CVE-2026-5394 - Vulnerability Details - OpenCVE

An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend. This issue affects pimcore: 12.3.3.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Pimcore	Pimcore

No data.

No data.

No data.

References

Link	Providers
https://fluidattacks.com/es/advisories/dragons
https://github.com/pimcore/pimcore

History

Mon, 27 Apr 2026 20:00:00 +0000

Type	Values Removed	Values Added
Description		An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend. This issue affects pimcore: 12.3.3.
Title		Pimcore Platform v12.3.3 - SQL Injection in DataObject composite index handling
First Time appeared		Pimcore Pimcore pimcore
Weaknesses		CWE-89
CPEs		cpe:2.3:a:pimcore:pimcore:12.3.3::linux::::: cpe:2.3:a:pimcore:pimcore:12.3.3::macos::::: cpe:2.3:a:pimcore:pimcore:12.3.3::windows:::::
Vendors & Products		Pimcore Pimcore pimcore
References		https://fluidattacks.com/es/advisories/dragons https://github.com/pimcore/pimcore
Metrics		cvssV4_0 `{'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published: 2026-04-27T19:15:04.496Z

Updated: 2026-04-27T19:15:04.496Z

Reserved: 2026-04-01T23:34:42.722Z

Link: CVE-2026-5394

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-04-27T20:16:28.450

Modified: 2026-04-27T20:21:52.070

Link: CVE-2026-5394

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5394", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "state": "PUBLISHED", "assignerShortName": "Fluid Attacks", "dateReserved": "2026-04-01T23:34:42.722Z", "datePublished": "2026-04-27T19:15:04.496Z", "dateUpdated": "2026-04-27T19:15:04.496Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows", "MacOS", "Linux"], "product": "pimcore", "vendor": "pimcore", "versions": [{"status": "affected", "version": "12.3.3"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pimcore:pimcore:12.3.3:*:windows:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:pimcore:pimcore:12.3.3:*:macos:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:pimcore:pimcore:12.3.3:*:linux:*:*:*:*:*", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "credits": [{"lang": "en", "type": "finder", "value": "Oscar Naveda"}, {"lang": "en", "type": "finder", "value": "Fluid Attacks' AI SAST Scanner"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend.</p><p>This issue affects pimcore: 12.3.3.</p>"}], "value": "An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend.\n\nThis issue affects pimcore: 12.3.3."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "CAPEC-7 Blind SQL Injection"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 7, "baseSeverity": "HIGH", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2026-04-27T19:15:04.496Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://fluidattacks.com/es/advisories/dragons"}, {"tags": ["product"], "url": "https://github.com/pimcore/pimcore"}], "source": {"discovery": "UNKNOWN"}, "title": "Pimcore Platform v12.3.3 - SQL Injection in DataObject composite index handling", "x_generator": {"engine": "Vulnogram 0.2.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend.\n\nThis issue affects pimcore: 12.3.3."}], "id": "CVE-2026-5394", "lastModified": "2026-04-27T20:21:52.070", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "help@fluidattacks.com", "type": "Secondary"}]}, "published": "2026-04-27T20:16:28.450", "references": [{"source": "help@fluidattacks.com", "url": "https://fluidattacks.com/es/advisories/dragons"}, {"source": "help@fluidattacks.com", "url": "https://github.com/pimcore/pimcore"}], "sourceIdentifier": "help@fluidattacks.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "help@fluidattacks.com", "type": "Primary"}]}