A vulnerability was found in Pimcore up to 2025.4.5/2026.1.5. It has been declared as critical. This impacts the function
token of the file /pimcore-studio/api/login/token of the component Password Reset. Executing a manipulation of the argument resetPasswordUrl can lead to weak password recovery.
This vulnerability is registered as CVE-2026-55207. It is possible to launch the attack remotely. No exploit is available.