Admin classic bundle

This hub aggregates every CVE we track for Admin classic bundle, a product in the web cms plugins space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 14 most recently published vulnerabilities affecting Admin classic bundle.

• CVE-2026-23495Pimcore's Admin Classic Bundle is Missing Function Level Authorization on "Predefined Properties" Listing4.3Jan 15, 2026
• CVE-2025-30166Pimcore's Admin Classic Bundle allows HTML Injection4.8Apr 8, 2025
• CVE-2025-24980Pimcore Admin Classic Bundle allows user enumeration5.3Feb 7, 2025
• CVE-2024-41109Pimcore vulnerable to disclosure of system and database information behind /admin firewall6.3Jul 30, 2024
• CVE-2024-25625Pimcore Host Header Injection in user invitation link8.1Feb 19, 2024
• CVE-2024-24822Pimcore Admin Classic Bundle permissions are not getting checked when working with tags6.5Feb 7, 2024
• CVE-2024-23646Pimcore Admin Classic Bundle SQL Injection in Admin download files as zip8.8Jan 24, 2024
• CVE-2024-23648Pimcore Admin Classic Bundle host header injection in the password reset8.8Jan 24, 2024
• CVE-2023-49075Pimcore Admin UI has Two Factor Authentication disabled for non admin security firewalls8.4Nov 28, 2023
• CVE-2023-47636Full Path Disclosure via re-export document in pimcore/admin-ui-classic-bundle5.3Nov 15, 2023
• CVE-2023-46722Pimcore Admin Classic Bundle Cross-site Scripting (XSS) in PDF previews6.1Oct 31, 2023
• CVE-2023-5844Unverified Password Change in pimcore/admin-ui-classic-bundle7.2Oct 30, 2023
• CVE-2023-42817Cross-site Scripting (XSS) in pimcore admin-ui-classic-bundle translations5.4Sep 25, 2023
• CVE-2023-37280Pimcore admin UI vulnerable to Cross-site Scripting in two factor authentication setup page5.0Jul 11, 2023