Pimcore 12.3.3 RCE via DataObject class import (SQL Injection)
CVE-2026-5394 Published on April 27, 2026

Pimcore Platform v12.3.3 - SQL Injection in DataObject composite index handling
An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend. This issue affects pimcore: 12.3.3.

NVD

Weakness Type

What is a SQL Injection Vulnerability?

The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

CVE-2026-5394 has been classified to as a SQL Injection vulnerability or weakness.

Products Associated with CVE-2026-5394

Want to know whenever a new CVE is published for Pimcore? stack.watch will email you.

Pimcore

Affected Versions

pimcore Version 12.3.3 is affected by CVE-2026-5394

Pimcore 12.3.3 RCE via DataObject class import (SQL Injection)CVE-2026-5394 Published on April 27, 2026

Weakness Type

What is a SQL Injection Vulnerability?

Products Associated with CVE-2026-5394

Affected Versions

Pimcore 12.3.3 RCE via DataObject class import (SQL Injection)
CVE-2026-5394 Published on April 27, 2026