CVE-2026-11407
Pimcore CMS 12.3.8 Twig Sandbox Bypass via SecurityPolicy checkMethodAllowed
Description
Pimcore CMS/DXP version 12.3.8 contains a sandbox bypass vulnerability that allows authenticated administrative attackers to execute arbitrary methods on PHP objects by exploiting empty checkMethodAllowed() and checkPropertyAllowed() implementations in the custom Twig SecurityPolicy. Attackers can supply malicious Twig templates through the DataObject ClassDefinition Layout\Text component to perform arbitrary file reads, execute arbitrary database queries, and potentially achieve remote code execution via PHP object gadget chains, with the pimcore_* function wildcard further broadening the bypass to all Pimcore Twig functions.
INFO
Published Date :
June 17, 2026, 8:07 p.m.
Last Modified :
June 17, 2026, 8:07 p.m.
Remotely Exploit :
Yes !
Source :
VulnCheck
Affected Products
The following products are affected by CVE-2026-11407
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
No affected product recoded yet
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | HIGH | 83251b91-4cc7-4094-a5c7-464a1b83ea10 | ||||
| CVSS 4.0 | HIGH | 83251b91-4cc7-4094-a5c7-464a1b83ea10 |
Solution
- Update Pimcore CMS/DXP to a patched version.
- Review and restrict custom Twig template usage.
- Ensure secure configuration of SecurityPolicy.
- Limit administrative access and privileges.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-11407 vulnerability anywhere in the article.