CVE-2025-30166: Pimcore's Admin Classic Bundle allows HTML Injection

April 8, 2025

An HTML injection issue allows users with access to the email sending functionality to inject arbitrary HTML code into emails sent via the admin interface, potentially leading to session cookie theft and the alteration of page content.

References

github.com/advisories/GHSA-x82r-6j37-vrgg
github.com/pimcore/admin-ui-classic-bundle
github.com/pimcore/admin-ui-classic-bundle/commit/76b690d4f8fcd9c9d41766bc5238c2513242e60e
github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-x82r-6j37-vrgg
nvd.nist.gov/vuln/detail/CVE-2025-30166

Code Behaviors & Features

Detect and mitigate CVE-2025-30166 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →