CVE Alert

CVE-2026-5394

UNKNOWN 0.0

Pimcore Platform v12.3.3 - SQL Injection in DataObject composite index handling

CVSS Score 0.0
EPSS Score 0.0%
EPSS Percentile 0th

An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend. This issue affects pimcore: 12.3.3.

CWE CWE-89
Vendor pimcore
Product pimcore
Published Apr 27, 2026

Affected Versions

pimcore / pimcore
12.3.3

References

fluidattacks.com: https://fluidattacks.com/es/advisories/dragons
github.com: https://github.com/pimcore/pimcore

Credits

Oscar Naveda
Fluid Attacks' AI SAST Scanner