PULSE
LIVE18signals / 24h
FEED
ransomincransom reclama a v-silicon.com · TW · Technologyransomincransom reclama a FAST.COM.PH · PH · Technologyransomincransom reclama a D.MAG New Material Technology Co., Ltd. Taiwan Giant · TW · Manufacturingransomincransom reclama a vedan corp · VN · Agriculture and Food Productionransomincransom reclama a reatile.co.za · ZA · Not Foundransomincransom reclama a V&P Nurseries · US · Agriculture and Food Productionransomqilin reclama a Powder River Heating & Air Conditioning · US · Consumer Servicesransomqilin reclama a Droguería Martorani · AR · Consumer Servicesransomthegentlemen reclama a Military Sealift Command · US · Transportation/Logisticsransomthegentlemen reclama a Advantage Home Health Care · US · Healthcareransomthegentlemen reclama a Sunway Scientific · TW · Manufacturingransomqilin reclama a Cafar · AR · Agriculture and Food Productionransominterlock reclama a Centre for Newcomers · CA · Public Sectorransominterlock reclama a Paragon Store Fixtures · US · Manufacturingransomincransom reclama a v-silicon.com · TW · Technologyransomincransom reclama a FAST.COM.PH · PH · Technologyransomincransom reclama a D.MAG New Material Technology Co., Ltd. Taiwan Giant · TW · Manufacturingransomincransom reclama a vedan corp · VN · Agriculture and Food Productionransomincransom reclama a reatile.co.za · ZA · Not Foundransomincransom reclama a V&P Nurseries · US · Agriculture and Food Productionransomqilin reclama a Powder River Heating & Air Conditioning · US · Consumer Servicesransomqilin reclama a Droguería Martorani · AR · Consumer Servicesransomthegentlemen reclama a Military Sealift Command · US · Transportation/Logisticsransomthegentlemen reclama a Advantage Home Health Care · US · Healthcareransomthegentlemen reclama a Sunway Scientific · TW · Manufacturingransomqilin reclama a Cafar · AR · Agriculture and Food Productionransominterlock reclama a Centre for Newcomers · CA · Public Sectorransominterlock reclama a Paragon Store Fixtures · US · Manufacturing
← All CVEs
CVE WatchJul 17, 2026

CVE-2026-45260

Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.7, Pimcore's WebDAV asset endpoint exposes

CVSS

8.1

High

EPSS

KEV

Exploit Today

0-100

Published: Jul 17, 2026 · Last modified: Jul 17, 2026 · CWE-862

EPSS · 30d

Not enough EPSS history yet.

Technical description

Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.7, Pimcore's WebDAV asset endpoint exposes a MOVE operation through /asset/webdav{path} without an authentication plugin in bundles/CoreBundle/src/Controller/WebDavController.php, and models/Asset/WebDAV/Tree.php performs asset mutation and deletion through models/Asset.php before checking a current Pimcore user or the rename, delete, create, or publish permissions, allowing unauthorized asset deletion, moves, or overwrites. This issue is fixed in versions 11.5.17 (LTS) and 12.3.7.

Official references
Related CVEs
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-277718.2 HIG
98.5%
30Gitea versions up to and including 1.26.1 have insufficient permission checks for Composer package source links, which can expose private or internal package source information.10d
CVE-2023-361447.5 HIG
98.3%
30An authentication bypass in Intelbras Switch SG 2404 MR in firmware 1.00.54 allows an unauthenticated attacker to download the backup file of the device, exposing critical information about the device configuration.9d
CVE-2021-445958.8 HIG
97.3%
29Wondershare Dr. Fone Latest version as of 2021-12-06 is vulnerable to Incorrect Access Control. A normal user can send manually crafted packets to the ElevationService.exe and execute arbitrary code without any validation with SYSTEM privileges.9d
CVE-2020-253669.1 CRI
82.0%
25An issue in the component /cgi-bin/upload_firmware.cgi of D-Link DIR-823G REVA1 1.02B05 allows attackers to cause a denial of service (DoS) via unspecified vectors.9d
CVE-2020-220076.8 MED
80.9%
24OS Command Injection vulnerability in OKER G955V1 v1.03.02.20161128, allows physical attackers to interrupt the boot sequence and execute arbitrary commands with root privileges.13d
CVE-2026-405028.8 HIG
74.5%
22OpenHarness prior to commit dd1d235 contains a command injection vulnerability that allows remote gateway users with chat access to invoke sensitive administrative commands by exploiting insufficient distinction between local-only and remote-safe commands in the gateway handler. Attackers can execute administrative commands such as /permissions full_auto through remote chat sessions to change permission modes of a running OpenHarness instance without operator authorization.3d