CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-5394

highcovered by 1 sourcefirst seen 2026-05-28
My name is Oscar Uribe, Security Researcher at Fluid Attacks. I am reaching out because we have identified a security vulnerability in Pimcore 12.3.3 that we would like to report to you so we can coordinate a responsible disclosure together. As part of our standard disclosure measures, we follow a timeline (outlined at https://fluidattacks.com/advisories/policy), which is aligned with ISO/IEC 29147:2018 and ISO/IEC 30111:2019. In short, the timeline works as follows: we ask for acknowledgment of the report within a few days of your first accessing it, and from there, we are happy to coordinate a joint disclosure date with you, typically within 90 days of the initial discovery. This gives your team reasonable time to assess, develop, and release a fix. We have reserved the CVE ID "CVE-2026-5394" for this issue, and the advisory will eventually be published at https://fluidattacks.com/advisories/dragons. We are committed to coordinating the timing of that publication with you. Please feel free to reach out if you have any questions about the report, the process, or the timeline. We are glad to work with you on this. Description An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend. The vulnerable flow accepts compositeIndices from imported JSON, stores the values without strict validation, and later concatenates them directly into ALTER TABLE ... DROP INDEX and ALTER TABLE ... ADD INDEX statements executed through Doctrine DBAL. Although the original report focused on compositeIndices.index_key, independent code review shows that the strongest and most reliable injection point is compositeIndices.index_columns, because it is inserted verbatim inside the ADD INDEX (...) clause. This permits injection of additional ALTER TABLE subclauses against Pimcore object tables without relying on stacked queries. Vulnerability Root c

⚡ Watch CVE-2026-5394

Get an email if CVE-2026-5394 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-5394

CVE.org record

Embed the live status

CVE-2026-5394 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-5394 status](https://www.csirts.com/badge/CVE-2026-5394)](https://www.csirts.com/cve/CVE-2026-5394)