PatchSiren

Pimcore GmbH CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH | Pimcore GmbH | CVE published 2026-06-17

CVE-2026-11407

CVE-2026-11407 is a high-severity vulnerability in Pimcore CMS/DXP version 12.3.8. It allows authenticated administrative attackers to execute arbitrary methods on PHP objects by exploiting empty checkMethodAllowed() and checkPropertyAllowed() implementations in the custom Twig SecurityPolicy. Attackers can supply malicious Twig templates through the DataObject ClassDefinition Layout/Text component to per [truncated]