CVE-2021-39166
8.0 HIGH · Pimcore is an open source data & experience management platform
Published: 2021-09-01 · Last updated: 2026-06-17
Severity and scoring
- CVSS: 8.0 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
- CWE: CWE-79
Affected products
| Vendor | Product |
|---|---|
| pimcore | pimcore |
Description
Pimcore is an open source data & experience management platform. Prior to version 10.1.2, text values were not properly escaped before being printed in the version preview. This allowed XSS by authenticated users with access to the resources. This issue is patched in Pimcore version 10.1.2.
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2021-39166
- [Patch] https://github.com/pimcore/pimcore/pull/10170
- [Patch] https://github.com/pimcore/pimcore/security/advisories/GHSA-w6j8-jc36-x5q9
Related CVEs
Same vendor
- CVE-2026-5362 — An authenticated attacker with permission to edit document content can store crafted HTML/JavaScript in a Document embed editable and cau... (5.4 MEDIUM)
- CVE-2021-39189 — Pimcore is an open source data & experience management platform (5.3 MEDIUM)
- CVE-2021-39170 — Pimcore is an open source data & experience management platform (8.0 HIGH)
Same CWE
- CVE-2026-12425 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PowerSchool Employee Access ...
- CVE-2024-30476 — PowerStore contains a Stored Cross-Site Scripting Vulnerability in the PowerStore Manager (5.4 MEDIUM)
- CVE-2026-54198 — Unauthenticated Cross Site Scripting (XSS) in Media Library Assistant <= 3.35 versions (7.1 HIGH)
- CVE-2026-54191 — Unauthenticated Cross Site Scripting (XSS) in Pods <= 3.3.8 versions (7.1 HIGH)
- CVE-2026-39437 — Unauthenticated Cross Site Scripting (XSS) in Min Max Step Quantity Limits Manager for WooCommerce <= 5.2.2 versions (7.1 HIGH)