PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45162 pimcore CVE debrief

CVE-2026-45162 is a remote code execution vulnerability in Pimcore, an Open Source Data & Experience Management Platform. The vulnerability exists due to multiple locations in Pimcore calling PHP's unserialize() on data from database columns and filesystem files without the allowed_classes restriction. This allows an attacker to inject malicious objects and execute remote code if they can control the serialized data source. The affected locations include lib/Tool/Authentication.php, models/Site/Dao.php, models/DataObject/ClassDefinition/CustomLayout/Dao.php, models/Tool/TmpStore/Dao.php, models/Asset/WebDAV/Service.php, and admin-ui-classic-bundle/src/Helper/Dashboard.php. The vulnerability is fixed in Pimcore versions 11.5.17 (LTS) and 12.3.7.

Vendor
pimcore
Product
Unknown
CVSS
HIGH 8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-18
Advisory published
2026-07-17
Advisory updated
2026-07-18

Who should care

Organizations using Pimcore versions prior to 11.5.17 (LTS) or 12.3.7 should apply the patches immediately to prevent potential remote code execution attacks. Developers and administrators responsible for maintaining Pimcore installations are particularly concerned.

Technical summary

The vulnerability arises from insecure use of PHP's unserialize() function in multiple Pimcore components. Specifically, the following locations are affected: lib/Tool/Authentication.php, models/Site/Dao.php, models/DataObject/ClassDefinition/CustomLayout/Dao.php, models/Tool/TmpStore/Dao.php, models/Asset/WebDAV/Service.php, and admin-ui-classic-bundle/src/Helper/Dashboard.php. These locations unserialize data from database columns and filesystem files without properly restricting the classes that can be unserialized, allowing for object injection and remote code execution.

Defensive priority

High

Recommended defensive actions

  • Apply patches: Upgrade to Pimcore version 11.5.17 (LTS) or 12.3.7.
  • Inventory and monitoring: Check for and monitor usage of affected Pimcore components.
  • Compensating controls: Implement additional security measures such as web application firewalls (WAFs) to detect and prevent exploitation attempts.
  • Exception tracking: Monitor for unusual activity that may indicate attempted exploitation.
  • Retest: Verify vulnerability remediation and test for potential bypasses.

Evidence notes

The CVE record was published on 2026-07-17T19:17:14.167Z and has not been modified since then. The NVD entry is currently 8.0 HIGH. Multiple source references are provided, including commits, pull requests, and security advisories related to the Pimcore patches.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T19:17:14.167Z and has not been modified since then. The NVD entry is currently 8.0 HIGH.