizations deploying this platform must prioritize rigorous patch management and continuous vulnerability scanning to mitigate the inherent risks associated with its extensive functionality and frequent updates.

Entries marked (AI) carry the page's own AI marker on the CVSS score and severity; "-" means no severity is given.

| CVE ID | Title | Component | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-5362 | Pimcore Platform v12.3.3 - Stored XSS in Document Editable Embed rendering | pimcore | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-04-27 |
| CVE-2026-5394 | Pimcore Platform v12.3.3 - SQL Injection in DataObject composite index handling | pimcore | CWE-89 | 7.2 (AI) | High (AI) | 2026-04-27 |
| CVE-2026-27461 | Pimcore vulnerable to SQL injection via unsanitized filter value in Dependency Dao RLIKE clause | pimcore | CWE-89 | 4.9 | - | 2026-02-24 |
| CVE-2026-23496 | Pimcore Web2Print Tools Bundle "Favourite Output Channel Configuration" Missing Function Level Authorization | pimcore | CWE-284 | 5.4 | Medium | 2026-01-15 |
| CVE-2026-23494 | Pimcore is Missing Function Level Authorization on "Static Routes" Listing | pimcore | CWE-284 | 4.3 | Medium | 2026-01-15 |
| CVE-2026-23495 | Pimcore's Admin Classic Bundle is Missing Function Level Authorization on "Predefined Properties" Listing | pimcore | CWE-284 | 4.3 | Medium | 2026-01-15 |
| CVE-2026-23493 | Pimcore ENV Variables and Cookie Information are exposed in http_error_log | pimcore | CWE-532 | 8.6 | High | 2026-01-15 |
| CVE-2026-23492 | Pimcore has a Blind SQL Injection in Admin Search Find API due to an incomplete fix for CVE-2023-30848 | pimcore | CWE-89 | 8.8 | High | 2026-01-14 |
| CVE-2025-30166 | Pimcore's Admin Classic Bundle allows HTML Injection | admin-ui-classic-bundle | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-04-08 |
| CVE-2025-27617 | Pimcore Vulnerable to SQL Injection in getRelationFilterCondition | pimcore | CWE-89 | 8.8 | - | 2025-03-11 |
| CVE-2025-24980 | Pimcore Admin Classic Bundle allows user enumeration | admin-ui-classic-bundle | CWE-204 | 5.3 | - | 2025-02-07 |
| CVE-2024-11956 | Pimcore customer-data-framework list SQL injection | customer-data-framework | CWE-89 | 4.7 | Medium | 2025-01-28 |
| CVE-2023-2332 | Stored Cross-site Scripting (XSS) in pimcore/pimcore | pimcore/pimcore | CWE-79 | 5.4 (AI) | Medium (AI) | 2024-11-15 |
| CVE-2024-49370 | Change-Password via Portal-Profile sets PimcoreBackendUser password without hashing | pimcore | CWE-256 | 6.5 (AI) | Medium (AI) | 2024-10-23 |
| CVE-2024-41109 | Pimcore vulnerable to disclosure of system and database information behind /admin firewall | admin-ui-classic-bundle | CWE-200 | 6.3 | Medium | 2024-07-30 |
| CVE-2024-32871 | Pimcore Vulnerable to Flooding Server with Thumbnail files | pimcore | CWE-770 | 7.5 | High | 2024-06-04 |
| CVE-2024-29197 | Pimcore Preview Documents are not restricted to logged in users anymore | pimcore | CWE-200 | 6.5 | Medium | 2024-03-26 |
| CVE-2024-25625 | Pimcore Host Header Injection in user invitation link | admin-ui-classic-bundle | CWE-74 | 8.1 | High | 2024-02-19 |
| CVE-2024-24822 | Pimcore Admin Classic Bundle permissions are not getting checked when working with tags | admin-ui-classic-bundle | CWE-862 | 6.5 | Medium | 2024-02-07 |
| CVE-2024-23646 | Pimcore Admin Classic Bundle SQL Injection in Admin download files as zip | admin-ui-classic-bundle | CWE-89 | 8.8 | High | 2024-01-24 |
| CVE-2024-23648 | Pimcore Admin Classic Bundle host header injection in the password reset | admin-ui-classic-bundle | CWE-74 | 8.8 | High | 2024-01-24 |
| CVE-2024-21667 | Pimcore Customer Data Framework Improper Access Control allows unprivileged user to access GDPR extracts | customer-data-framework | CWE-284 | 6.5 | Medium | 2024-01-11 |
| CVE-2024-21666 | Pimcore Customer Data Framework Improper Access Control allows unprivileged user to access customers duplicates list | customer-data-framework | CWE-284 | 6.5 | Medium | 2024-01-11 |
| CVE-2024-21665 | Pimcore Ecommerce Framework Bundle Improper Access Control allows unprivileged user to access back-office orders list | ecommerce-framework-bundle | CWE-284 | 4.3 | Medium | 2024-01-11 |
| CVE-2023-49076 | Pimcore missing token/header to prevent CSRF | customer-data-framework | CWE-352 | 4.3 | Medium | 2023-11-30 |
| CVE-2023-49075 | Pimcore Admin UI has Two Factor Authentication disabled for non admin security firewalls | admin-ui-classic-bundle | CWE-308 | 8.5 | High | 2023-11-28 |
| CVE-2023-47636 | Full Path Disclosure via re-export document in pimcore/admin-ui-classic-bundle | admin-ui-classic-bundle | CWE-209 | 5.3 | Medium | 2023-11-15 |
| CVE-2023-47637 | SQL Injection in Admin Grid Filter API in Pimcore | pimcore | CWE-89 | 8.8 | High | 2023-11-15 |
| CVE-2023-46722 | Pimcore Admin Classic Bundle Cross-site Scripting (XSS) in PDF previews | admin-ui-classic-bundle | CWE-80 | 6.1 | Medium | 2023-10-31 |
| CVE-2023-5873 | Cross-site Scripting (XSS) - Stored in pimcore/pimcore | pimcore/pimcore | CWE-79 | 5.4 | - | 2023-10-31 |

This page lists every published CVE security advisory associated with pimcore. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.