CVSS 8.0 HIGH Vulnerability

CVE-2026-45162: Pimcore has Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Rest…


CVSS Score: 8.0
Severity: HIGH
CISA KEV: No
Impact Type: Vulnerability

📋 Vulnerability Details

CVE ID: CVE-2026-45162
Vendor: composer
Affected Product: pimcore/pimcore
Vulnerability Type: Vulnerability
CVSS Score: 8.0 (HIGH)
Actively Exploited: No known exploitation
Patch Status: See Vendor Advisory
Reported By: CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

GM-374

Summary

Multiple locations in Pimcore v11 call PHP's unserialize() on data from database columns and filesystem files without the allowed_classes restriction, enabling object injection if an attacker can control the serialized data source.

Affected Component

Package: pimcore/pimcore and pimcore/admin-ui-classic-bundle
Files:
- lib/Tool/Authentication.php (line 82) — session token deserialization
- models/Site/Dao.php (line 68) — site domains from database
- models/DataObject/ClassDefinition/CustomLayout/Dao.php (line 69) — layout definitions from database
- models/Tool/TmpStore/Dao.php (line 64) — temporary store data from database
- models/Asset/WebDAV/Service.php (line 36) — delete log from filesystem
- `admin-ui-classic-bundle/src/Helper/Dash
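The weak call pattern beside a hardened replacement, as an added example that is not Pimcore's code: `AuditLogger` and `safeUnserialize()` are constructed names, and the domain list is a constructed sample standing in for the kind of database column data the file list above describes.

```php
<?php
declare(strict_types=1);

// Constructed illustration, not Pimcore's code: a class whose __wakeup() runs as a
// side effect of unserialize() whenever an object of this class is reconstructed.
class AuditLogger
{
    public function __construct(public string $path = '/tmp/audit.log') {}
    public function __wakeup(): void
    {
        echo "AuditLogger::__wakeup() ran for {$this->path}\n";
    }
}

// Hardened replacement for a bare unserialize($data): only classes named in
// $allowed may be instantiated, and anything else is refused outright instead of
// being silently converted to __PHP_Incomplete_Class and passed downstream.
function safeUnserialize(string $data, array $allowed = []): mixed
{
    $value = @unserialize($data, ['allowed_classes' => $allowed ?: false]);
    if ($value === false && $data !== 'b:0;') {
        throw new UnexpectedValueException('malformed serialized data');
    }
    $walk = function (mixed $v) use (&$walk): void {
        if ($v instanceof __PHP_Incomplete_Class) {
            throw new UnexpectedValueException('disallowed class in serialized data');
        }
        if (is_array($v) || is_object($v)) {
            foreach ((array) $v as $child) {
                $walk($child);
            }
        }
    };
    $walk($value);
    return $value;
}

// Constructed sample inputs: a scalar list like a site's domains column, and a
// serialized object of the kind an attacker-controlled column or file could hold.
$domains = serialize(['example.com', 'www.example.com']);
$object  = serialize(new AuditLogger());

unserialize($object);                       // weak pattern: __wakeup() fires
var_dump(safeUnserialize($domains));        // scalar data round-trips unchanged
try {
    safeUnserialize($object);               // object is refused
} catch (UnexpectedValueException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}
```

Where a stored structure legitimately contains a known value object, pass that class name in `$allowed` rather than falling back to an unrestricted call.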
