Description
An authenticated attacker with permission to edit document content can store crafted HTML/JavaScript in a Document embed editable and cause script execution when the published page is rendered.

This issue affects pimcore: v12.3.3.
Published: 2026-04-27
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (stored) leading to script execution
Action: Patch
AI Analysis

Impact

An authenticated attacker that can edit document content is able to embed arbitrary HTML or JavaScript into a document’s editable embed section. When a user later views the published page, the injected code runs in the browser and executes with the page’s privileges, potentially enabling data theft, session hijacking or other client‑side attacks.

Affected Systems

Pimcore Platform version 12.3.3 is affected. The vulnerability exists on all operating systems supported by that release – Linux, macOS, and Windows – as indicated by the CPE entries for the platform.

Risk and Exploitability

The CVSS score of 4.8 rates the issue as Medium severity; however, because the attack requires authenticated access with editing rights, exploitation depends on an insider or on compromised credentials. The EPSS score is currently unavailable, and the vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known exploits yet. Even so, an internal actor could use the flaw to inject malicious scripts that execute for every visitor of the affected page.

Generated by OpenCVE AI on April 28, 2026 at 12:51 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Pimcore to a patched version that removes the stored XSS vulnerability.
  • Restrict document-content editing permissions to trusted, vetted users and audit their activity.
  • Sanitize or strip JavaScript and other disallowed tags from embed content before rendering as a temporary workaround.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:30:00 +0000

Type | Values Removed | Values Added
Description | | An authenticated attacker with permission to edit document content can store crafted HTML/JavaScript in a Document embed editable and cause script execution when the published page is rendered. This issue affects pimcore: v12.3.3.
Title | | Pimcore Platform v12.3.3 - Stored XSS in Document Editable Embed rendering
First Time appeared | | Pimcore; Pimcore pimcore
Weaknesses | | CWE-79
CPEs | | cpe:2.3:a:pimcore:pimcore:v12.3.3:*:linux:*:*:*:*:*
 | | cpe:2.3:a:pimcore:pimcore:v12.3.3:*:macos:*:*:*:*:*
 | | cpe:2.3:a:pimcore:pimcore:v12.3.3:*:windows:*:*:*:*:*
Vendors & Products | | Pimcore; Pimcore pimcore
References | |
Metrics | | cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published:

Updated: 2026-04-27T20:16:01.154Z

Reserved: 2026-04-01T17:29:08.324Z

Link: CVE-2026-5362

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-27T21:16:42.817

Modified: 2026-04-27T21:16:42.817

Link: CVE-2026-5362

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T13:00:15Z

Weaknesses