PT-2026-50531 · Pimcore Gmbh · Pimcore Cms/Dxp

Saidakbarxon Maxsudxonov · Published 2026-06-17 · Updated 2026-06-17 · CVE-2026-11407

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Pimcore CMS/DXP version 12.3.8

Description: A sandbox bypass allows authenticated administrative attackers to execute arbitrary methods on PHP objects. It occurs because the checkMethodAllowed() and checkPropertyAllowed() implementations in the custom Twig SecurityPolicy are empty, so no method or property access is ever rejected. By supplying malicious Twig templates through the 'DataObject ClassDefinition LayoutText' component, attackers can perform arbitrary file reads and execute arbitrary database queries. Furthermore, the pimcore * function wildcard extends the bypass to all Pimcore Twig functions, potentially leading to remote code execution via PHP object gadget chains.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
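For contrast with the empty checks described above, here is an added illustration (not Pimcore's code) of a Twig SecurityPolicy that actually enforces per-class method and property allowlists and allows functions only by exact name rather than by wildcard. The class name, the allowlist contents and the Twig 3 sandbox interface usage are assumptions for the example.

```php
<?php
// Added example: an allowlisting Twig sandbox policy. Hypothetical; not Pimcore's code.
use Twig\Sandbox\SecurityNotAllowedFunctionError;
use Twig\Sandbox\SecurityNotAllowedMethodError;
use Twig\Sandbox\SecurityNotAllowedPropertyError;
use Twig\Sandbox\SecurityPolicyInterface;

final class AllowlistSecurityPolicy implements SecurityPolicyInterface
{
    /**
     * @param array<string, string[]> $allowedMethods    class => lower-cased method names
     * @param array<string, string[]> $allowedProperties class => property names
     * @param string[]                $allowedFunctions  exact Twig function names (no wildcards)
     */
    public function __construct(
        private array $allowedMethods,
        private array $allowedProperties,
        private array $allowedFunctions,
    ) {}

    // Called once per compiled template: every function must be explicitly listed.
    public function checkSecurity($tags, $filters, $functions): void
    {
        foreach ($functions as $function) {
            if (!in_array($function, $this->allowedFunctions, true)) {
                throw new SecurityNotAllowedFunctionError(
                    sprintf('Function "%s" is not allowed.', $function), $function);
            }
        }
    }

    // Called at runtime for obj.method(); deny unless (class, method) is allowlisted.
    public function checkMethodAllowed($obj, $method): void
    {
        $method = strtolower($method); // Twig normalises method names to lower case
        foreach ($this->allowedMethods as $class => $methods) {
            if ($obj instanceof $class && in_array($method, $methods, true)) {
                return;
            }
        }
        throw new SecurityNotAllowedMethodError(
            sprintf('Calling "%s" on "%s" is not allowed.', $method, get_class($obj)),
            get_class($obj), $method);
    }

    // Called at runtime for obj.property; same allowlist rule for properties.
    public function checkPropertyAllowed($obj, $property): void
    {
        foreach ($this->allowedProperties as $class => $props) {
            if ($obj instanceof $class && in_array($property, $props, true)) {
                return;
            }
        }
        throw new SecurityNotAllowedPropertyError(
            sprintf('Reading "%s" on "%s" is not allowed.', $property, get_class($obj)),
            get_class($obj), $property);
    }
}
```

A policy whose two runtime checks return without throwing, as the description states, lets the sandbox accept any method or property access, which is the root cause this advisory records.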

Weakness Enumeration

Related Identifiers

CVE-2026-11407

Affected Products

Pimcore Cms/Dxp