CVE-2026-45162

Pimcore · Pimcore

Pimcore is vulnerable to insecure deserialization of untrusted data, which can be leveraged by an authenticated user with high privileges to achieve remote code execution.

Executive summary

An insecure deserialization vulnerability in Pimcore allows a high-privileged attacker to compromise the entire system, necessitating urgent patching.

Vulnerability

The application improperly deserializes untrusted data, which an authenticated attacker with high privileges can exploit to execute arbitrary code.

Business impact

Successful exploitation allows for complete control over the application server, potentially leading to full system compromise and total loss of confidentiality, integrity, and availability. Given the CVSS score of 8.0, the potential for catastrophic business impact is high.

Remediation

Immediate Action: Update the Pimcore installation to version 11.5.17, 12.3.7, or 2026.1.3 to mitigate the deserialization risk.

Proactive Monitoring: Inspect server logs for anomalous execution patterns or unexpected system calls that may indicate an attempt to exploit deserialization routines.

Compensating Controls: Ensure the application runs with the least privilege necessary to limit the potential reach of a successful code execution exploit.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Due to the severity of insecure deserialization, immediate patching is required. Organizations must treat this as a high-priority update to prevent potential full-system compromise by malicious actors.