PatchSiren cyber security CVE debrief
CVE-2026-11407 Pimcore GmbH CVE debrief
CVE-2026-11407 is a high-severity vulnerability in Pimcore CMS/DXP version 12.3.8. It allows an authenticated administrative attacker to call arbitrary methods and read arbitrary properties on any PHP object reachable from a Twig template, because the checkMethodAllowed() and checkPropertyAllowed() implementations in Pimcore's custom Twig SecurityPolicy are empty and never reject anything. An attacker supplies a malicious Twig template through the DataObject ClassDefinition Layout/Text component to read arbitrary files, execute arbitrary database queries and, via PHP object gadget chains, potentially achieve remote code execution. A pimcore_* function wildcard in the same policy broadens the bypass to every Pimcore Twig function. This vulnerability has a CVSS score of 8.6 and is rated HIGH severity.
- Vendor: Pimcore GmbH
- Product: Pimcore CMS/DXP
- CVSS: HIGH 8.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-17
- Original CVE updated: 2026-06-23
- Advisory published: 2026-06-17
- Advisory updated: 2026-06-23
Who should care
Administrators and security teams running Pimcore CMS/DXP version 12.3.8 should treat this as an immediate patching priority. Exploitation requires an authenticated account with administrative rights (enough to edit DataObject class definitions), so the realistic threat is a compromised or malicious admin account; from there the attacker can call arbitrary methods on PHP objects, which can escalate to remote code execution.
Technical summary
The vulnerability exists in the custom Twig SecurityPolicy of Pimcore CMS/DXP version 12.3.8. Twig's sandbox does not decide on its own which method calls and property reads a template may perform; it delegates every such access to the configured SecurityPolicyInterface implementation, which is expected to throw a SecurityError for anything not on its allow-list. Pimcore's checkMethodAllowed() and checkPropertyAllowed() have empty bodies, so they return without throwing for every object and every method or property name, and the sandbox effectively enforces nothing at the object level. An attacker with rights to edit a DataObject ClassDefinition can place a malicious Twig template in a Layout/Text component and, when it is rendered, call methods on whatever objects the template context exposes. The advisory describes the resulting impact as arbitrary file reads, arbitrary database queries and, through PHP object gadget chains, potential remote code execution. The policy's pimcore_* wildcard for functions compounds the problem by allowing every Pimcore Twig function by prefix instead of by explicit name.
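To make the failure mode concrete, here is an added illustration written for this debrief; it is not Pimcore's code and does not reproduce the vulnerable file. It defines two Twig SecurityPolicyInterface implementations: one with the empty-hook pattern plus a prefix wildcard for functions, and one that only accepts explicit allow-lists and throws for everything else. The Record class, the readFile() method, the template and the allow-lists are constructed for the demo; the Twig classes and constructor signatures are real (twig/twig 3.x), and the script assumes a Composer autoloader at vendor/autoload.php.

```php
<?php
// Added example: contrasting an empty-hook Twig SecurityPolicy with a strict one.
// Not Pimcore's code. Record, readFile() and the template are constructed for the demo.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumption: twig/twig ^3 installed via Composer

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityNotAllowedFilterError;
use Twig\Sandbox\SecurityNotAllowedFunctionError;
use Twig\Sandbox\SecurityNotAllowedMethodError;
use Twig\Sandbox\SecurityNotAllowedPropertyError;
use Twig\Sandbox\SecurityNotAllowedTagError;
use Twig\Sandbox\SecurityPolicyInterface;

/** Vulnerable pattern: hooks exist but never throw, so the sandbox blocks nothing at object level. */
final class PermissiveSecurityPolicy implements SecurityPolicyInterface
{
    public function checkSecurity($tags, $filters, $functions): void
    {
        foreach ($functions as $function) {
            // Prefix wildcard: every function named pimcore_* is allowed, whatever it does.
            if (!str_starts_with($function, 'pimcore_')) {
                throw new SecurityNotAllowedFunctionError(sprintf('Function "%s" is not allowed.', $function), $function);
            }
        }
    }
    public function checkMethodAllowed($obj, $method): void {}     // empty: any method on any object
    public function checkPropertyAllowed($obj, $property): void {} // empty: any property on any object
}

/** Hardened pattern: explicit allow-lists; anything not listed throws a SecurityError. */
final class StrictSecurityPolicy implements SecurityPolicyInterface
{
    /**
     * @param string[]                $allowedFunctions  exact function names, no prefixes
     * @param array<string, string[]> $allowedMethods    class => lowercase method names
     * @param array<string, string[]> $allowedProperties class => property names
     */
    public function __construct(
        private array $allowedFunctions,
        private array $allowedMethods,
        private array $allowedProperties,
        private array $allowedTags = [],
        private array $allowedFilters = [],
    ) {}

    public function checkSecurity($tags, $filters, $functions): void
    {
        foreach ($tags as $tag) {
            if (!in_array($tag, $this->allowedTags, true)) {
                throw new SecurityNotAllowedTagError(sprintf('Tag "%s" is not allowed.', $tag), $tag);
            }
        }
        foreach ($filters as $filter) {
            if (!in_array($filter, $this->allowedFilters, true)) {
                throw new SecurityNotAllowedFilterError(sprintf('Filter "%s" is not allowed.', $filter), $filter);
            }
        }
        foreach ($functions as $function) {
            if (!in_array($function, $this->allowedFunctions, true)) { // exact match only
                throw new SecurityNotAllowedFunctionError(sprintf('Function "%s" is not allowed.', $function), $function);
            }
        }
    }

    public function checkMethodAllowed($obj, $method): void
    {
        $method = strtolower($method); // Twig resolves e.g. record.title to getTitle(); compare case-insensitively
        foreach ($this->allowedMethods as $class => $methods) {
            if ($obj instanceof $class && in_array($method, $methods, true)) {
                return;
            }
        }
        throw new SecurityNotAllowedMethodError(
            sprintf('Calling "%s" on a "%s" object is not allowed.', $method, get_class($obj)), get_class($obj), $method);
    }

    public function checkPropertyAllowed($obj, $property): void
    {
        foreach ($this->allowedProperties as $class => $properties) {
            if ($obj instanceof $class && in_array($property, $properties, true)) {
                return;
            }
        }
        throw new SecurityNotAllowedPropertyError(
            sprintf('Reading "%s" on a "%s" object is not allowed.', $property, get_class($obj)), get_class($obj), $property);
    }
}

/** Constructed context object: one harmless getter and one method that must never be template-callable. */
final class Record
{
    public function getTitle(): string { return 'Example record'; }
    public function readFile(string $path): string { return "<contents of $path>"; } // stand-in for a dangerous method
}

function renderSandboxed(SecurityPolicyInterface $policy, string $template, array $context): string
{
    $twig = new Environment(new ArrayLoader(['t' => $template]));
    $twig->addExtension(new SandboxExtension($policy, true)); // sandbox every template, as Pimcore does for user-supplied Twig
    return $twig->render('t', $context);
}

$template = "{{ record.title }} / {{ record.readFile('/etc/passwd') }}"; // constructed attacker-style template
$context  = ['record' => new Record()];

echo renderSandboxed(new PermissiveSecurityPolicy(), $template, $context), "\n"; // both calls succeed

$strict = new StrictSecurityPolicy([], [Record::class => ['gettitle']], []);
try {
    echo renderSandboxed($strict, $template, $context), "\n";
} catch (SecurityNotAllowedMethodError $e) {
    echo 'blocked: ', $e->getMessage(), "\n"; // readFile is not on the allow-list
}
```

The point of the comparison is that a SecurityPolicy is deny-by-default only if its hooks throw; a hook that returns silently is equivalent to no sandbox. When auditing a custom policy, check that every one of the three methods either matches an explicit entry or throws, and that function checks compare whole names rather than prefixes.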
Defensive priority
high
Recommended defensive actions
- Update Pimcore CMS/DXP to a release that fixes CVE-2026-11407; consult the vendor advisory for the fixed version
- Until patched, restrict who can edit DataObject ClassDefinitions, since the Layout/Text component is the injection point and requires administrative rights
- Audit existing class definitions for Layout/Text components whose Twig calls object methods or pimcore_* functions, and monitor for new or changed definitions as a detection signal
- Review the custom Twig SecurityPolicy: checkMethodAllowed() and checkPropertyAllowed() must reject anything not on an explicit allow-list, and functions should be allowed by exact name rather than by the pimcore_* prefix
- Minimise the use of pimcore_* functions and object method calls in user-editable Twig templates
- Keep dependencies under regular review so that security patches are applied promptly
Evidence notes
The information provided is based on the CVE record and NVD details. The CVE record was published on June 17, 2026, and subsequently modified; the update dates held in stored evidence are listed at the top of this debrief. The CVSS score is 8.6, indicating a HIGH severity vulnerability.
Official resources