Object Injection Vulnerability in Pimcore Open Source Management Platform
CVE-2026-45162

8HIGH

Key Information:

Vendor

Pimcore

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-45162?

Pimcore, an open-source data and experience management platform, has a vulnerability where multiple components incorrectly use PHP's unserialize() function on untrusted data sources. This oversight allows for potential object injection and remote code execution if an attacker can manipulate the serialized data. The vulnerable code is located in various files, including Authentication, CustomLayout, and Dashboard helpers. To address this issue, it is important for users to upgrade to the fixed versions (11.5.17 LTS and 12.3.7) to safeguard against these exploitation risks.

Affected Version(s)

pimcore < 11.5.17 < 11.5.17

pimcore >= 12.0.0, < 12.3.7 < 12.0.0, 12.3.7

References

CVSS V3.1

Score:
8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.