CVE-2026-23493
- Source
- https://cve.org/CVERecord?id=CVE-2026-23493
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23493.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-23493
- Aliases
- Published
- 2026-01-15T16:38:23.923Z
- Modified
- 2026-01-22T05:49:34.724581Z
- Severity
-
- 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L CVSS Calculator
- Summary
- Pimcore ENV Variables and Cookie Informations are exposed in http_error_log
- Details
-
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the httperrorlog file stores the $COOKIE and $SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend. This vulnerability is fixed in 12.3.1 and 11.5.14.
- Database specific
{ "cwe_ids": [ "CWE-532" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23493.json" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23493.json
- https://github.com/pimcore/pimcore/commit/002ec7d5f84973819236796e5b314703b58e8601
- https://github.com/pimcore/pimcore/pull/18918
- https://github.com/pimcore/pimcore/releases/tag/v11.5.14
- https://github.com/pimcore/pimcore/releases/tag/v12.3.1
- https://github.com/pimcore/pimcore/security/advisories/GHSA-q433-j342-rp9h
- https://nvd.nist.gov/vuln/detail/CVE-2026-23493
Affected packages
Git / github.com/pimcore/pimcore
Affected ranges
Affected versions
2.*
2.2.0
2.2.1
2.2.2
2.3.0
3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.1.0
3.1.1
4.*
4.0.0
4.0.1
4.1.0
4.1.1
4.1.2
4.1.3
4.2.0
4.3.0
4.3.1
4.4.0
4.4.1
4.4.2
4.4.3
4.5.0
v10.*
v10.0.0
v10.0.0-BETA1
v10.0.0-BETA2
v10.0.0-BETA3
v10.0.0-BETA4
v10.0.1
v10.0.2
v10.0.3
v10.0.4
v10.0.5
v10.0.6
v10.0.7
v10.0.8
v10.0.9
v10.1.0
v10.1.1
v10.1.2
v10.1.3
v10.1.4
v10.1.5
v10.2.0
v10.2.1
v10.2.10
v10.2.2
v10.2.3
v10.2.4
v10.2.5
v10.2.6
v10.2.7
v10.2.8
v10.2.9
v10.3.0
v10.3.1
v10.3.2
v10.3.3
v10.3.4
v10.3.5
v10.3.6
v10.4.0
v10.4.1
v10.4.2
v10.4.3
v10.4.4
v10.4.5
v10.4.6
v10.5.0
v10.5.1
v10.5.10
v10.5.11
v10.5.12
v10.5.13
v10.5.14
v10.5.15
v10.5.16
v10.5.17
v10.5.18
v10.5.19
v10.5.2
v10.5.20
v10.5.21
v10.5.22
v10.5.23
v10.5.24
v10.5.25
v10.5.3
v10.5.4
v10.5.5
v10.5.6
v10.5.7
v10.5.8
v10.5.9
v10.6.0
v10.6.1
v10.6.2
v10.6.3
v10.6.4
v10.6.5
v10.6.6
v10.6.7
v10.6.8
v10.6.9
v11.*
v11.0.0
v11.0.0-ALPHA1
v11.0.0-ALPHA2
v11.0.0-ALPHA3
v11.0.0-ALPHA4
v11.0.0-ALPHA5
v11.0.0-ALPHA6
v11.0.0-ALPHA7
v11.0.0-ALPHA8
v11.0.0-BETA1
v11.0.0-RC1
v11.0.0-RC2
v11.0.1
v11.0.10
v11.0.11
v11.0.12
v11.0.2
v11.0.3
v11.0.4
v11.0.5
v11.0.6
v11.0.7
v11.0.8
v11.0.9
v11.1.0
v11.1.0-RC1
v11.1.1
v11.1.2
v11.1.3
v11.1.4
v11.1.5
v11.1.6
v11.2.0
v11.2.1
v11.2.2
v11.2.3
v11.2.4
v11.2.5
v11.2.6
v11.2.7
v11.3.0
v11.3.0-RC1
v11.3.0-RC2
v11.3.1
v11.3.2
v11.3.3
v11.4.0
v11.4.0-RC1
v11.4.1
v11.4.2
v11.4.3
v11.4.4
v11.5.0
v11.5.0-RC1
v11.5.0-RC2
v11.5.1
v11.5.10
v11.5.11
v11.5.12
v11.5.13
v11.5.14
v11.5.2
v11.5.3
v11.5.4
v11.5.5
v11.5.6
v11.5.7
v11.5.8
v11.5.9
v12.*
v12.0.0
v12.0.0-RC1
v12.0.0-RC2
v12.0.1
v12.0.2
v12.0.3
v12.0.4
v12.1.0
v12.1.1
v12.1.2
v12.1.3
v12.1.4
v12.1.5
v12.2.0
v12.2.1
v12.2.2
v12.2.3
v12.2.4
v12.3.0
v5.*
v5.0.0
v5.0.0-RC
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.1.0
v5.1.0-alpha
v5.1.1
v5.1.2
v5.1.3
v5.2.0
v5.2.3
v5.3.0
v5.3.1
v5.4.0
v5.4.1
v5.4.2
v5.4.3
v5.4.4
v5.5.0
v5.5.1
v5.5.2
v5.5.3
v5.5.4
v5.6.0
v5.6.1
v5.6.2
v5.6.3
v5.6.4
v5.6.5
v5.6.6
v5.7.0
v5.7.1
v5.7.2
v5.7.3
v5.8.0
v5.8.1
v5.8.2
v5.8.3
v6.*
v6.0.0
v6.0.1
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.1.0
v6.1.1
v6.1.2
v6.2.0
v6.2.1
v6.2.2
v6.2.3
v6.3.0
v6.3.1
v6.3.2
v6.3.3
v6.3.4
v6.3.5
v6.3.6
v6.4.0
v6.4.1
v6.4.2
v6.5.0
v6.5.1
v6.5.2
v6.5.3
v6.6.0
v6.6.1
v6.6.10
v6.6.11
v6.6.2
v6.6.3
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7.0
v6.7.1
v6.7.2
v6.7.3
v6.8.0
v6.8.1
v6.8.10
v6.8.11
v6.8.12
v6.8.2
v6.8.3
v6.8.4
v6.8.5
v6.8.6
v6.8.7
v6.8.8
v6.8.9
v6.9.0
v6.9.1
v6.9.2
v6.9.3
v6.9.4
v6.9.5
v6.9.6