HIGH 8.8 CVE-2026-44741 Pimcore Admin Classic Bundle Vulnerable to SQL Injection in Translation Grid Date Filter via Unsanitized Property Parameter
from 0, < 2.3.6
from 0, < 1.2.3
>= 1.0.0, < 1.3.2
HIGH 8.4 Pimcore Admin UI has Two Factor Authentication disabled for non admin security firewalls
from 0, < 1.2.2
HIGH 8.1 Pimcore Host Header Injection in user invitation link
from 0, < 1.3.4
MEDIUM 6.5 Pimcore Admin Classic Bundle permissions are not getting checked when working with tags
from 0, < 1.3.3
MEDIUM 6.3 Pimcore vulnerable to disclosure of system and database information behind /admin firewall
from 0, < 1.5.2
MEDIUM 6.1 Pimcore Admin Classic Bundle Cross-site Scripting (XSS) in PDF previews
from 0, < 1.2.0
MEDIUM 6.1 Pimcore admin UI vulnerable to Cross-site Scripting in 2 factor authentication setup page
from 0, < 1.0.3
MEDIUM 5.4 pimcore/admin-ui-classic-bundle Cross-site Scripting vulnerability in Translations
from 0, < 1.1.2
MEDIUM 5.3 pimcore/admin-ui-classic-bundle Full Path Disclosure via re-export document
from 0, < 1.2.1
MEDIUM 4.3 Pimcore's Admin Classic Bundle is Missing Function Level Authorization on "Predefined Properties" Listing
>= 2.0.0-RC1, < 2.2.3
MEDIUM 4.3 pimcore/admin-ui-classic-bundle Unverified Password Change
from 0, < 1.2.0-RC1
— Pimcore's Admin Classic Bundle allows HTML Injection
from 0, < 1.7.6
— Pimcore Admin Classic Bundle allows user enumeration
from 0, < 1.7.4