High severity · NVD Advisory · Published Apr 27, 2026 · Updated May 5, 2026
CVE-2026-5394
Description
An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend.
This issue affects pimcore: 12.3.3.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pimcore/pimcore (Packagist) | < 12.3.7 | 12.3.7 |
References
- github.com/advisories/GHSA-r2f4-ff2p-xc64 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-5394 (ghsa, ADVISORY)
- fluidattacks.com/es/advisories/dragons (nvd, WEB)
- github.com/pimcore/pimcore/commit/6df625ff74015dc11f4bbe76170ce45bbd5dd61d (ghsa, WEB)
- github.com/pimcore/pimcore/pull/19108 (nvd, WEB)
- github.com/pimcore/pimcore/releases/tag/v12.3.7 (ghsa, WEB)
- github.com/pimcore/pimcore/security/advisories/GHSA-r2f4-ff2p-xc64 (ghsa, WEB)