SQL Injection in Pimcore

CVE-2026-5394

An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend. This issue affects pimcore: 12.3.3.

Vulnerability class: SQL Injection

EPSS: 0.000 (1.4th percentile) — read the EPSS interpretation.

Affected products

Pimcore — versions 12.3.3

Weakness classification (CWE)

CWE-89 — SQL Injection

References

help@fluidattacks.com (third-party-advisory)
help@fluidattacks.com (product)
help@fluidattacks.com (patch)