CVE-2026-23494

MEDIUM EPSS 23.6%

Published Jan 15, 20265mo ago · Modified Jun 17, 20261w ago

6.5 CVSS 3.1

Medium

Published Jan 15, 2026 5mo ago

Last Modified Jun 17, 2026 1w ago

Description

Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined via the backend interface or the var/config/staticroutes.php file, including details like regex-based patterns, controllers, variables, and priorities. These routes are registered automatically through the PimcoreStaticRoutesBundle and integrated into the MVC routing system. Testing revealed that an authenticated backend user lacking explicit permissions was able to invoke the endpoint (e.g., GET /api/static-routes) and retrieve sensitive route configurations. This vulnerability is fixed in 12.3.1 and 11.5.14.

CVSS Details

Base Score

6.5

Exploitability

2.8

Impact

3.6

Vector string

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope Unchanged

Confidentiality High

Integrity None

Availability None

Threat Intelligence

EPSS Exploit Probability

23.6% percentile

Exploit & Patch Status

Public Exploit Known

No Patch Available

Weaknesses 1

CWE-284

Affected Products 2

Vendor	Product	Version	Range
pimcore	pimcore	*	<11.5.14
pimcore	pimcore	*	≥12.0.0 – <12.3.1

References 4

github.com https://github.com/pimcore/pimcore/pull/18893

Issue Tracking
github.com https://github.com/pimcore/pimcore/releases/tag/v11.5.14

Release Notes
github.com https://github.com/pimcore/pimcore/releases/tag/v12.3.1

Release Notes
github.com https://github.com/pimcore/pimcore/security/advisories/GHSA-m3r2-724c-pwgf

ExploitVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.