Description

An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend. This issue affects pimcore 12.3.3.

State: PUBLISHED | Reserved 2026-04-01 | Published 2026-04-27 | Updated 2026-04-28 | Assigner: Fluid Attacks

Severity: HIGH 7.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N)

Problem types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status: unaffected

Version 12.3.3: affected

Credits

Oscar Naveda (finder)

Fluid Attacks' AI SAST Scanner (finder)

References

fluidattacks.com/es/advisories/dragons (third-party advisory)

github.com/pimcore/pimcore (product)

cve.org (CVE-2026-5394)

nvd.nist.gov (CVE-2026-5394)