Pimcore

This hub aggregates every CVE we track for Pimcore, a product in the web cms plugins space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Pimcore.

• CVE-2026-5362Pimcore Platform v12.3.3 - Stored XSS in Document Editable Embed rendering5.4Apr 27, 2026
• CVE-2026-27461Pimcore vulnerable to SQL injection via unsanitized filter value in Dependency Dao RLIKE clause4.9Feb 24, 2026
• CVE-2026-23496Pimcore Web2Print Tools Bundle "Favourite Output Channel Configuration" Missing Function Level Authorization5.4Jan 15, 2026
• CVE-2026-23494Pimcore is Missing Function Level Authorization on "Static Routes" Listing4.3Jan 15, 2026
• CVE-2026-23495Pimcore's Admin Classic Bundle is Missing Function Level Authorization on "Predefined Properties" Listing4.3Jan 15, 2026
• CVE-2026-23493Pimcore ENV Variables and Cookie Informations are exposed in http_error_log8.6Jan 15, 2026
• CVE-2026-23492Pimcore has a Blind SQL Injection in Admin Search Find API due to an incomplete fix for CVE-2023-308488.8Jan 14, 2026
• CVE-2025-27617Pimcore Vulnerable to SQL Injection in getRelationFilterCondition8.8Mar 11, 2025
• CVE-2024-11956Pimcore customer-data-framework list sql injection4.7Jan 28, 2025
• CVE-2024-11954Pimcore Search Document cross site scripting2.4Jan 28, 2025
• CVE-2023-2332Stored Cross-site Scripting (XSS) in pimcore/pimcore4.8Nov 15, 2024
• CVE-2024-49370Change-Password via Portal-Profile sets PimcoreBackendUser password without hashing4.9Oct 23, 2024
• CVE-2024-32871Pimcore Vulnerable to Flooding Server with Thumbnail files7.5Jun 4, 2024
• CVE-2024-29197Pimcore Preview Documents are not restricted to logged in users anymore6.5Mar 26, 2024
• CVE-2023-49076Pimcore missing token/header to prevent CSRF4.3Nov 30, 2023