Sandbox Bypass Vulnerability in Pimcore CMS/DXP by Pimcore
CVE-2026-11407

8.6 HIGH

Key Information:

Vendor: Pimcore
CVE Published: 17 June 2026

What is CVE-2026-11407?

A vulnerability in Pimcore CMS/DXP version 12.3.8 allows authenticated administrative users to bypass the sandboxing mechanisms intended to restrict PHP object manipulation from templates. Because the checkMethodAllowed() and checkPropertyAllowed() functions of the custom Twig SecurityPolicy are implemented incorrectly, an attacker can inject malicious Twig templates that escape the sandbox. This can lead to unauthorized file reads and the ability to execute arbitrary database queries. The impact is compounded by the use of a pimcore_* function wildcard in the policy, which exposes every Pimcore Twig function to sandboxed templates and potentially enables remote code execution through crafted PHP object gadget chains.
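The advisory describes two weaknesses in a sandbox policy: method and property checks that can be bypassed, and a prefix wildcard that grants access to a whole family of functions. The following is an added example of a deny-by-default Twig sandbox policy written for this page; it is not Pimcore's code and does not reproduce the faulty checks, whose exact defect the advisory does not show. It assumes Twig 3.x's Twig\Sandbox\SecurityPolicyInterface and its SecurityNotAllowed* error classes, and the allow-lists at the bottom are constructed placeholders.

```php
<?php
// Added example: a deny-by-default Twig sandbox policy (not Pimcore's code).
// Assumes Twig 3.x: Twig\Sandbox\SecurityPolicyInterface and its error classes.

declare(strict_types=1);

use Twig\Sandbox\SecurityNotAllowedFilterError;
use Twig\Sandbox\SecurityNotAllowedFunctionError;
use Twig\Sandbox\SecurityNotAllowedMethodError;
use Twig\Sandbox\SecurityNotAllowedPropertyError;
use Twig\Sandbox\SecurityNotAllowedTagError;
use Twig\Sandbox\SecurityPolicyInterface;

/**
 * Every tag, filter, function, method and property must be listed explicitly.
 * No prefix wildcards (such as "pimcore_*") are supported, so a function added
 * to the application later is not reachable from sandboxed templates until it
 * is consciously added to this list.
 */
final class ExactMatchSecurityPolicy implements SecurityPolicyInterface
{
    /** @var array<string, string[]> FQCN => lower-cased method names */
    private array $allowedMethods = [];
    /** @var array<string, string[]> FQCN => property names */
    private array $allowedProperties = [];

    public function __construct(
        private array $allowedTags,
        private array $allowedFilters,
        private array $allowedFunctions,   // exact function names only
        array $allowedMethods,             // FQCN => method names
        array $allowedProperties,          // FQCN => property names
    ) {
        foreach ($allowedMethods as $class => $methods) {
            // Twig resolves method names case-insensitively, so normalise here.
            $this->allowedMethods[$class] = array_map('strtolower', $methods);
        }
        $this->allowedProperties = $allowedProperties;
    }

    public function checkSecurity($tags, $filters, $functions): void
    {
        foreach ($tags as $tag) {
            if (!\in_array($tag, $this->allowedTags, true)) {
                throw new SecurityNotAllowedTagError(sprintf('Tag "%s" is not allowed.', $tag), $tag);
            }
        }
        foreach ($filters as $filter) {
            if (!\in_array($filter, $this->allowedFilters, true)) {
                throw new SecurityNotAllowedFilterError(sprintf('Filter "%s" is not allowed.', $filter), $filter);
            }
        }
        foreach ($functions as $function) {
            // Exact comparison only: a wildcard rule would silently grant every
            // present and future function sharing the prefix.
            if (!\in_array($function, $this->allowedFunctions, true)) {
                throw new SecurityNotAllowedFunctionError(sprintf('Function "%s" is not allowed.', $function), $function);
            }
        }
    }

    public function checkMethodAllowed($obj, $method): void
    {
        // Match on the object's exact class rather than instanceof, so an
        // unexpected subclass cannot inherit a permission granted to its parent.
        $class = \get_class($obj);
        if (!\in_array(strtolower($method), $this->allowedMethods[$class] ?? [], true)) {
            throw new SecurityNotAllowedMethodError(
                sprintf('Calling "%s" method on a "%s" object is not allowed.', $method, $class),
                $class,
                $method
            );
        }
    }

    public function checkPropertyAllowed($obj, $property): void
    {
        $class = \get_class($obj);
        if (!\in_array($property, $this->allowedProperties[$class] ?? [], true)) {
            throw new SecurityNotAllowedPropertyError(
                sprintf('Calling "%s" property on a "%s" object is not allowed.', $property, $class),
                $class,
                $property
            );
        }
    }
}

// Wiring (constructed placeholders, not Pimcore's configuration). The second
// SandboxExtension argument enables the sandbox for every rendered template.
$policy = new ExactMatchSecurityPolicy(
    ['if', 'for', 'set'],
    ['escape', 'upper', 'date'],
    ['range'],                                  // listed one by one, no wildcard
    [\DateTimeImmutable::class => ['format']],  // hypothetical method allow-list
    [],
);
$twig = new \Twig\Environment(new \Twig\Loader\ArrayLoader([]));
$twig->addExtension(new \Twig\Extension\SandboxExtension($policy, true));
```

The design choice worth noting is that the policy never falls through to "allowed": an unlisted class, method or property raises the corresponding SecurityNotAllowed* error, and function names are compared with strict equality so that no prefix-based rule can widen the exposed surface.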

Affected Version(s)

Pimcore CMS/DXP, all versions <= 12.3.8

Pimcore CMS/DXP fffa7f6396329e88610db70a8652529bbc734892

CVSS v4

Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published: 17 June 2026

  • Vulnerability reserved

Credit

Saidakbarxon Maxsudxonov