CVE-2026-5394

Pimcore Platform v12.3.3 - SQL Injection in DataObject composite index handling

Description

An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend. This issue affects pimcore: 12.3.3.

INFO

Published Date :

2026-04-27T19:15:04.496Z

Last Modified :

2026-04-28T14:36:35.902Z

Source :

Fluid Attacks

AFFECTED PRODUCTS

The following products are affected by CVE-2026-5394 vulnerability.

Vendors	Products
Pimcore	Pimcore

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-5394.

URL	Resource
https://fluidattacks.com/es/advisories/dragons
https://github.com/pimcore/pimcore

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability