CVE-2026-45162 is a high-severity insecure deserialization vulnerability in pimcore/pimcore (composer), affecting versions <= 12.3.6. It is fixed in 12.3.7.
GM-374 Summary Multiple locations in Pimcore v11 call PHP's unserialize() on data from database columns and filesystem files without the allowedclasses restriction, enabling object injection if an attacker can control the serialized data source. Affected Component Package: pimcore/pimcore and pimcore/admin-ui-classic-bundle Files: lib/Tool/Authentication.php (line 82), session token deserialization models/Site/Dao.php (line 68), site domains from database models/DataObject/ClassDefinition/CustomLayout/Dao.php (line 69), layout definitions from database models/Tool/TmpStore/Dao.php (line 64), temporary store data from database models/Asset/WebDAV/Service.php (line 36), delete log from filesystem admin-ui-classic-bundle/src/Helper/Dashboard.php (line 64), dashboard config from filesystem Description Six locations in Pimcore core call unserialize() directly (bypassing Tool\Serialize) on data sourced from database columns or filesystem files without passing the allowedclasses parameter. This means any class available in the autoloader will be instantiated during deserialization. If an attacker can write to the data source (e.g., via SQL injection targeting the tmpstore, sites, or customlayouts tables, or via a file write vulnerability targeting the WebDAV delete log), they can inject serialized PHP gadget chains that execute arbitrary code when the data is deserialized. This is related to but distinct from the Tool\Serialize::unserialize() issue, these calls bypass the wrapper entirely. Impact PHP object injection leading to Remote Code Execution when chained with a data source write vulnerability. Pimcore's dependency tree (Guzzle, Symfony, Monolog, Doctrine) provides numerous known gadget chains. Proof of Concept Identify a writable data source (e.g., tmpstore table via SQL injection, or webdav-delete.dat via file write) Write a serialized PHP gadget chain (e.g., Monolog BufferHandler chain from phpggc) Trigger the deserialization (e.g., access a page that reads TmpStore, or trigger a WebDAV operation) The gadget chain executes with web server privileges Suggested Fix Add allowedclasses parameter to all unserialize() calls. Where no objects are needed, use ['allowed_classes' => false]. Consider migrating to JSON serialization for data that doesn't require object preservation. Resources CWE-502: Deserialization of Untrusted Data OWASP Deserialization Cheat Sheet phpggc: PHP Generic Gadget Chains
Untrusted serialized data is processed by a deserializer that can instantiate arbitrary objects or execute code as a side effect. Typical impact: arbitrary code execution or logic abuse.
CVE-2026-45162 has a CVSS score of 8.0 (High). The vector is network-reachable, high privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (12.3.7). Upgrading removes the vulnerable code path.
composer
pimcore/pimcore (<= 12.3.6)pimcore/pimcore → 12.3.7 (composer)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's Application Detection and Response identifies whether CVE-2026-45162 is reachable in your applications. Explore runtime application protection for your team.
See if CVE-2026-45162 is reachable in your applications. Get a demo
Upgrade pimcore/pimcore to 12.3.7 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-45162 is a high-severity insecure deserialization vulnerability in pimcore/pimcore (composer), affecting versions <= 12.3.6. It is fixed in 12.3.7. Untrusted serialized data is processed by a deserializer that can instantiate arbitrary objects or execute code as a side effect.
CVE-2026-45162 has a CVSS score of 8.0 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
pimcore/pimcore (composer) versions <= 12.3.6 is affected.
Yes. CVE-2026-45162 is fixed in 12.3.7. Upgrade to this version or later.
Whether CVE-2026-45162 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade pimcore/pimcore to 12.3.7 or later.