Pimcore CMS/DXP CVE-2026-11407
Severity (by source): HIGH
CVSS vector (vendor: VulnCheck): CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Rationale: Admin-only Twig injection over the network with no user interaction; full read/write/RCE potential on the same Pimcore instance justifies PR:H, AC:L, and C/I/A:H with scope unchanged.
Primary rating from vendor (VulnCheck).
Description (CVE.org)
Pimcore CMS/DXP version 12.3.8 contains a sandbox bypass vulnerability that allows authenticated administrative attackers to execute arbitrary methods on PHP objects by exploiting empty checkMethodAllowed() and checkPropertyAllowed() implementations in the custom Twig SecurityPolicy. Attackers can supply malicious Twig templates through the DataObject ClassDefinition Layout\Text component to perform arbitrary file reads, execute arbitrary database queries, and potentially achieve remote code execution via PHP object gadget chains, with the pimcore_* function wildcard further broadening the bypass to all Pimcore Twig functions.
Analysis (AI-generated)
Twig sandbox bypass in Pimcore CMS/DXP 12.3.8 lets authenticated administrators escape the template sandbox by abusing empty checkMethodAllowed() and checkPropertyAllowed() implementations, enabling arbitrary method calls on internal PHP objects such as the DAO layer, Doctrine DBAL Connection, and PDO. Exploitation goes through a malicious Twig template injected via the DataObject ClassDefinition Layout\Text component and can lead to arbitrary file reads, arbitrary SQL execution, and potential remote code execution via PHP object gadget chains; the pimcore_* function wildcard broadens the bypass to every Pimcore Twig function. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata (visualization not reproduced here).
Vulnerability Assessment (AI-generated)

| Aspect | Assessment |
|---|---|
| Exploitation | The attacker must hold an authenticated administrative Pimcore account with permission to create or modify a DataObject ClassDefinition and inject Twig markup into a Layout\Text component; the target instance must be running a vulnerable Pimcore CMS/DXP build (12.3.8 confirmed) whose custom Twig SecurityPolicy still has empty checkMethodAllowed() and checkPropertyAllowed() implementations. … |
| Risk Assessment | The vendor CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H), scored 8.6, reflects that exploitation is network-reachable and low-complexity but requires high privileges, specifically an authenticated administrative user able to edit DataObject ClassDefinitions, which is consistent with the description. … |
| Exploit Scenario | An authenticated Pimcore administrator (or an attacker who has hijacked an admin session) edits a DataObject ClassDefinition and injects a malicious Twig snippet into a Layout\Text component that traverses an object graph into \Pimcore\Model\Dao\AbstractDao or Doctrine\DBAL\Connection to run arbitrary SQL, read arbitrary files, or pivot through Symfony\Component\Process\Process or a PHP object gadget chain to achieve RCE on the web server. No public exploit was identified at the time of analysis, but the VulnCheck advisory describes the bypass primitive in enough detail that PoC development by a competent attacker is straightforward. |
| Remediation | A patch is available per the vendor advisory: upgrade Pimcore CMS/DXP to the release containing pimcore/pimcore PR #19193 / commit fffa7f6396329e88610db70a8652529bbc734892, which implements a BLOCKED_CLASSES deny-list (Pimcore AbstractDao, Doctrine DBAL Connection, PDO, PDOStatement, Symfony ContainerInterface, Symfony Process) inside checkMethodAllowed() and checkPropertyAllowed(). A released patched version number is not stated here, so confirm the exact tagged release via the VulnCheck advisory (https://www.vulncheck.com/advisories/pimcore-cms-twig-sandbox-bypass-via-securitypolicy-checkmethodallowed) and the GitHub PR. … |
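The Remediation row describes the shape of the fix: the two sandbox hooks stop being empty and instead refuse any object on a BLOCKED_CLASSES deny-list. The following PHP is an added illustration written for this page, not Pimcore's own code or the code in PR #19193. It places the weak policy (empty hooks, as the advisory describes) beside a hardened one. The deny-list uses the six classes named in the Remediation row; the class name `HardenedSecurityPolicy`, the `probe()` helper, the allow-listed tags, filters, functions and the getter allow-list keyed on `Pimcore\Model\DataObject\Concrete` are my own assumptions, and the explicit function names in place of a `pimcore_*` wildcard are a hardening choice that goes beyond the deny-list the page describes. It assumes Twig 3 installed via Composer and PHP 8 with pdo_sqlite for the probe at the end.

```php
<?php
declare(strict_types=1);
// Added example (not Pimcore's code). Assumes Twig 3 via Composer and PHP 8 with pdo_sqlite.
require __DIR__ . '/vendor/autoload.php';

use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityNotAllowedFilterError;
use Twig\Sandbox\SecurityNotAllowedFunctionError;
use Twig\Sandbox\SecurityNotAllowedMethodError;
use Twig\Sandbox\SecurityNotAllowedPropertyError;
use Twig\Sandbox\SecurityNotAllowedTagError;
use Twig\Sandbox\SecurityPolicyInterface;

// The weak shape the advisory describes: the hooks that decide whether a template may
// call a method or read a property are empty, so they never throw and every object
// reachable from the template context is fully usable.
final class PermissiveSecurityPolicy implements SecurityPolicyInterface
{
    public function checkSecurity($tags, $filters, $functions): void {}
    public function checkMethodAllowed($obj, $method): void {}     // empty: nothing is refused
    public function checkPropertyAllowed($obj, $property): void {} // empty: nothing is refused
}

// Hardened policy (hypothetical name). Default is deny: a method call passes only if the
// object is not on the deny-list AND the call is on an explicit allow-list.
final class HardenedSecurityPolicy implements SecurityPolicyInterface
{
    // Deny-list matching the classes named in the remediation text. instanceof also
    // matches subclasses, so every concrete DAO is covered through AbstractDao.
    private const BLOCKED_CLASSES = [
        \Pimcore\Model\Dao\AbstractDao::class,
        \Doctrine\DBAL\Connection::class,
        \PDO::class,
        \PDOStatement::class,
        \Symfony\Component\DependencyInjection\ContainerInterface::class,
        \Symfony\Component\Process\Process::class,
    ];
    // Explicit names only; no "pimcore_*" style wildcard (my choice, beyond the described fix).
    private const ALLOWED_TAGS = ['if', 'for', 'set'];
    private const ALLOWED_FILTERS = ['escape', 'upper', 'lower', 'join', 'date'];
    private const ALLOWED_FUNCTIONS = ['range'];
    // Lower-cased getter allow-list per class (assumed Pimcore class name); read-only getters only.
    private const ALLOWED_METHODS = [
        \Pimcore\Model\DataObject\Concrete::class => ['getid', 'getkey', 'getpath', 'getpublished'],
    ];

    public function checkSecurity($tags, $filters, $functions): void
    {
        foreach ($tags as $tag) {
            if (!in_array($tag, self::ALLOWED_TAGS, true)) {
                throw new SecurityNotAllowedTagError(sprintf('Tag "%s" is not allowed.', $tag), $tag);
            }
        }
        foreach ($filters as $filter) {
            if (!in_array($filter, self::ALLOWED_FILTERS, true)) {
                throw new SecurityNotAllowedFilterError(sprintf('Filter "%s" is not allowed.', $filter), $filter);
            }
        }
        foreach ($functions as $function) {
            if (!in_array($function, self::ALLOWED_FUNCTIONS, true)) {
                throw new SecurityNotAllowedFunctionError(sprintf('Function "%s" is not allowed.', $function), $function);
            }
        }
    }

    public function checkMethodAllowed($obj, $method): void
    {
        $class = get_class($obj);
        if ($this->isBlocked($obj)) {
            throw new SecurityNotAllowedMethodError(sprintf('Access to "%s" is blocked.', $class), $class, $method);
        }
        $wanted = strtolower($method);
        foreach (self::ALLOWED_METHODS as $allowedClass => $methods) {
            if ($obj instanceof $allowedClass && in_array($wanted, $methods, true)) {
                return;
            }
        }
        throw new SecurityNotAllowedMethodError(sprintf('Calling "%s" on "%s" is not allowed.', $method, $class), $class, $method);
    }

    public function checkPropertyAllowed($obj, $property): void
    {
        // Layout text never needs raw property access; data flows through allow-listed getters.
        $class = get_class($obj);
        throw new SecurityNotAllowedPropertyError(sprintf('Reading "%s" on "%s" is not allowed.', $property, $class), $class, $property);
    }

    private function isBlocked(object $obj): bool
    {
        foreach (self::BLOCKED_CLASSES as $blocked) {
            if ($obj instanceof $blocked) {
                return true;
            }
        }
        return false;
    }
}

// Probe: ask each policy whether a template could call PDO::query(). The PDO instance is
// constructed here only as a stand-in for the object a template would reach by walking
// the DAO -> Connection -> PDO graph described in the advisory.
function probe(SecurityPolicyInterface $policy, object $obj, string $method): string
{
    try {
        $policy->checkMethodAllowed($obj, $method);
        return 'allowed';
    } catch (SecurityError $e) {
        return 'denied: ' . $e->getMessage();
    }
}

$pdo = new \PDO('sqlite::memory:');
echo 'permissive: ', probe(new PermissiveSecurityPolicy(), $pdo, 'query'), PHP_EOL; // empty hook never throws
echo 'hardened:   ', probe(new HardenedSecurityPolicy(), $pdo, 'query'), PHP_EOL;   // stopped by the deny-list
```

Register the policy with `new \Twig\Extension\SandboxExtension(new HardenedSecurityPolicy(), true)` so the sandbox is on for every template rather than only inside `{% sandbox %}` blocks. The deny-list alone still lets any class not on it through, which is why the hardened version also requires a positive match on the getter allow-list; it is the combination that turns the default from "allow" into "deny".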
Recommended Action (AI-generated)
Within 24 hours: Audit all Pimcore DataObject ClassDefinition Layout\Text components for suspicious or unauthorized Twig templates, particularly those using the pimcore_* function wildcard. …
External PoC / exploit code reference: GHSA-7p36-fq2r-4h7r