Deserialization of Untrusted Data in Pimcore - CVE-2026-45162

Published: June 15, 2026


Vulnerability identifier: #VU134519
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-45162
CWE-ID: CWE-502
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Pimcore
Affected software:
Pimcore

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to deserialization of untrusted data in multiple unserialize() call sites in Pimcore when processing serialized data from database columns or filesystem files. A remote privileged user can inject a serialized PHP gadget chain into a controllable data source to execute arbitrary code.

Exploitation requires control over a referenced database or filesystem data source through a separate write primitive, such as SQL injection or a file write vulnerability.
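
The pattern the advisory describes, shown as an added illustration rather than Pimcore's own code: a value read from a database column is passed straight to unserialize(), which instantiates whatever class the stored string names. The function names and the stored sample values below are constructed; the hardened variant uses the allowed_classes option and a cheap pre-check for object tokens, both of which a defender can apply to any PHP code that still has to read legacy serialized data.

```php
<?php
declare(strict_types=1);

// Hypothetical helper names; the column contents are constructed samples,
// not values taken from Pimcore.

/** Vulnerable pattern: trusts whatever the column holds (CWE-502). */
function loadSettingsUnsafe(string $serializedColumn): mixed
{
    // Whoever can write this column through a separate primitive
    // (SQL injection, arbitrary file write) chooses the class that is
    // instantiated here, and therefore which __wakeup/__destruct runs.
    return unserialize($serializedColumn);
}

/** Hardened variant: objects are never instantiated. */
function loadSettingsSafe(string $serializedColumn): mixed
{
    // allowed_classes => false turns every object in the payload into
    // __PHP_Incomplete_Class, so magic methods of application or vendor
    // classes are not reachable from the stored data.
    $value = unserialize($serializedColumn, ['allowed_classes' => false]);

    // unserialize() returns false both for malformed input and for a
    // legitimately stored boolean false; distinguish the two cases.
    if ($value === false && $serializedColumn !== serialize(false)) {
        throw new UnexpectedValueException('Malformed serialized data in column');
    }
    return $value;
}

/**
 * Detection heuristic for audits or log review: does a stored blob carry
 * PHP object tokens at all? Scalars and arrays never need "O:" or "C:".
 * A string value that itself contains such a token produces a false
 * positive, which is acceptable for a triage check.
 */
function containsSerializedObject(string $blob): bool
{
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $blob);
}

// Constructed samples: one benign settings array, one blob naming a class.
$plainArray = serialize(['theme' => 'dark', 'pageSize' => 50]);
$objectBlob = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}';

// The safe loader keeps the array intact and neutralises the object.
var_dump(loadSettingsSafe($plainArray));
var_dump(loadSettingsSafe($objectBlob) instanceof __PHP_Incomplete_Class);

// The heuristic separates the two blobs for review.
var_dump(containsSerializedObject($plainArray));
var_dump(containsSerializedObject($objectBlob));
```

The allowed_classes option only blocks the object-instantiation step; it does not help where the application legitimately persists objects and must rehydrate them, which is why the vendor fix, not a blanket option change, is the actual remediation. For new code, storing JSON and reading it with json_decode() avoids the problem class entirely, because JSON cannot name a PHP class.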


How to mitigate CVE-2026-45162

Install the security update from the vendor's website.

Sources