CVE Vulnerability Details: CVE-2026-11407
Status: PUBLISHED
Assigner: VulnCheck
Assigner Org ID: 83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At: 17 Jun, 2026 | 20:07
Updated At: 18 Jun, 2026 | 12:55

CVE Numbering Authority (CNA)
Pimcore CMS 12.3.8 Twig Sandbox Bypass via SecurityPolicy checkMethodAllowed

Pimcore CMS/DXP version 12.3.8 contains a sandbox bypass vulnerability that allows authenticated administrative attackers to execute arbitrary methods on PHP objects by exploiting empty checkMethodAllowed() and checkPropertyAllowed() implementations in the custom Twig SecurityPolicy. Attackers can supply malicious Twig templates through the DataObject ClassDefinition Layout\Text component to perform arbitrary file reads, execute arbitrary database queries, and potentially achieve remote code execution via PHP object gadget chains, with the pimcore_* function wildcard further broadening the bypass to all Pimcore Twig functions.
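To make the defect class in the description concrete, the following is an added example and not Pimcore's SecurityPolicy or its fix: a minimal Twig 3 policy with the permissive shape (empty checkMethodAllowed()/checkPropertyAllowed() bodies that never throw) beside a deny-by-default policy that enforces per-class method and property allowlists and exact function names instead of a wildcard. The App\Model\Product class, its members and the function names in the allowlists are constructed for illustration.

```php
<?php
// Added illustration of the defect class; not Pimcore's SecurityPolicy or its patch.
use Twig\Sandbox\SecurityNotAllowedFunctionError;
use Twig\Sandbox\SecurityNotAllowedMethodError;
use Twig\Sandbox\SecurityNotAllowedPropertyError;
use Twig\Sandbox\SecurityPolicyInterface;

// Weak shape: the sandbox invokes these hooks for every obj.method() / obj.prop in a
// template, but an empty body never throws, so the sandbox denies nothing.
final class PermissivePolicy implements SecurityPolicyInterface
{
    public function checkSecurity($tags, $filters, $functions): void {}
    public function checkMethodAllowed($obj, $method): void {}      // never denies
    public function checkPropertyAllowed($obj, $property): void {}  // never denies
}

// Hardened shape: deny by default; allow only an explicit per-class allowlist matched
// with instanceof (covers subclasses), and exact function names (no wildcards).
final class AllowlistPolicy implements SecurityPolicyInterface
{
    // Constructed sample allowlists; the class and member names are hypothetical.
    private array $methods = ['App\\Model\\Product' => ['getname', 'getprice']];
    private array $properties = ['App\\Model\\Product' => ['sku']];
    private array $functions = ['range', 'date'];
    public function checkSecurity($tags, $filters, $functions): void
    {
        foreach ($functions as $f) {
            if (!in_array($f, $this->functions, true)) {
                throw new SecurityNotAllowedFunctionError("Function \"$f\" is not allowed.", $f);
            }
        }
    }
    public function checkMethodAllowed($obj, $method): void
    {
        $method = strtolower($method); // compare case-insensitively, as Twig's own policy does
        foreach ($this->methods as $class => $allowed) {
            if ($obj instanceof $class && in_array($method, $allowed, true)) { return; }
        }
        throw new SecurityNotAllowedMethodError("Method \"$method\" is not allowed.", get_class($obj), $method);
    }
    public function checkPropertyAllowed($obj, $property): void
    {
        foreach ($this->properties as $class => $allowed) {
            if ($obj instanceof $class && in_array($property, $allowed, true)) { return; }
        }
        throw new SecurityNotAllowedPropertyError("Property \"$property\" is not allowed.", get_class($obj), $property);
    }
}
```

Whichever policy is registered with Twig's SandboxExtension is what the sandbox actually enforces, so a review of any custom policy should confirm that each hook has a deny path, not only that the interface is implemented.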

Affected Products
Vendor: Pimcore GmbH
Product: Pimcore CMS/DXP
Default Status: unaffected
Affected versions:
  • From 0 through 12.3.8 (semver)
Unaffected versions:
  • fffa7f6396329e88610db70a8652529bbc734892 (custom)
Problem Types
Type: CWE
CWE ID: CWE-1336
Description: CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine
Metrics
Version: 4.0
Base score: 8.6
Base severity: HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Version: 3.1
Base score: 7.2
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Credits
Finder: Saidakbarxon Maxsudxonov
References
Hyperlink: https://github.com/pimcore/pimcore/pull/19193
Resource: issue-tracking
Hyperlink: https://github.com/pimcore/pimcore/commit/fffa7f6396329e88610db70a8652529bbc734892
Resource: patch
Hyperlink: https://www.vulncheck.com/advisories/pimcore-cms-twig-sandbox-bypass-via-securitypolicy-checkmethodallowed
Resource: third-party-advisory
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment: Details not found