Pimcore

v12.3.7 Security

This release includes 3 security fixes for security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 3 known CVEs

Topics

cdp cms cms-framework customer-data-platform dam data-management
digital-platform ecommerce ecommerce-platform experience-manager master-data-management mdm online-shop pim pimcore product-information-management product-management shop wcms

Affected surfaces

auth rbac

Summary

AI summary

Harden unserializer and add permission checks for view access in Word Export TranslationController.

Changes in this release

Security Medium

Improve Composite Index in ClassDefinition security vulnerability fixed

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Security Medium

Add permission check for view access in Word Export TranslationController security vulnerability fixed

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Security Medium

Harden unserializer and refine allowed classes security vulnerability fixed

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Security Medium

Enhance Authorization in WebDAV MOVE via unchecked asset move handling security vulnerability fixed

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Feature Medium

Prefer storage-reported MIME type after asset write (fallback to stream sniffing)

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Bugfix Medium

Decouple InstallerKernel from MicroKernelTrait private API bug fixed

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Bugfix Medium

Improve memory usage in asset custom settings migration bug fixed

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Bugfix Medium

Error message "Cannot traverse an already closed generator" when moving folder with assets fixed

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Full changelog

What's Changed

  • Rename update guide from V12 to V13 to V12 to V2026 by @jdreesen in https://github.com/pimcore/pimcore/pull/19105
  • Fix Pimcore version in upgrade docs by @jdreesen in https://github.com/pimcore/pimcore/pull/19101
  • [Security]: Improve Composite Index in ClassDefinition by @kingjia90 in https://github.com/pimcore/pimcore/pull/19108
  • [Security]: Add permission check for view access in Word Export TranslationController by @kingjia90 in https://github.com/pimcore/pimcore/pull/19112
  • [Bug, InstallBundle] Decouple InstallerKernel from MicroKernelTrait private API by @mcop1 in https://github.com/pimcore/pimcore/pull/19113
  • [Security]: Harden unserializer and refine allowed classes by @kingjia90 in https://github.com/pimcore/pimcore/pull/19119
  • [Security] Enhance Authorization in WebDAV MOVE via unchecked asset move handling by @kingjia90 in https://github.com/pimcore/pimcore/pull/19120
  • Prefer storage-reported MIME type after asset write (fallback to stream sniffing) by @vrobert78 in https://github.com/pimcore/pimcore/pull/18900
  • [Bug, EC] PEES-942: Improve memory usage in asset custom settings migration by @kingjia90 in https://github.com/pimcore/pimcore/pull/19127
  • [Bug] Error message "Cannot traverse an already closed generator" pops up when moving folder with assets by @MartaMarija in https://github.com/pimcore/pimcore/pull/18968

Full Changelog: https://github.com/pimcore/pimcore/compare/v12.3.6...v12.3.7

Security Fixes

  • CVE‑2026‑XXXXX – Harden unserializer and refine allowed classes
  • CVE‑2026‑XXXXX – Add permission check for view access in Word Export TranslationController
  • CVE‑2026‑XXXXX – Enhance Authorization in WebDAV MOVE via unchecked asset move handling

About Pimcore

Multi-channel experience and engagement management platform.
