CVE-2026-23496

EUVD-2026-2726

15.01.2026, 17:16

Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. Prior to 5.2.2 and 6.1.1, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing "Favourite Output Channel Configurations." Testing revealed that an authenticated backend user without explicitely lacking permissions for this feature was still able to successfully invoke the endpoint and modify or retrieve these configurations. This vulnerability is fixed in 5.2.2 and 6.1.1.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.4 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
GitHub_M	CNA	5.4 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
pimcore	web2print_tools	𝑥 < 5.2.2
pimcore	web2print_tools	6.0.0 ≤ 𝑥 < 6.1.1

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

References

https://github.com/pimcore/pimcore/security/advisories/GHSA-4wg4-p27p-5q2r

https://github.com/pimcore/web2print-tools/commit/7714452a04b9f9b077752784af4b8d0b05e464a1

https://github.com/pimcore/web2print-tools/pull/108

https://github.com/pimcore/web2print-tools/releases/tag/v5.2.2

https://github.com/pimcore/web2print-tools/releases/tag/v6.1.1

https://github.com/pimcore/pimcore/security/advisories/GHSA-4wg4-p27p-5q2r