Pimcore Twig SecurityPolicy sandbox bypass v12.3.8
CVE-2026-11407 Published on June 17, 2026
Pimcore CMS 12.3.8 Twig Sandbox Bypass via SecurityPolicy checkMethodAllowed
Pimcore CMS/DXP version 12.3.8 contains a sandbox bypass vulnerability that allows authenticated administrative attackers to execute arbitrary methods on PHP objects by exploiting empty checkMethodAllowed() and checkPropertyAllowed() implementations in the custom Twig SecurityPolicy. Attackers can supply malicious Twig templates through the DataObject ClassDefinition Layout\Text component to perform arbitrary file reads, execute arbitrary database queries, and potentially achieve remote code execution via PHP object gadget chains, with the pimcore_* function wildcard further broadening the bypass to all Pimcore Twig functions.
Vulnerability Analysis
CVE-2026-11407 can be exploited with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
Products Associated with CVE-2026-11407
Want to know whenever a new CVE is published for Pimcore? stack.watch will email you.
Affected Versions
Pimcore GmbH Pimcore CMS/DXP:- Before and including 12.3.8 is affected.
- Version fffa7f6396329e88610db70a8652529bbc734892 is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.