CVE-2026-23493

HIGH

Pimcore <12.3.1-11.5.14 - Info Disclosure

Title source: llm

Description

Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend. This vulnerability is fixed in 12.3.1 and 11.5.14.

References (5)

[Vendor Advisory] https://github.com/pimcore/pimcore/security/advisories/GHSA-q433-j342-rp9h

[Issue Tracking] https://github.com/pimcore/pimcore/pull/18918

[Patch] https://github.com/pimcore/pimcore/commit/002ec7d5f84973819236796e5b314703b58e8601

View Patch ZIP pw:eip

[Release Notes] https://github.com/pimcore/pimcore/releases/tag/v11.5.14

[Release Notes] https://github.com/pimcore/pimcore/releases/tag/v12.3.1

Scores

CVSS v3 8.6

EPSS 0.0000

EPSS Percentile 0.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-532

Status published

Products (2)

pimcore/pimcore < 11.5.14

pimcore/pimcore 12.0.0-RC1 - 12.3.1Packagist

Published Jan 15, 2026

Tracked Since Feb 18, 2026