{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5362", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "state": "PUBLISHED", "assignerShortName": "Fluid Attacks", "dateReserved": "2026-04-01T17:29:08.324Z", "datePublished": "2026-04-27T20:16:01.154Z", "dateUpdated": "2026-04-28T14:36:06.112Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows", "MacOS", "Linux"], "product": "pimcore", "vendor": "pimcore", "versions": [{"status": "affected", "version": "v12.3.3"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pimcore:pimcore:v12.3.3:*:windows:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:pimcore:pimcore:v12.3.3:*:macos:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:pimcore:pimcore:v12.3.3:*:linux:*:*:*:*:*", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "credits": [{"lang": "en", "type": "finder", "value": "Oscar Naveda"}, {"lang": "en", "type": "finder", "value": "Fluid Attacks' AI SAST Scanner"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>An authenticated attacker with permission to edit document content can store crafted HTML/JavaScript in a Document <code>embed</code> editable and cause script execution when the published page is rendered.</p><p>This issue affects pimcore: v12.3.3.</p>"}], "value": "An authenticated attacker with permission to edit document content can store crafted HTML/JavaScript in a Document embed editable and cause script execution when the published page is rendered.\n\nThis issue affects pimcore: v12.3.3."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 4.8, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2026-04-27T20:16:01.154Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://fluidattacks.com/es/advisories/mago"}, {"tags": ["product"], "url": "https://github.com/pimcore/pimcore/"}], "source": {"discovery": "UNKNOWN"}, "title": "Pimcore Platform v12.3.3 - Stored XSS in Document Editable Embed rendering", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T13:33:41.603332Z", "id": "CVE-2026-5362", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:36:06.112Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5362", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "state": "PUBLISHED", "assignerShortName": "Fluid Attacks", "dateReserved": "2026-04-01T17:29:08.324Z", "datePublished": "2026-04-27T20:16:01.154Z", "dateUpdated": "2026-04-28T14:36:06.112Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows", "MacOS", "Linux"], "product": "pimcore", "vendor": "pimcore", "versions": [{"status": "affected", "version": "v12.3.3"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pimcore:pimcore:v12.3.3:*:windows:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:pimcore:pimcore:v12.3.3:*:macos:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:pimcore:pimcore:v12.3.3:*:linux:*:*:*:*:*", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "credits": [{"lang": "en", "type": "finder", "value": "Oscar Naveda"}, {"lang": "en", "type": "finder", "value": "Fluid Attacks' AI SAST Scanner"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>An authenticated attacker with permission to edit document content can store crafted HTML/JavaScript in a Document <code>embed</code> editable and cause script execution when the published page is rendered.</p><p>This issue affects pimcore: v12.3.3.</p>"}], "value": "An authenticated attacker with permission to edit document content can store crafted HTML/JavaScript in a Document embed editable and cause script execution when the published page is rendered.\n\nThis issue affects pimcore: v12.3.3."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 4.8, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2026-04-27T20:16:01.154Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://fluidattacks.com/es/advisories/mago"}, {"tags": ["product"], "url": "https://github.com/pimcore/pimcore/"}], "source": {"discovery": "UNKNOWN"}, "title": "Pimcore Platform v12.3.3 - Stored XSS in Document Editable Embed rendering", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5362", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-28T13:33:41.603332Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:33:45.556Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An authenticated attacker with permission to edit document content can store crafted HTML/JavaScript in a Document embed editable and cause script execution when the published page is rendered.\n\nThis issue affects pimcore: v12.3.3."}], "id": "CVE-2026-5362", "lastModified": "2026-04-28T20:11:56.713", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "help@fluidattacks.com", "type": "Secondary"}]}, "published": "2026-04-27T21:16:42.817", "references": [{"source": "help@fluidattacks.com", "url": "https://fluidattacks.com/es/advisories/mago"}, {"source": "help@fluidattacks.com", "url": "https://github.com/pimcore/pimcore/"}], "sourceIdentifier": "help@fluidattacks.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "help@fluidattacks.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": ["windows", "macos", "linux"], "status": "affected", "versions": {"scheme": "generic", "value": "v12.3.3"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "pimcore", "source": "cna", "vendor": "pimcore"}, "product": "pimcore", "vendor": "pimcore"}], "analysis": {"en": {"generated_at": "2026-04-28T12:51:54.946783+00:00", "value": {"mitigation_remediation": ["Upgrade Pimcore to a patched version that removes the stored XSS vulnerability.", "Restrict editing permissions for document content to users with a verified security policy and audit their activity.", "Sanitize or strip JavaScript and other disallowed tags from embed content before rendering as a temporary workaround."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting (stored) leading to script execution"}, "threat_synthesis": {"affected_systems": "Pimcore Platform version 12.3.3 is affected. The vulnerability exists on all operating systems supported by that release \u2013 Linux, macOS, and Windows \u2013 as indicated by the CPE entries for the platform.", "description_and_impact": "An authenticated attacker that can edit document content is able to embed arbitrary HTML or JavaScript into a document\u2019s editable embed section. When a user later views the published page, the injected code runs in the browser and executes with the page\u2019s privileges, potentially enabling data theft, session hijacking or other client\u2011side attacks.", "risk_and_exploitability": "The CVSS score of 4.8 marks the issue as moderate severity; however, because the attack requires authenticated access with editing rights, the likelihood of exploitation depends on insider threat or compromised credentials. The EPSS score is currently unavailable, and the vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known exploits yet. Even so, an internal actor could use the flaw to inject malicious scripts that execute for every visitor of the affected page."}}}}, "created": "2026-04-28T04:15:15.759785+00:00", "updated": "2026-04-28T13:00:15.235394+00:00", "vendors": ["pimcore", "pimcore$PRODUCT$pimcore"]}