What is CVE-2026-11407?

CVE-2026-11407 is a high-severity vulnerability in Pimcore Gmbh Cms/dxp, classified under Improper Neutralization of Special Elements Used in a Template Engine. CVSS score: 7.2/10. Published 2026-06-17.

How severe is CVE-2026-11407?

High severity. CVSS v3 base score is 7.2 out of 10.

Vulnerability in Pimcore Gmbh Cms/dxp

CVE-2026-11407

Pimcore CMS/DXP version 12.3.8 contains a sandbox bypass vulnerability that allows authenticated administrative attackers to execute arbitrary methods on PHP objects by exploiting empty checkMethodAllowed() and checkPropertyAllowed() imple…

CVSS v3 metric

CVSS v3 base score 7.2 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.

Affected products

Pimcore Gmbh Cms/dxp — versions 0, fffa7f6396329e88610db70a8652529bbc734892

Weakness classification (CWE)

CWE-1336 — Improper Neutralization of Special Elements Used in a Template Engine

References

disclosure@vulncheck.com (patch)
disclosure@vulncheck.com (issue-tracking)
disclosure@vulncheck.com (third-party-advisory)

Frequently asked questions

What is CVE-2026-11407?: CVE-2026-11407 is a high-severity vulnerability in Pimcore Gmbh Cms/dxp, classified under Improper Neutralization of Special Elements Used in a Template Engine. CVSS score: 7.2/10. Published 2026-06-17.
How severe is CVE-2026-11407?: High severity. CVSS v3 base score is 7.2 out of 10.