PT-2026-21658 · Pimcore · Pimcore
Q1Uf3Ng · Published 2026-02-24 · Updated 2026-02-25 · CVE-2026-27461
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Pimcore versions up to and including 11.5.14.1
Pimcore versions up to and including 12.3.2

Description
Pimcore is an Open Source Data & Experience Management Platform. The filter query parameter of the dependency listing endpoints is processed without proper sanitization, allowing for potential database extraction: the parameter is JSON-decoded and its value is incorporated directly into RLIKE clauses without adequate security measures. Successful exploitation requires administrative authentication. An attacker with admin panel access could potentially extract the entire database, including the password hashes of other administrative users. Affected endpoints: dependency listing functionality. Vulnerable parameter: filter query.

Recommendations
Update to Pimcore version 12.3.3 or later.
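The pattern the description refers to, shown as an added illustration rather than Pimcore's own code: a JSON-decoded filter value spliced into a RLIKE clause, beside a hardened version that whitelists the column and binds the value. The `dependencies` table, its column names and the PDO setup are assumptions for the example.

```php
<?php
// Added illustration, not Pimcore's own code: the anti-pattern the advisory
// describes (JSON-decoded "filter" values spliced into RLIKE clauses) beside a
// hardened version. Assumes PDO on MySQL/MariaDB and a hypothetical
// `dependencies` table with the columns listed below.
declare(strict_types=1);
const FILTERABLE_COLUMNS = ['sourceid', 'sourcetype', 'targetid', 'targettype'];
const MAX_PATTERN_LENGTH = 200; // keep caller-controlled regexes small

// Vulnerable pattern: column and value land in the SQL string verbatim.
function buildWhereUnsafe(string $filterJson): string
{
    $parts = [];
    foreach ((array) json_decode($filterJson, true) as $f) {
        $parts[] = $f['property'] . " RLIKE '" . $f['value'] . "'";
    }
    return $parts ? 'WHERE ' . implode(' AND ', $parts) : '';
}

// Hardened pattern: whitelist the column, require a bounded string value,
// and hand the value to the driver as a bound parameter, not as SQL text.
function buildWhereSafe(string $filterJson): array
{
    $filters = json_decode($filterJson, true, 512, JSON_THROW_ON_ERROR);
    $parts = [];
    $params = [];
    foreach ((array) $filters as $i => $f) {
        if (!is_array($f) || !isset($f['property'], $f['value'])) {
            throw new InvalidArgumentException('malformed filter entry');
        }
        if (!in_array($f['property'], FILTERABLE_COLUMNS, true)) {
            throw new InvalidArgumentException('column not filterable');
        }
        if (!is_string($f['value']) || strlen($f['value']) > MAX_PATTERN_LENGTH) {
            throw new InvalidArgumentException('filter value must be a short string');
        }
        $name = ':f' . (int) $i;
        $parts[] = '`' . $f['property'] . '` RLIKE ' . $name;
        $params[$name] = $f['value'];
    }
    return [$parts ? 'WHERE ' . implode(' AND ', $parts) : '', $params];
}

function listDependencies(PDO $db, string $filterJson): array
{
    [$where, $params] = buildWhereSafe($filterJson);
    $stmt = $db->prepare('SELECT * FROM dependencies ' . $where);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

Binding the value removes the injection, but the regex itself is still caller-supplied, which is why the length cap is there; since the advisory rates these endpoints as requiring admin authentication, the hardened query still belongs behind that authorization check.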

Weakness Enumeration
SQL injection

Related Identifiers
CVE-2026-27461
GHSA-VXG3-V4P6-F3FP

Affected Products
Pimcore