{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5394", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "state": "PUBLISHED", "assignerShortName": "Fluid Attacks", "dateReserved": "2026-04-01T23:34:42.722Z", "datePublished": "2026-04-27T19:15:04.496Z", "dateUpdated": "2026-05-05T17:17:45.826Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows", "MacOS", "Linux"], "product": "pimcore", "vendor": "pimcore", "versions": [{"status": "affected", "version": "12.3.3"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pimcore:pimcore:12.3.3:*:windows:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:pimcore:pimcore:12.3.3:*:macos:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:pimcore:pimcore:12.3.3:*:linux:*:*:*:*:*", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "credits": [{"lang": "en", "type": "finder", "value": "Oscar Naveda"}, {"lang": "en", "type": "finder", "value": "Fluid Attacks' AI SAST Scanner"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend.</p><p>This issue affects pimcore: 12.3.3.</p>"}], "value": "An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend.\n\nThis issue affects pimcore: 12.3.3."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "CAPEC-7 Blind SQL Injection"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 7, "baseSeverity": "HIGH", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2026-05-05T17:17:45.826Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://fluidattacks.com/es/advisories/dragons"}, {"tags": ["product"], "url": "https://github.com/pimcore/pimcore"}, {"tags": ["patch"], "url": "https://github.com/pimcore/pimcore/pull/19108"}], "source": {"discovery": "UNKNOWN"}, "title": "Pimcore Platform v12.3.3 - SQL Injection in DataObject composite index handling", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T13:21:06.925647Z", "id": "CVE-2026-5394", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:36:35.902Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5394", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-28T13:21:06.925647Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:21:13.334Z"}}], "cna": {"title": "Pimcore Platform v12.3.3 - SQL Injection in DataObject composite index handling", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Oscar Naveda"}, {"lang": "en", "type": "finder", "value": "Fluid Attacks' AI SAST Scanner"}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "CAPEC-7 Blind SQL Injection"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "pimcore", "product": "pimcore", "versions": [{"status": "affected", "version": "12.3.3"}], "platforms": ["Windows", "MacOS", "Linux"], "defaultStatus": "unaffected"}], "references": [{"url": "https://fluidattacks.com/es/advisories/dragons", "tags": ["third-party-advisory"]}, {"url": "https://github.com/pimcore/pimcore", "tags": ["product"]}, {"url": "https://github.com/pimcore/pimcore/pull/19108", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend.\n\nThis issue affects pimcore: 12.3.3.", "supportingMedia": [{"type": "text/html", "value": "<p>An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend.</p><p>This issue affects pimcore: 12.3.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pimcore:pimcore:12.3.3:*:windows:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:pimcore:pimcore:12.3.3:*:macos:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:pimcore:pimcore:12.3.3:*:linux:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2026-05-05T17:17:45.826Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5394", "state": "PUBLISHED", "dateUpdated": "2026-05-05T17:17:45.826Z", "dateReserved": "2026-04-01T23:34:42.722Z", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "datePublished": "2026-04-27T19:15:04.496Z", "assignerShortName": "Fluid Attacks"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend.\n\nThis issue affects pimcore: 12.3.3."}], "id": "CVE-2026-5394", "lastModified": "2026-05-05T18:16:03.470", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "help@fluidattacks.com", "type": "Secondary"}]}, "published": "2026-04-27T20:16:28.450", "references": [{"source": "help@fluidattacks.com", "url": "https://fluidattacks.com/es/advisories/dragons"}, {"source": "help@fluidattacks.com", "url": "https://github.com/pimcore/pimcore"}, {"source": "help@fluidattacks.com", "url": "https://github.com/pimcore/pimcore/pull/19108"}], "sourceIdentifier": "help@fluidattacks.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "help@fluidattacks.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["windows", "macos", "linux"], "status": "affected", "versions": {"scheme": "semver", "value": "12.3.3"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "pimcore", "source": "cna", "vendor": "pimcore"}, "product": "pimcore", "vendor": "pimcore"}], "analysis": {"en": {"generated_at": "2026-04-28T12:54:41.294173+00:00", "value": {"mitigation_remediation": ["Upgrade Pimcore to a version that includes the fix for the SQL injection in DataObject composite index handling", "Limit the use of administrative credentials and enforce least privilege so that only trusted users can import or modify DataObject class definitions", "Monitor application logs for abnormal DataObject class definition imports or SQL error messages that may indicate injection attempts"], "summary": {"action": "Immediate Patch", "impact": "SQL Injection enabling unauthorized backend SQL execution"}, "threat_synthesis": {"affected_systems": "Pimcore Platform version 12.3.3 is affected. The issue applies across all operating systems supported by this release, including Linux, macOS, and Windows environments that run this version.", "description_and_impact": "An authenticated administrator who can import or save DataObject class definitions may embed malicious composite index metadata, which the Pimcore backend accepts and executes as SQL. This flaw can allow the attacker to manipulate database queries and access, modify, or delete data without proper authorization. The vulnerability is a classic SQL injection, identified as CWE-89, and can potentially compromise data confidentiality and integrity.", "risk_and_exploitability": "The CVSS score of 7.0 indicates a high severity. EPSS data is not available, and the flaw is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited. The attack requires an authenticated administrator with the ability to modify DataObject classes, so the threat vector is internal. Once compromised, the attacker can execute arbitrary SQL statements against the backend database, posing a significant risk to the integrity and confidentiality of the stored data."}}}}, "created": "2026-04-28T00:30:15.266448+00:00", "updated": "2026-04-28T13:00:15.246853+00:00", "vendors": ["pimcore", "pimcore$PRODUCT$pimcore"]}