Stored Cross-Site Scripting Vulnerability in Pimcore by Pimcore
CVE-2026-5362

4.8MEDIUM

Key Information:

Vendor: Pimcore
Status: Pimcore
Vendor: CVE Published:; 27 April 2026

What is CVE-2026-5362?

An authenticated user with edit permissions can exploit a flaw in Pimcore, allowing the injection of malicious HTML or JavaScript into document content. When the affected document is published and rendered, this can lead to the execution of arbitrary scripts in the context of legitimate users, making it a potential vector for further attacks or data compromise.

Affected Version(s)

pimcore Windows v12.3.3

References

https://fluidattacks.com/es/advisories/mago

third-party-advisory

https://github.com/pimcore/pimcore/

product

CVSS V4

Score:

4.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 27, 2026
Vulnerability Reserved
Apr 1, 2026

Credit

Oscar Naveda

Fluid Attacks' AI SAST Scanner

CVE-2026-5362 Data

JSON