Skip to main content

Pimcore CVE-2026-45162

HIGH
Deserialization of Untrusted Data (CWE-502)
2026-05-27 https://github.com/pimcore/pimcore GHSA-36fc-7wjg-mfvj
8.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.0 HIGH
AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 27, 2026 - 20:31 vuln.today
Analysis Generated
May 27, 2026 - 20:31 vuln.today

DescriptionGitHub Advisory

GM-374

Summary

Multiple locations in Pimcore v11 call PHP's unserialize() on data from database columns and filesystem files without the allowed_classes restriction, enabling object injection if an attacker can control the serialized data source.

Affected Component

  • Package: pimcore/pimcore and pimcore/admin-ui-classic-bundle
  • Files:
  • lib/Tool/Authentication.php (line 82) - session token deserialization
  • models/Site/Dao.php (line 68) - site domains from database
  • models/DataObject/ClassDefinition/CustomLayout/Dao.php (line 69) - layout definitions from database
  • models/Tool/TmpStore/Dao.php (line 64) - temporary store data from database
  • models/Asset/WebDAV/Service.php (line 36) - delete log from filesystem
  • admin-ui-classic-bundle/src/Helper/Dashboard.php (line 64) - dashboard config from filesystem

Description

Six locations in Pimcore core call unserialize() directly (bypassing Tool\Serialize) on data sourced from database columns or filesystem files without passing the allowed_classes parameter. This means any class available in the autoloader will be instantiated during deserialization.

If an attacker can write to the data source (e.g., via SQL injection targeting the tmp_store, sites, or custom_layouts tables, or via a file write vulnerability targeting the WebDAV delete log), they can inject serialized PHP gadget chains that execute arbitrary code when the data is deserialized.

This is related to but distinct from the Tool\Serialize::unserialize() issue - these calls bypass the wrapper entirely.

Impact

PHP object injection leading to Remote Code Execution when chained with a data source write vulnerability. Pimcore's dependency tree (Guzzle, Symfony, Monolog, Doctrine) provides numerous known gadget chains.

Proof of Concept

  1. Identify a writable data source (e.g., tmp_store table via SQL injection, or webdav-delete.dat via file write)
  2. Write a serialized PHP gadget chain (e.g., Monolog BufferHandler chain from phpggc)
  3. Trigger the deserialization (e.g., access a page that reads TmpStore, or trigger a WebDAV operation)
  4. The gadget chain executes with web server privileges

Suggested Fix

Add allowed_classes parameter to all unserialize() calls. Where no objects are needed, use ['allowed_classes' => false]. Consider migrating to JSON serialization for data that doesn't require object preservation.

php
// Example fix for Site/Dao.php:
$siteDomains = unserialize($site['domains'], ['allowed_classes' => false]);

// Example fix for TmpStore/Dao.php:
$item['data'] = unserialize($item['data'], ['allowed_classes' => false]);

Resources

  • CWE-502: Deserialization of Untrusted Data
  • OWASP Deserialization Cheat Sheet
  • phpggc: PHP Generic Gadget Chains

AnalysisAI

PHP object injection in Pimcore (packages pimcore/pimcore and admin-ui-classic-bundle) up to and including version 12.3.6 arises from six code paths calling unserialize() without the allowed_classes restriction on values read from database columns and filesystem files. An attacker who can already write to one of those sources - for example through SQL injection into the tmp_store, sites, or custom_layouts tables, or a file write to the WebDAV delete log - can plant a serialized PHP gadget chain that executes arbitrary code with web-server privileges once the data is deserialized. No public exploit identified at time of analysis (the vendor advisory documents only a conceptual PoC procedure), the CVE is not in CISA KEV, and EPSS is not provided; the issue is fixed in 12.3.7 and rated CVSS 8.0, with the High attack-complexity reflecting its dependence on a separate write primitive and a working gadget chain.

Technical ContextAI

The root cause is CWE-502 (Deserialization of Untrusted Data). PHP's unserialize() reconstructs arbitrary objects from a serialized string, and when called without the allowed_classes option it will instantiate any class reachable through the autoloader, invoking magic methods (__wakeup, __destruct, __toString) during reconstruction. Chained together, these calls form 'gadget chains' that can reach dangerous sinks. The affected product is the Composer package pkg:composer/pimcore_pimcore (and the admin-ui-classic-bundle), a PHP/Symfony-based content and data management platform. Six call sites bypass Pimcore's own Tool\Serialize wrapper and call raw unserialize() directly: lib/Tool/Authentication.php (session token), models/Site/Dao.php (site domains from DB), models/DataObject/ClassDefinition/CustomLayout/Dao.php (layout definitions from DB), models/Tool/TmpStore/Dao.php (temp store from DB), models/Asset/WebDAV/Service.php (delete log from disk), and admin-ui-classic-bundle/src/Helper/Dashboard.php (dashboard config from disk). Because Pimcore ships Guzzle, Symfony, Monolog, and Doctrine, multiple publicly documented gadget chains (e.g., the Monolog BufferHandler chain available in phpggc) are present in the dependency tree, turning object injection into remote code execution. The vendor fix adds an allowed_classes parameter to Tool\Serialize::unserialize() and passes false (or a narrow allowlist such as [Asset::class] for the WebDAV log) at each site.

RemediationAI

Upgrade to Pimcore 12.3.7, which is the vendor-released patched version per the package data and release tag (https://github.com/pimcore/pimcore/releases/tag/v12.3.7); the underlying fix adds the allowed_classes parameter to every affected unserialize() call (allowed_classes => false where no objects are needed, or a narrow allowlist such as [Asset::class] for the WebDAV delete log) and is implemented in PR https://github.com/pimcore/pimcore/pull/19119 and commit https://github.com/pimcore/pimcore/commit/4788bf3a3a7f2f760a8fe61e522565941e154e1e. If you run 11.x and cannot immediately move to 12.3.7, confirm an equivalent backport with the vendor before relying on an in-place patch. Because exploitation requires the attacker to first control the serialized data source, the most effective compensating controls target that prerequisite: eliminate SQL injection paths into the sites, custom_layouts, and tmp_store tables (parameterized queries, least-privilege database accounts so the web user cannot arbitrarily UPDATE these tables) and protect the WebDAV delete log file and dashboard config from untrusted writes by tightening filesystem permissions and restricting WebDAV access to authenticated, trusted users - accepting that locking down WebDAV may disrupt asset-management workflows that depend on it. As a defense for the affected sink itself, you can manually apply the allowed_classes => false change at the six call sites listed in the advisory; the trade-off is that any legitimate object-typed data in those columns (notably the custom layout definitions, which the official fix rebuilds from an array rather than blanket-blocking) may fail to load, so prefer the official patch over an ad-hoc edit.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-45162 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy