The Pimcore Studio API class definition creation endpoint has a permission issue. Prior to versions 2025.4.6 and 2026.1.6, the endpoint is guarded by object permission instead of class permission. This allows a standard editor-level user to create class definitions without admin privileges, potentially leading to unauthorized database table and PHP class file creation. The vulnerability exists due to inco [truncated]
CVE-2026-55207 is a high-severity vulnerability in Pimcore, an Open Source Data & Experience Management Platform. An unauthenticated attacker who knows a valid admin username can take over any Pimcore admin account by sending a password reset request with an attacker-controlled resetPasswordUrl. The server generates a real cryptographic recovery token, appends it to the supplied URL, and emails the link t [truncated]
A stored cross-site scripting (XSS) vulnerability in Pimcore v12.3.3 allows authenticated attackers with document editing permissions to inject malicious HTML/JavaScript through the Document embed editable feature. The payload executes when published pages are rendered, potentially compromising session tokens or performing actions on behalf of victims. The CVSS 4.0 score of 4.8 (Medium) reflects network a [truncated]