pkg:Packagist/pimcore/pimcore

All known vulnerabilities

• CRITICAL9.8CVE-2022-39365RCE vulnerability in Pimcore/Mail & Dynamic Text Layout
  from 0, < 10.5.9
• CRITICAL9.8CVE-2019-18981Pimcore Access Control Issues
  from 0, < 6.2.2
• CRITICAL9.8CVE-2019-18985Pimcore 2FA Vulnerable to Brute Forcing
  from 0, < 6.2.2
• HIGH8.8CVE-2026-23492Pimcore Has an Incomplete Patch for CVE-2023-30848
  >= 12.0.0-RC1, < 12.3.1
• HIGH8.8CVE-2023-47637Pimcore SQL Injection in Admin Grid Filter API through Multiselect::getFilterConditionExt()
  from 0, < 11.1.1
• HIGH8.8CVE-2023-2338SQL Injection in AssetController
  from 0, < 10.5.21
• HIGH8.8CVE-2023-30850SQL Injection in Admin Translations API
  from 0, < 10.5.21
• HIGH8.8CVE-2023-30849SQL Injection in Translation Export API
  from 0, < 10.5.21
• HIGH8.8CVE-2023-30848SQL Injection in Admin Search Find API
  from 0, < 10.5.21
• HIGH8.8CVE-2023-25240SameSite Attribute vulnerability in pimCore
  from 0, < 10.5.16
• HIGH8.8CVE-2019-16317Pimcore RCE via PHAR upload
  from 0, < 5.7.1
• HIGH8.8CVE-2019-16318Pimcore Unrestricted Upload of File with Dangerous Type
  from 0, < 5.7.1
• HIGH8.8CVE-2018-14057Pimcore CSRF Vulnerability
  from 0, < 5.3.0
• HIGH8.8CVE-2019-10867Pimcore Unserialize Remote Code Execution
  from 0, < 5.7.1
• HIGH8.8CVE-2021-23405SQL injection in pimcore/pimcore
  from 0, < 10.0.7
• HIGH8.7CVE-2026-44739Pimcore Vulnerable to SQL Injection in Custom Reports Column Configuration
  from 0, < 12.3.6
• HIGH8.6CVE-2026-23493Pimcore ENV Variables and Cookie Informations are exposed in http_error_log
  >= 12.0.0-RC1, < 12.3.1
• HIGH8.3CVE-2022-0258pimcore is vulnerable to SQL Injection
  from 0, < 10.2.9
• HIGH8.1CVE-2026-45260Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling
  from 0, < 12.3.7
• HIGH8.1CVE-2024-11954Pimcore Authenticated Stored Cross-Site Scripting (XSS) Via Search Document
  >= 11.4.2, < 11.5.3
• HIGH8.1CVE-2022-31092Improper quoting of columns when using setOrderBy() or setGroupBy() on listing classes in Pimcore
  from 0, < 10.4.4
• HIGH8.0CVE-2026-45162Pimcore has Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction
  from 0, < 12.3.7
• HIGH8.0CVE-2021-39166Improper Neutralization of Text-Values in Object Version Preview
  from 0, < 10.1.2
• HIGH8.0CVE-2021-39170Improper Encoding or Escaping of Output in Asset Metadata Component
  from 0, < 10.1.2
• HIGH7.9CVE-2023-28108Improper quoting of columns when calling methods "getByUuid" & "exists" on UUID Model
  from 0, < 10.5.19
• HIGH7.8CVE-2022-0263Unrestricted Upload of File with Dangerous Type in pimcore
  from 0, < 10.2.7
• HIGH7.6CVE-2023-3819Pimcore vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
  from 0, < 10.6.4
• HIGH7.5CVE-2024-32871Flooding Server with Thumbnail files
  >= 11.0.0, < 11.2.4
• HIGH7.5CVE-2019-18986Pimcore Discloses Usernames In Use
  from 0, < 6.2.2
• HIGH7.5CVE-2022-1429SQL Injection found in Pimcore
  from 0, < 10.3.6
• HIGH7.5CVE-2022-1339SQL Injection in Pimcore
  from 0, < 10.3.5
• HIGH7.5CVE-2022-1219SQL Injection in Pimcore
  from 0, < 10.3.5
• HIGH7.2CVE-2023-3820Pimcore vulnerable to SQL Injection in Dataobjects sorting
  from 0, < 10.6.4
• HIGH7.2CVE-2023-3673Pimcore SQL Injection vulnerability
  from 0, < 10.5.24
• HIGH7.2CVE-2020-7759SQL Injection in pimcore
  >= 6.7.2, < 6.8.3
• HIGH7.1CVE-2021-23340Path traversal in pimcore/pimcore
  from 0, < 6.8.8
• MEDIUM6.8CVE-2023-2616Pimcore Cross-site Scripting (XSS) in Static Routes name field
  from 0, < 10.5.21
• MEDIUM6.8CVE-2023-2615Pimcore Cross-site Scripting (XSS) in Predefined Properties delete
  from 0, < 10.5.21
• MEDIUM6.8CVE-2023-2323Cross-site Scripting (XSS) in Ecommerce Pricing Rules name field
  from 0, < 10.5.21
• MEDIUM6.8CVE-2022-3255Pimcore vulnerable to cross site scripting
  from 0, < 10.5.7
• MEDIUM6.8CVE-2022-1351Cross-site Scripting in Pimcore
  from 0, < 10.4
• MEDIUM6.7CVE-2022-2796Pimcore Cross-site Scripting (XSS)
  from 0, < 10.5.4
• MEDIUM6.6CVE-2022-0262Cross-site Scripting in pimcore
  from 0, < 10.2.7
• MEDIUM6.6CVE-2021-4139Cross-site Scripting in pimcore
  from 0, < 10.2.7
• MEDIUM6.5CVE-2023-2983Pimcore Privilege Defined With Unsafe Actions vulnerability
  from 0, < 10.5.23
• MEDIUM6.5CVE-2023-30855Pimcore Path Traversal Vulnerability in AdminBundle/Controller/Reports/CustomReportController.php
  from 0, < 10.5.18
• MEDIUM6.5CVE-2023-2336Path Traversal in Asset "import from server" option
  from 0, < 10.5.21
• MEDIUM6.5CVE-2023-1578Pimcore Remote Code Execution vulnerability in Search function
  from 0, < 10.5.19
• MEDIUM6.5CVE-2018-14058Pimcore SQLi Vulnerability
  from 0, < 5.3.0
• MEDIUM6.5CVE-2022-0665Path traversal in pimcore
  from 0, < 10.3.2
• MEDIUM6.5CVE-2019-10763Data leakage via SQL Injection in Pimcore
  from 0, < 6.3.0
• MEDIUM6.4CVE-2026-45703Pimcore has a WordExport Authorization Bypass for Unauthorized Document Export
  from 0, < 12.3.7
• MEDIUM6.4CVE-2022-0565Cross-site Scripting in pimcore
  from 0, < 10.3.1
• MEDIUM6.3CVE-2023-38708Pimcore Path Traversal Vulnerability in AssetController:importServerFilesAction
  from 0, < 10.6.7
• MEDIUM6.3CVE-2023-2984Pimcore vulnerable to Pre-Auth Path Traversal in pimcore_log parameter
  from 0, < 10.5.22
• MEDIUM6.3CVE-2023-0827Cross-site Scripting in pimcore
  from 0, < 1.5.17
• MEDIUM6.2CVE-2023-28438Pimcore vulnerable to improper quoting of filters in Custom Reports
  from 0, < 10.5.19
• MEDIUM6.1CVE-2023-3821Pimcore Cross-site Scripting vulnerability
  from 0, < 10.6.4
• MEDIUM6.1CVE-2023-2341Cross-site Scripting (XSS) in Admin Login too many attempts notice
  from 0, < 10.5.21
• MEDIUM6.1CVE-2023-28429Pimcore has Cross-site Scripting vulnerability in DataObject tooltip field
  from 0, < 10.5.19
• MEDIUM6.1CVE-2019-18982Pimcore Cross-site Scripting (XSS) vulnerability
  from 0, < 6.3.0
• MEDIUM6.1CVE-2019-18656Pimcore XSS Vulnerability
  from 0, < 6.3.0
• MEDIUM6.1CVE-2021-4084Cross-site Scripting in pimcore
  from 0, < 10.2.6
• MEDIUM6.1CVE-2021-4081pimcore is vulnerable to Cross-site Scripting
  from 0, < 10.2.6
• MEDIUM6.0CVE-2023-3822Pimcore Cross-site Scripting vulnerability
  from 0, < 10.6.4
• MEDIUM5.4CVE-2023-5873Pimcore Cross-site Scripting vulnerability
  from 0, < 11.1.0
• MEDIUM5.4CVE-2023-4453Pimcore Cross-site Scripting (XSS) vulnerability in DataObject datetime fields
  from 0, < 10.6.8
• MEDIUM5.4CVE-2023-2730Pimcore Cross-site Scripting vulnerability
  from 0, < 10.3.3
• MEDIUM5.4CVE-2023-2361Cross-site Scripting (XSS) in pimcore
  from 0, < 10.5.21
• MEDIUM5.4CVE-2023-2340Cross-site Scripting (XSS) in DataObject columns grid
  from 0, < 10.5.21
• MEDIUM5.4CVE-2023-2339Cross-site Scripting (XSS) in DataObject Any Getter grid operator
  from 0, < 10.5.21
• MEDIUM5.4CVE-2023-2342Cross-site Scripting (XSS) in Website Settings name field
  from 0, < 10.5.21
• MEDIUM5.4CVE-2023-2343Cross-site Scripting (XSS) in DataObject Classification Store
  from 0, < 10.5.21
• MEDIUM5.4CVE-2023-1703pimcore is vulnerable to cross-site scripting in Composite indices key field
  from 0, < 10.5.20
• MEDIUM5.4CVE-2023-1515Pimcore vulnerable to Cross-site Scripting (XSS) in Redirects
  from 0, < 10.5.19
• MEDIUM5.4CVE-2023-1429Cross-site Scripting (XSS) in Document Types
  from 0, < 10.5.19
• MEDIUM5.4CVE-2023-1116Pimcore vulnerable to Cross Site Scripting in Email Blacklist
  from 0, < 10.5.18
• MEDIUM5.4CVE-2023-1117Pimcore vulnerable to Cross Site Scripting in image/video thumbnail config
  from 0, < 10.5.18
• MEDIUM5.4CVE-2023-1115Pimcore vulnerable to Cross Site Scripting in Documents Link Editable
  from 0, < 10.5.18
• MEDIUM5.4CVE-2023-1067Pimcore vulnerable to Cross-site Scripting
  from 0, <= 10.5.17
• MEDIUM5.4CVE-2023-23937Pimcore contains Unrestricted Upload of File with Dangerous Type
  from 0, < 10.5.16
• MEDIUM5.4CVE-2023-0323pimcore is vulnerable to cross-site scripting via "title field " in data objects
  from 0, < 10.5.14
• MEDIUM5.4CVE-2022-3211Pimcore vulnerable to stored stored Cross-site Scripting via`properties` when creating new users
  from 0, < 10.5.6
• MEDIUM5.4CVE-2018-14059Pimcore XSS Vulnerability
  from 0, < 5.3.0
• MEDIUM5.4CVE-2022-0911Cross-site Scripting in Pimcore
  from 0, < 10.4.0
• MEDIUM5.4CVE-2022-0704Cross-site Scripting in Pimcore
  from 0, < 10.4.0
• MEDIUM5.4CVE-2022-0705Cross-site Scripting in Pimcore
  from 0, < 10.4.0
• MEDIUM5.4CVE-2022-0894Cross-site Scripting in Pimcore
  from 0, < 10.4.0
• MEDIUM5.4CVE-2022-0893Cross-site Scripting in Pimcore
  from 0, < 10.4.0
• MEDIUM5.4CVE-2022-0831Cross-site Scripting in Pimcore
  from 0, < 10.3.3
• MEDIUM5.4CVE-2022-0832Cross-site Scripting in Pimcore
  from 0, < 10.3.3
• MEDIUM5.4CVE-2022-0509Cross-site Scripting in pimcore
  from 0, < 10.3.1
• MEDIUM5.4CVE-2022-0510Cross-site Scripting pimcore
  from 0, < 10.3.1
• MEDIUM5.4CVE-2022-0348Cross-site Scripting in pimcore
  from 0, < 10.2.10
• MEDIUM5.4CVE-2022-0251Cross-site Scripting in Pimcore
  from 0, < 10.2.10
• MEDIUM5.4CVE-2022-0260Cross-site Scripting in pimcore
  from 0, < 10.2.9
• MEDIUM5.4CVE-2022-0257pimcore is vulnerable to Cross-site Scripting
  from 0, < 10.2.9
• MEDIUM5.4CVE-2022-0256pimcore is vulnerable to Cross-site Scripting
  from 0, < 10.2.9
• MEDIUM5.4CVE-2022-0285Cross-site Scripting in pimcore
  from 0, < 10.2.9
• MEDIUM5.3CVE-2021-39189Observable Response Discrepancy in Lost Password Service
  from 0, < 10.1.3
• MEDIUM5.2CVE-2023-2328Cross-site Scripting (XSS) in DataObjects QuantityValue Unit Definition
  from 0, < 10.5.21
• MEDIUM5.2CVE-2023-2322Cross-site Scripting (XSS) in Document Properties Parameter
  from 0, < 10.5.21
• MEDIUM4.8CVE-2023-2630Pimcore Cross-site Scripting (XSS) vulnerability in Admin Translations
  from 0, < 10.5.21
• MEDIUM4.8CVE-2023-1517Pimcore has Cross site Scripting vulnerability in Schedule tab of Documents
  from 0, < 10.5.19
• MEDIUM4.8CVE-2023-28106Cross-site Scripting (XSS) in UrlSlug Data type
  from 0, < 10.5.19
• MEDIUM4.8CVE-2023-1312pimcore is vulnerable to cross-site scripting
  from 0, < 10.5.19
• MEDIUM4.8CVE-2023-1286Cross-site Scripting (XSS) in pimcore/pimcore
  from 0, < 10.5.19
• MEDIUM4.4CVE-2023-30852Arbitrary File Read in Admin JS CSS files
  from 0, < 10.5.21
• MEDIUM4.3CVE-2026-23494Pimcore is Vulnerable to Broken Access Control: Missing Function Level Authorization on "Static Routes" Listing
  >= 12.0.0-RC1, < 12.3.1
• MEDIUM4.3CVE-2021-4146Business Logic Errors in pimcore
  from 0, < 10.2.9
• MEDIUM4.3CVE-2021-4082pimcore is vulnerable to Cross-Site Request Forgery (CSRF)
  from 0, < 10.2.6
• MEDIUM4.0CVE-2023-2332Cross-site Scripting (XSS) in Conditions tab of Pricing Rules
  from 0, < 10.5.21
• MEDIUM4.0CVE-2023-2327Cross-site Scripting (XSS) in pimcore via DataObject Class date fields
  from 0, < 10.5.21
• —CVE-2026-45704Pimcore has a CustomReports Share Bypass
  from 0, < 12.3.6
• —CVE-2026-5362Pimcore has an authenticated Cross-site Scripting issue
• —CVE-2026-5394Pimcore Platform - SQL Injection in DataObject composite index handling during class definition import/save
  from 0, < 12.3.7
• —CVE-2026-5394Pimcore Platform - SQL Injection in DataObject composite index handling during class definition import/save
• —CVE-2026-27461Pimcore vulnerable to SQL injection via unsanitized filter value in Dependency Dao RLIKE clause
  from 0, <= 11.5.14.1
• —CVE-2025-27617Pimcore Vulnerable to SQL Injection in getRelationFilterCondition
  from 0, < 11.5.4
• —CVE-2023-2614Pimcore Cross-site Scripting (XSS) in name field of Custom Reports
  from 0, < 10.5.21
• —CVE-2023-1701Pimcore vulnerable to Reflected XSS in Predefined Properties module in Settings
  from 0, < 10.5.20
• —CVE-2023-1702Pimcore Cross-site Scripting in Predefined Asset Metadata module in Settings
  from 0, < 10.5.20
• —CVE-2023-1704pimcore is vulnerable to cross-site scripting in translate module
  from 0, < 10.5.20
• —CVE-2014-2921Pimcore Vulnerable to PHP Object Injection Attacks
  >= 1.4.9, < 2.2.0
• —CVE-2021-37702Improper Neutralization of Formula Elements in a CSV File in pimcore/pimcore
  from 0, < 10.1.1