CVE-2026-5362

MEDIUM

Pimcore Platform v12.3.3 - Stored XSS in Document Editable Embed rendering

Title source: cna

Description

An authenticated attacker with permission to edit document content can store crafted HTML/JavaScript in a Document embed editable and cause script execution when the published page is rendered. This issue affects pimcore: v12.3.3.

References (2)

[Third Party Advisory] https://fluidattacks.com/es/advisories/mago

[Product] https://github.com/pimcore/pimcore/

Scores

CVSS v4 4.8

EPSS 0.0000

EPSS Percentile 0.0%

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

pimcore/pimcore v12.3.3

Published Apr 27, 2026

Tracked Since Apr 28, 2026