CVE-2026-5394

Name of the Vulnerable Software and Affected Versions Pimcore version 12.3.3

Description An authenticated administrative user with permissions to import or save DataObject class definitions can inject malicious composite index metadata. This action allows the execution of unintended SQL commands in the backend, leading to a SQL injection, which is a technique where an attacker inserts malicious SQL code into a query to manipulate a database.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.