CVE-2026-5362: Pimcore has an authenticated Cross-site Scripting issue

April 27, 2026 (updated May 6, 2026)

An authenticated attacker with permission to edit document content can store crafted HTML/JavaScript in a Document embed editable and cause script execution when the published page is rendered.

This issue affects pimcore: v12.3.3.

References

fluidattacks.com/es/advisories/mago
github.com/advisories/GHSA-7gxw-q9j5-mrj4
github.com/pimcore/pimcore
nvd.nist.gov/vuln/detail/CVE-2026-5362

Code Behaviors & Features

Detect and mitigate CVE-2026-5362 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →