CVE-2026-5394: Pimcore: Attackers can execute SQL code via data object definitions

Identifiers: CVE-2026-5394 · GHSA-c8g3-x47w-8q7p (withdrawn as duplicate) · GHSA-r2f4-ff2p-xc64
Summary

An attacker with administrative access to Pimcore can inject attacker-controlled composite index metadata into DataObject class definitions, causing the backend to execute unintended SQL. This can compromise data integrity or lead to unauthorized access. Update to Pimcore 12.3.7 or later to fix this issue.

What to do
  • Update the Composer package pimcore/pimcore to version 12.3.7 or later.
Affected software
Ecosystem   Vendor    Product           Affected versions     Fix
composer    pimcore   pimcore           12.3.3, <= 12.3.6     upgrade to 12.3.7
Packagist   pimcore   pimcore/pimcore   < 12.3.7              upgrade to 12.3.7
Original title
Duplicate Advisory: Pimcore admin users can trigger SQL Injection
Original description
### Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-r2f4-ff2p-xc64. This link is maintained to preserve external references.

### Original Description
An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend.

This issue affects pimcore: 12.3.3.
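The mechanism in the original description is CWE-89 in identifier position: names taken from composite index metadata end up in DDL, where they cannot be bound as query parameters, so the only defence is a strict allow-list before rendering. The Python below is an added example written for this page; it is not Pimcore's code and not the fix shipped in 12.3.7. It assumes a class-definition export shaped as JSON with a "compositeIndices" list whose entries carry "index_key", "index_type" and "index_columns", and a backend that turns each entry into an ALTER TABLE ... ADD INDEX statement against a table named object_<class id>; the sample export and the crafted index key are constructed for the example. It shows the vulnerable interpolation beside a hardened builder, plus a pre-import scanner an administrator could run over an export before uploading it.

```python
import json
import re

# Assumptions (not taken from the advisory or from Pimcore's source):
# - a class definition export is JSON with a "compositeIndices" list whose
#   entries carry "index_key", "index_type" and "index_columns";
# - the backend renders each entry as ALTER TABLE <object table> ADD INDEX.
# MySQL/MariaDB identifiers are at most 64 characters; the allow-list here
# is deliberately stricter than what the database would accept.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")
ALLOWED_INDEX_TYPES = {"index", "unique"}


class UnsafeIndexDefinition(ValueError):
    """Raised when composite index metadata is not a plain identifier set."""


def render_index_sql(table, index):
    """Vulnerable pattern: metadata is interpolated straight into DDL.
    Identifiers cannot be bound as parameters, so anything the metadata
    contains (backticks, parentheses, comment markers) becomes SQL."""
    columns = ", ".join(f"`{c}`" for c in index["index_columns"])
    kind = "UNIQUE INDEX" if index.get("index_type") == "unique" else "INDEX"
    return f"ALTER TABLE `{table}` ADD {kind} `{index['index_key']}` ({columns})"


def validate_index(index):
    """Allow-list check: key and every column must be a plain identifier,
    the type must come from a closed set. Returns the index unchanged."""
    key = index.get("index_key")
    if not isinstance(key, str) or not IDENTIFIER_RE.match(key):
        raise UnsafeIndexDefinition(f"index_key is not a plain identifier: {key!r}")
    index_type = index.get("index_type", "index")
    if index_type not in ALLOWED_INDEX_TYPES:
        raise UnsafeIndexDefinition(f"index_type not allowed: {index_type!r}")
    columns = index.get("index_columns") or []
    if not columns:
        raise UnsafeIndexDefinition("index_columns is empty")
    for column in columns:
        if not isinstance(column, str) or not IDENTIFIER_RE.match(column):
            raise UnsafeIndexDefinition(f"index column is not a plain identifier: {column!r}")
    return index


def is_safe_index(index):
    """Boolean wrapper around validate_index for callers that do not want exceptions."""
    try:
        validate_index(index)
    except UnsafeIndexDefinition:
        return False
    return True


def build_index_sql(table, index):
    """Hardened builder: renders the statement only after the table name and
    every name in the metadata passed the allow-list, so the output contains
    nothing but the fixed DDL skeleton and backtick-quoted identifiers."""
    if not IDENTIFIER_RE.match(table):
        raise UnsafeIndexDefinition(f"table is not a plain identifier: {table!r}")
    return render_index_sql(table, validate_index(index))


def scan_class_definition(definition_json):
    """Pre-import check over an exported class definition: returns a list of
    (index_key, reason) for every composite index that fails validation.
    An empty list means the export is clean with respect to this check."""
    definition = json.loads(definition_json)
    findings = []
    for index in definition.get("compositeIndices", []):
        try:
            validate_index(index)
        except UnsafeIndexDefinition as exc:
            findings.append((index.get("index_key"), str(exc)))
    return findings


# Constructed sample export (not real data): one clean index, one whose key
# closes the quoted name and supplies its own column list, and one with a
# backtick inside a column name.
SAMPLE_EXPORT = json.dumps({
    "id": "product",
    "compositeIndices": [
        {"index_key": "sku_lookup", "index_type": "index",
         "index_columns": ["sku", "active"]},
        {"index_key": "idx` (`id`)) -- ", "index_type": "index",
         "index_columns": ["name"]},
        {"index_key": "by_owner", "index_type": "unique",
         "index_columns": ["owner_id", "x`y"]},
    ],
})
CLEAN_INDEX = json.loads(SAMPLE_EXPORT)["compositeIndices"][0]
CRAFTED_INDEX = json.loads(SAMPLE_EXPORT)["compositeIndices"][1]

if __name__ == "__main__":
    # The vulnerable renderer lets the crafted key rewrite the statement
    # structure; the hardened builder refuses it before any SQL exists.
    print(render_index_sql("object_product", CRAFTED_INDEX))
    print(build_index_sql("object_product", CLEAN_INDEX))
    for key, reason in scan_class_definition(SAMPLE_EXPORT):
        print(f"REJECT {key!r}: {reason}")
```

The crafted key shows why backtick quoting alone is not a fix: the rendered statement still reads as valid DDL, just not the DDL the administrator configured. Rejecting anything outside the identifier allow-list, rather than trying to escape it, is the check that closes the identifier-position variant of CWE-89.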
Severity: NVD CVSS 4.0 score 7.0
Vulnerability type
CWE-89 SQL Injection
Published: 27 Apr 2026 · Updated: 15 Jun 2026 · First seen: 27 Apr 2026