Vulnerability Database

322,904

Total vulnerabilities in the database

CVE-2023-28438

Pimcore is an open source data and experience management platform. Prior to version 10.5.19, since a user with 'report' permission can already write arbitrary SQL queries and given the fact that this endpoint is using the GET method (no CSRF protection), an attacker can inject an arbitrary query by manipulating a user to click on a link. Users should upgrade to version 10.5.19 to receive a patch or, as a workaround, may apply the patch manually.

Published: Mar 22, 2023
Updated: Nov 16, 2025
CVE: CVE-2023-28438
GHSA: GHSA-vf7q-g2pv-jxvx
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.2
AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N

CWEs:

CWE-89

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
pimcore / pimcore	-	10.5.19

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo