CVE-2026-23493
Pimcore ENV Variables and Cookie Information are exposed in http_error_log
Description
### Summary
The http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend.
### Details
It's better to remove both lines, as this information makes little sense in this context anyway.
https://github.com/pimcore/pimcore/blob/12.x/bundles/SeoBundle/src/EventListener/ResponseExceptionListener.php#L92
https://github.com/pimcore/pimcore/blob/12.x/bundles/SeoBundle/src/EventListener/ResponseExceptionListener.php#L93
### PoC
In the Pimcore backend, navigate to "Search Engine Optimization" and click on "HTTP Errors." Double-click on an entry to view its details. Here, you may find sensitive data exposed.
### Impact
Pimcore backend users can access sensitive environment variables, potentially exposing critical information.
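A PHP illustration of the pattern the advisory describes, added here and not taken from Pimcore's ResponseExceptionListener: the leaky record that serializes the full $_SERVER and $_COOKIE arrays beside a hardened record that keeps only an allow-list of request fields, plus a check a defender can run over a record to confirm it carries no known secret. The function names, record field names and placeholder secret values are assumptions.

```php
<?php
// Added illustration, not Pimcore's code: the leaky logging pattern the advisory
// describes beside a hardened variant that stores only an allow-list of request
// fields. All secret values below are constructed placeholders.
declare(strict_types=1);
// Vulnerable pattern: the whole $_SERVER and $_COOKIE arrays land in the log row,
// so DATABASE_URL, APP_SECRET and the session cookie become readable in the backend.
function buildErrorRecordLeaky(int $status, array $server, array $cookies): array
{
    return [
        'code'       => $status,
        'uri'        => $server['REQUEST_URI'] ?? '',
        'parameters' => serialize($server),
        'cookies'    => serialize($cookies),
    ];
}
// Hardened pattern: keep only the fields an HTTP-error log needs; no env, no cookies.
function buildErrorRecordSafe(int $status, array $server): array
{
    $allowed = ['REQUEST_URI', 'REQUEST_METHOD', 'HTTP_REFERER', 'HTTP_USER_AGENT'];
    $fields  = array_intersect_key($server, array_flip($allowed));
    return [
        'code'       => $status,
        'uri'        => $server['REQUEST_URI'] ?? '',
        'parameters' => serialize($fields),
    ];
}
// Exposure check: does a serialized record still contain any known secret?
function leaksSecret(array $record, array $secrets): bool
{
    $blob = serialize($record);
    foreach ($secrets as $secret) {
        if (str_contains($blob, $secret)) {
            return true;
        }
    }
    return false;
}
// Constructed sample request: a 404 in an app whose environment holds secrets.
$server  = [
    'REQUEST_URI'    => '/missing-page',
    'REQUEST_METHOD' => 'GET',
    'HTTP_REFERER'   => 'https://example.test/',
    'DATABASE_URL'   => 'mysql://app:dbpass-placeholder@db/pimcore',
    'APP_SECRET'     => 'app-secret-placeholder',
];
$cookies = ['PHPSESSID' => 'session-id-placeholder'];
$secrets = ['dbpass-placeholder', 'app-secret-placeholder', 'session-id-placeholder'];
var_dump(leaksSecret(buildErrorRecordLeaky(404, $server, $cookies), $secrets));
var_dump(leaksSecret(buildErrorRecordSafe(404, $server), $secrets));
```

Run under PHP 8 (str_contains requires it); the first var_dump reports bool(true) for the leaky record and the second bool(false) for the hardened one.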
How to fix CVE-2026-23493
To remediate CVE-2026-23493, upgrade the affected package to a fixed version below.
- upgrade to 12.3.1 or later
Is CVE-2026-23493 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 12.0.0-RC1, < 12.3.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L |