CVE-2026-11407

HIGH 7.2

Pimcore CMS 12.3.8 Twig Sandbox Bypass via SecurityPolicy checkMethodAllowed

CVSS Score

7.2

EPSS Score

0.0%

EPSS Percentile

0th

Pimcore CMS/DXP version 12.3.8 contains a sandbox bypass vulnerability that allows authenticated administrative attackers to execute arbitrary methods on PHP objects by exploiting empty checkMethodAllowed() and checkPropertyAllowed() implementations in the custom Twig SecurityPolicy. Attackers can supply malicious Twig templates through the DataObject ClassDefinition Layout\Text component to perform arbitrary file reads, execute arbitrary database queries, and potentially achieve remote code execution via PHP object gadget chains, with the pimcore_* function wildcard further broadening the bypass to all Pimcore Twig functions.

CWE	CWE-1336
Vendor	pimcore gmbh
Product	pimcore cms/dxp
Published	Jun 17, 2026

Stay Ahead of the Next One

Get instant alerts for pimcore gmbh pimcore cms/dxp

Be the first to know when new high vulnerabilities affecting pimcore gmbh pimcore cms/dxp are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Pimcore GmbH / Pimcore CMS/DXP

0 ≤ 12.3.8

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/pimcore/pimcore/pull/19193 github.com: https://github.com/pimcore/pimcore/commit/fffa7f6396329e88610db70a8652529bbc734892 vulncheck.com: https://www.vulncheck.com/advisories/pimcore-cms-twig-sandbox-bypass-via-securitypolicy-checkmethodallowed

Credits

Saidakbarxon Maxsudxonov