{"advisories":{"verbb\/formie":[{"advisoryId":"PKSA-2h9w-qq3j-93vt","packageName":"verbb\/formie","remoteId":"GHSA-pgxq-p76c-x9cg","title":"formie\u0027s unauthenticated front-end submission editing can overwrite existing submissions","link":"https:\/\/github.com\/advisories\/GHSA-pgxq-p76c-x9cg","cve":"CVE-2026-47266","affectedVersions":"\u003C2.2.21|\u003E=3.0.0,\u003C3.1.26","source":"GitHub","reportedAt":"2026-05-29 22:19:19","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pgxq-p76c-x9cg"}]},{"advisoryId":"PKSA-snft-3cv8-v5p5","packageName":"verbb\/formie","remoteId":"GHSA-x7m9-mwc2-g6w2","title":"Formie: Pre-authenticated server-side template injection in Hidden fields","link":"https:\/\/github.com\/advisories\/GHSA-x7m9-mwc2-g6w2","cve":"CVE-2026-45697","affectedVersions":"\u003C2.2.20|\u003E=3.0.0-beta.1,\u003C3.1.24","source":"GitHub","reportedAt":"2026-05-18 17:23:39","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-x7m9-mwc2-g6w2"}]}],"admidio\/admidio":[{"advisoryId":"PKSA-7hzm-szv2-dny3","packageName":"admidio\/admidio","remoteId":"GHSA-xg76-5qj2-2hhv","title":"Admidio: CSRF in SSO client `enable` action toggles SAML\/OIDC clients without token validation","link":"https:\/\/github.com\/advisories\/GHSA-xg76-5qj2-2hhv","cve":"CVE-2026-47229","affectedVersions":"\u003C=5.0.9","source":"GitHub","reportedAt":"2026-05-29 22:01:58","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-xg76-5qj2-2hhv"}]},{"advisoryId":"PKSA-hs5n-pnrm-d3b9","packageName":"admidio\/admidio","remoteId":"GHSA-q6w3-hpfv-rg36","title":"Admidio: IDOR in documents-files.php allows cross-folder file rename and description changes by unauthorized uploaders","link":"https:\/\/github.com\/advisories\/GHSA-q6w3-hpfv-rg36","cve":"CVE-2026-47230","affectedVersions":"\u003C=5.0.9","source":"GitHub","reportedAt":"2026-05-29 22:05:47","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-q6w3-hpfv-rg36"}]},{"advisoryId":"PKSA-3qmd-8hcr-xs96","packageName":"admidio\/admidio","remoteId":"GHSA-x628-457g-2pw9","title":"Admidio has IDOR in `documents-files.php` `mode=move_save` that lets any folder-uploader exfiltrate files from private folders","link":"https:\/\/github.com\/advisories\/GHSA-x628-457g-2pw9","cve":"CVE-2026-47231","affectedVersions":"\u003C=5.0.9","source":"GitHub","reportedAt":"2026-05-29 22:06:48","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-x628-457g-2pw9"}]},{"advisoryId":"PKSA-94fb-rmqx-1b5r","packageName":"admidio\/admidio","remoteId":"GHSA-4rgq-38mh-9xqg","title":"Admidio PKCS#12 private key export action lacks CSRF protection","link":"https:\/\/github.com\/advisories\/GHSA-4rgq-38mh-9xqg","cve":"CVE-2026-47232","affectedVersions":"\u003C=5.0.9","source":"GitHub","reportedAt":"2026-05-29 22:07:24","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4rgq-38mh-9xqg"}]},{"advisoryId":"PKSA-rcfv-x5hj-zr3k","packageName":"admidio\/admidio","remoteId":"GHSA-mch8-wf3h-6x88","title":"Admidio writes session IDs and auto-login cookie values to application logs","link":"https:\/\/github.com\/advisories\/GHSA-mch8-wf3h-6x88","cve":"CVE-2026-47234","affectedVersions":"\u003C=5.0.9","source":"GitHub","reportedAt":"2026-05-29 22:07:52","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-mch8-wf3h-6x88"}]},{"advisoryId":"PKSA-k742-4y2v-1nnc","packageName":"admidio\/admidio","remoteId":"GHSA-xw54-c3mx-9pm3","title":"Admidio: Any logged-in user can delete inventory fields via `mode=field_delete` \u2014 incomplete fix of #2024","link":"https:\/\/github.com\/advisories\/GHSA-xw54-c3mx-9pm3","cve":"CVE-2026-47233","affectedVersions":"\u003C=5.0.9","source":"GitHub","reportedAt":"2026-05-29 22:09:38","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-xw54-c3mx-9pm3"}]},{"advisoryId":"PKSA-wkrr-fx7h-y1x9","packageName":"admidio\/admidio","remoteId":"GHSA-qc4c-hrmc-4f78","title":"Admidio: Authorization bypass in file_delete enables cross-folder file removal by authenticated users without delete privileges","link":"https:\/\/github.com\/advisories\/GHSA-qc4c-hrmc-4f78","cve":"CVE-2026-47226","affectedVersions":"\u003C=5.0.9","source":"GitHub","reportedAt":"2026-05-29 21:54:09","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-qc4c-hrmc-4f78"}]},{"advisoryId":"PKSA-34vw-5145-vh4w","packageName":"admidio\/admidio","remoteId":"GHSA-rwjr-qjj3-mq2f","title":"Admidio module-administrator can delete or reorder categories owned by other modules via dead authorization check in `modules\/categories.php`","link":"https:\/\/github.com\/advisories\/GHSA-rwjr-qjj3-mq2f","cve":"CVE-2026-47227","affectedVersions":"\u003C=5.0.9","source":"GitHub","reportedAt":"2026-05-29 21:57:05","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-rwjr-qjj3-mq2f"}]},{"advisoryId":"PKSA-z3z8-m2ny-zj6b","packageName":"admidio\/admidio","remoteId":"GHSA-mx25-j3rc-6w2w","title":"Admidio\u0027s CSRF in registration `send_login` mode resets arbitrary user passwords","link":"https:\/\/github.com\/advisories\/GHSA-mx25-j3rc-6w2w","cve":"CVE-2026-47228","affectedVersions":"\u003C=5.0.9","source":"GitHub","reportedAt":"2026-05-29 21:58:44","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-mx25-j3rc-6w2w"}]}],"phanan\/koel":[{"advisoryId":"PKSA-bprq-tfgm-1hd2","packageName":"phanan\/koel","remoteId":"GHSA-7j2f-6h2r-6cqc","title":"Koel Vulnerable to SSRF via Podcast Episode Enclosure URLs","link":"https:\/\/github.com\/advisories\/GHSA-7j2f-6h2r-6cqc","cve":"CVE-2026-47260","affectedVersions":"\u003C=9.3.4","source":"GitHub","reportedAt":"2026-05-29 19:56:06","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-7j2f-6h2r-6cqc"}]}],"ezsystems\/ezpublish-legacy":[{"advisoryId":"PKSA-vrcj-tzjw-khtt","packageName":"ezsystems\/ezpublish-legacy","remoteId":"GHSA-xg9x-h37w-h3r3","title":"ezsystems\/ezpublish-legacy has a SQL injection in dfscleanup","link":"https:\/\/github.com\/advisories\/GHSA-xg9x-h37w-h3r3","cve":"CVE-2026-38739","affectedVersions":"=2019.03","source":"GitHub","reportedAt":"2026-05-29 19:07:38","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xg9x-h37w-h3r3"}]}],"froxlor\/froxlor":[{"advisoryId":"PKSA-vtjk-w45q-7qyz","packageName":"froxlor\/froxlor","remoteId":"GHSA-mq5v-pxpm-8jw2","title":"Froxlor has privilege escalation in SSH key synchronization via symlinked `authorized_keys` path","link":"https:\/\/github.com\/advisories\/GHSA-mq5v-pxpm-8jw2","cve":"CVE-2026-41236","affectedVersions":"=2.3.6","source":"GitHub","reportedAt":"2026-05-29 15:40:23","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-mq5v-pxpm-8jw2"}]},{"advisoryId":"PKSA-sn72-k1q6-w5r5","packageName":"froxlor\/froxlor","remoteId":"GHSA-j6fm-9rfm-j5hx","title":"Froxlor has an incomplete fix for CVE-2026-30932","link":"https:\/\/github.com\/advisories\/GHSA-j6fm-9rfm-j5hx","cve":"CVE-2026-41237","affectedVersions":"\u003C=2.3.6","source":"GitHub","reportedAt":"2026-05-29 15:45:31","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-j6fm-9rfm-j5hx"}]},{"advisoryId":"PKSA-yjh3-nghh-xpft","packageName":"froxlor\/froxlor","remoteId":"GHSA-gcv3-5v9q-fmhh","title":"Froxlor has an authorization bypass in FTP shell assignment via missing server-side `available_shells` enforcement","link":"https:\/\/github.com\/advisories\/GHSA-gcv3-5v9q-fmhh","cve":"CVE-2026-41235","affectedVersions":"=2.3.6","source":"GitHub","reportedAt":"2026-05-29 15:36:26","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-gcv3-5v9q-fmhh"}]}],"symfony\/ux-live-component":[{"advisoryId":"PKSA-kwkg-rq7h-gh18","packageName":"symfony\/ux-live-component","remoteId":"symfony\/ux-live-component\/CVE-2026-49208.yaml","title":"symfony\/ux-live-component Format-less date LiveProps parsed with the permissive DateTime constructor","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-89g7-22c8-3j23","cve":"CVE-2026-49208","affectedVersions":"\u003E=2.8.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-live-component\/CVE-2026-49208.yaml"}]},{"advisoryId":"PKSA-tv34-cfvx-rr9r","packageName":"symfony\/ux-live-component","remoteId":"symfony\/ux-live-component\/CVE-2026-49209.yaml","title":"symfony\/ux-live-component Denial of service via unbounded batch action requests","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-mm82-c99c-h2cf","cve":"CVE-2026-49209","affectedVersions":"\u003E=2.5.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-live-component\/CVE-2026-49209.yaml"}]},{"advisoryId":"PKSA-ks3q-z9y3-61pz","packageName":"symfony\/ux-live-component","remoteId":"symfony\/ux-live-component\/CVE-2026-49215.yaml","title":"symfony\/ux-live-component CSRF Protection Bypass: Accept Header is CORS-Safelisted","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-4m4j-hmqq-3gxm","cve":"CVE-2026-49215","affectedVersions":"\u003E=2.22.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-live-component\/CVE-2026-49215.yaml"}]},{"advisoryId":"PKSA-87hx-5gp4-x12b","packageName":"symfony\/ux-live-component","remoteId":"symfony\/ux-live-component\/CVE-2026-49210.yaml","title":"symfony\/ux-live-component XSS via attacker-controlled child component tag","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-38x5-rcv4-xf7x","cve":"CVE-2026-49210","affectedVersions":"\u003E=2.8.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-live-component\/CVE-2026-49210.yaml"}]},{"advisoryId":"PKSA-wxdb-kw41-yhdy","packageName":"symfony\/ux-live-component","remoteId":"symfony\/ux-live-component\/CVE-2026-49212.yaml","title":"symfony\/ux-live-component LiveComponentHydrator HMAC checksum lacks component and slot binding","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-34w5-c283-j9fg","cve":"CVE-2026-49212","affectedVersions":"\u003E=2.8.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-live-component\/CVE-2026-49212.yaml"}]}],"symfony\/ux-autocomplete":[{"advisoryId":"PKSA-q7f1-2s55-5c1z","packageName":"symfony\/ux-autocomplete","remoteId":"symfony\/ux-autocomplete\/CVE-2026-49216.yaml","title":"symfony\/ux-autocomplete XSS via unescaped AJAX response data","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-mwqm-4fw3-cjvr","cve":"CVE-2026-49216","affectedVersions":"\u003E=2.2.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-autocomplete\/CVE-2026-49216.yaml"}]},{"advisoryId":"PKSA-msh7-gxqk-k56q","packageName":"symfony\/ux-autocomplete","remoteId":"symfony\/ux-autocomplete\/CVE-2026-49211.yaml","title":"symfony\/ux-autocomplete Information exposure via unescaped LIKE wildcards in EntitySearchUtil","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-946h-jp5c-8fvh","cve":"CVE-2026-49211","affectedVersions":"\u003E=2.2.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-autocomplete\/CVE-2026-49211.yaml"}]}],"pimcore\/pimcore":[{"advisoryId":"PKSA-vd5r-2gyh-m6cc","packageName":"pimcore\/pimcore","remoteId":"GHSA-jwcc-gv4m-93x6","title":"Pimcore has a CustomReports Share Bypass","link":"https:\/\/github.com\/advisories\/GHSA-jwcc-gv4m-93x6","cve":"CVE-2026-45704","affectedVersions":"\u003C=12.3.5","source":"GitHub","reportedAt":"2026-05-27 22:34:01","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-jwcc-gv4m-93x6"}]},{"advisoryId":"PKSA-v5bg-33q7-q8zj","packageName":"pimcore\/pimcore","remoteId":"GHSA-332x-r494-54fq","title":"Pimcore has a WordExport Authorization Bypass for Unauthorized Document Export","link":"https:\/\/github.com\/advisories\/GHSA-332x-r494-54fq","cve":"CVE-2026-45703","affectedVersions":"\u003C=12.3.6","source":"GitHub","reportedAt":"2026-05-27 22:27:18","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-332x-r494-54fq"}]},{"advisoryId":"PKSA-y4yc-6g1b-qfqz","packageName":"pimcore\/pimcore","remoteId":"GHSA-wc7j-g8wx-m2qx","title":"Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling","link":"https:\/\/github.com\/advisories\/GHSA-wc7j-g8wx-m2qx","cve":"CVE-2026-45260","affectedVersions":"\u003C=12.3.6","source":"GitHub","reportedAt":"2026-05-27 17:17:18","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-wc7j-g8wx-m2qx"}]},{"advisoryId":"PKSA-882j-k212-wjbf","packageName":"pimcore\/pimcore","remoteId":"GHSA-36fc-7wjg-mfvj","title":"Pimcore has Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction","link":"https:\/\/github.com\/advisories\/GHSA-36fc-7wjg-mfvj","cve":"CVE-2026-45162","affectedVersions":"\u003C=12.3.6","source":"GitHub","reportedAt":"2026-05-27 16:57:04","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-36fc-7wjg-mfvj"}]},{"advisoryId":"PKSA-kp19-xmdp-rvyj","packageName":"pimcore\/pimcore","remoteId":"GHSA-3234-gxc3-pq6f","title":"Pimcore Vulnerable to SQL Injection in Custom Reports Column Configuration","link":"https:\/\/github.com\/advisories\/GHSA-3234-gxc3-pq6f","cve":"CVE-2026-44739","affectedVersions":"\u003C=12.3.5","source":"GitHub","reportedAt":"2026-05-27 00:35:01","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-3234-gxc3-pq6f"}]},{"advisoryId":"PKSA-vp19-ydt7-tws9","packageName":"pimcore\/pimcore","remoteId":"GHSA-r2f4-ff2p-xc64","title":"Pimcore Platform - SQL Injection in DataObject composite index handling during class definition import\/save","link":"https:\/\/github.com\/advisories\/GHSA-r2f4-ff2p-xc64","cve":"CVE-2026-5394","affectedVersions":"\u003C=12.3.6","source":"GitHub","reportedAt":"2026-05-28 20:47:10","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-r2f4-ff2p-xc64"}]}],"automad\/automad":[{"advisoryId":"PKSA-v8bn-6yk2-7qjk","packageName":"automad\/automad","remoteId":"GHSA-xm76-r88j-vm3g","title":"Automad has Broken Access Control: Unauthenticated exposure of administrator bcrypt password hashes and TOTP secrets via public API endpoint","link":"https:\/\/github.com\/advisories\/GHSA-xm76-r88j-vm3g","cve":"CVE-2026-45332","affectedVersions":"\u003E=2.0.0-alpha.1,\u003C=2.0.0-beta.27","source":"GitHub","reportedAt":"2026-05-27 21:32:31","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xm76-r88j-vm3g"}]}],"getkirby\/cms":[{"advisoryId":"PKSA-d956-rcc1-9n2f","packageName":"getkirby\/cms","remoteId":"GHSA-qvjf-922g-pj44","title":"Kirby CMS vulnerable to cross-site scripting (XSS) from links in KirbyTags and image blocks in the site frontend","link":"https:\/\/github.com\/advisories\/GHSA-qvjf-922g-pj44","cve":"CVE-2026-45368","affectedVersions":"\u003E=5.0.0,\u003C=5.4.0|\u003C=4.9.0","source":"GitHub","reportedAt":"2026-05-27 17:42:03","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-qvjf-922g-pj44"}]},{"advisoryId":"PKSA-q7k8-c5gf-pkgc","packageName":"getkirby\/cms","remoteId":"GHSA-39vq-49qm-r2mc","title":"Kirby CMS\u0027s content locks disclose IDs and emails of inaccessible users from `users.access\/list` permissions","link":"https:\/\/github.com\/advisories\/GHSA-39vq-49qm-r2mc","cve":"CVE-2026-45334","affectedVersions":"\u003E=5.0.0,\u003C=5.4.0|\u003C=4.9.0","source":"GitHub","reportedAt":"2026-05-27 17:23:31","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-39vq-49qm-r2mc"}]},{"advisoryId":"PKSA-ycvm-k4m4-tr9m","packageName":"getkirby\/cms","remoteId":"GHSA-2xw4-v2wx-hqq9","title":"Kirby CMS\u0027s `pages.access` permission is not checked during rendering of page drafts","link":"https:\/\/github.com\/advisories\/GHSA-2xw4-v2wx-hqq9","cve":"CVE-2026-44176","affectedVersions":"\u003E=5.0.0,\u003C=5.4.0|\u003C=4.9.0","source":"GitHub","reportedAt":"2026-05-26 23:55:35","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-2xw4-v2wx-hqq9"}]},{"advisoryId":"PKSA-82wy-dsmt-xgpc","packageName":"getkirby\/cms","remoteId":"GHSA-9hx7-c53c-v6x8","title":"Kirby CMS has pre-authentication path traversal and PHP file inclusion during user lookup","link":"https:\/\/github.com\/advisories\/GHSA-9hx7-c53c-v6x8","cve":"CVE-2026-44177","affectedVersions":"\u003E=5.3.0,\u003C=5.4.0","source":"GitHub","reportedAt":"2026-05-26 23:56:40","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-9hx7-c53c-v6x8"}]},{"advisoryId":"PKSA-hhnz-p4k9-sfyd","packageName":"getkirby\/cms","remoteId":"GHSA-86rh-h242-j8xp","title":"Kirby CMS has an Arbitrary Method Call via REST API Search and Collection Query Endpoints","link":"https:\/\/github.com\/advisories\/GHSA-86rh-h242-j8xp","cve":"CVE-2026-44174","affectedVersions":"\u003E=5.0.0,\u003C=5.4.0|\u003C=4.9.0","source":"GitHub","reportedAt":"2026-05-26 23:47:17","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-86rh-h242-j8xp"}]},{"advisoryId":"PKSA-g7d2-4qf5-mg45","packageName":"getkirby\/cms","remoteId":"GHSA-5fhx-9q32-q257","title":"Kirby CMS vulnerable to cross-site scripting (XSS) from list field content in the site frontend","link":"https:\/\/github.com\/advisories\/GHSA-5fhx-9q32-q257","cve":"CVE-2026-44175","affectedVersions":"\u003E=5.0.0,\u003C=5.4.0|\u003C=4.9.0","source":"GitHub","reportedAt":"2026-05-26 23:49:56","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-5fhx-9q32-q257"}]}],"twig\/twig":[{"advisoryId":"PKSA-fbvq-z33h-r2np","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-48808.yaml","title":"Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`","link":"https:\/\/symfony.com\/blog\/cve-2026-48808-sandbox-property-allowlist-bypass-via-the-column-filter-under-sourcepolicyinterface","cve":"CVE-2026-48808","affectedVersions":"\u003E=1.0.0,\u003C2.0.0|\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.27.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-27 15:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-48808.yaml"}]},{"advisoryId":"PKSA-g9zw-qxh8-pq8w","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-48805.yaml","title":"Sandbox state regression in deprecated internal wrappers in `src\/Resources\/core.php`","link":"https:\/\/symfony.com\/blog\/cve-2026-48805-sandbox-state-regression-in-deprecated-internal-wrappers-in-src-resources-core-php","cve":"CVE-2026-48805","affectedVersions":"\u003E=1.0.0,\u003C2.0.0|\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.27.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-27 15:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-48805.yaml"}]},{"advisoryId":"PKSA-yd6k-t2gh-1m43","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-46636.yaml","title":"Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders","link":"https:\/\/symfony.com\/blog\/cve-2026-46636-sandbox-filter-tag-and-function-allow-list-bypass-when-sandbox-state-changes-between-renders","cve":"CVE-2026-46636","affectedVersions":"\u003E=1.0.0,\u003C2.0.0|\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.27.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-27 15:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-46636.yaml"}]},{"advisoryId":"PKSA-1tmc-rt7x-12w6","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-48806.yaml","title":"Sandbox `__toString()` policy bypass via dynamic mapping keys","link":"https:\/\/symfony.com\/blog\/cve-2026-48806-sandbox-tostring-policy-bypass-via-dynamic-mapping-keys","cve":"CVE-2026-48806","affectedVersions":"\u003E=1.0.0,\u003C2.0.0|\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.27.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-27 15:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-48806.yaml"}]},{"advisoryId":"PKSA-xx6c-6d96-db2w","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-48807.yaml","title":"Sandbox `__toString()` policy bypass via `Traversable` in `join`\/`replace` and `in`\/`not in` operators","link":"https:\/\/symfony.com\/blog\/cve-2026-48807-sandbox-tostring-policy-bypass-via-traversable-in-join-replace-and-in-not-in-operators","cve":"CVE-2026-48807","affectedVersions":"\u003E=1.0.0,\u003C2.0.0|\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.27.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-27 15:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-48807.yaml"}]},{"advisoryId":"PKSA-5k7f-wvjj-jrgw","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-46640.yaml","title":"Arbitrary PHP code execution via `_self.(\u003Cstring\u003E)` macro-reference compilation","link":"https:\/\/symfony.com\/cve-2026-46640","cve":"CVE-2026-46640","affectedVersions":"\u003E=3.15.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-45vw-wh46-2vx8"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-46640.yaml"}]},{"advisoryId":"PKSA-sjvz-tbbr-vwth","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-46628.yaml","title":"The `spaceless` filter implicitly marks its output as safe","link":"https:\/\/symfony.com\/cve-2026-46628","cve":"CVE-2026-46628","affectedVersions":"\u003E=1.0.0,\u003C2.0.0|\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-4j38-f5cw-54h7"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-46628.yaml"}]},{"advisoryId":"PKSA-h8hf-ytnd-5t9q","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-46633.yaml","title":"PHP code injection via `{% use %}` template name","link":"https:\/\/symfony.com\/cve-2026-46633","cve":"CVE-2026-46633","affectedVersions":"\u003E=1.0.0,\u003C2.0.0|\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-7p85-w9px-jpjp"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-46633.yaml"}]},{"advisoryId":"PKSA-wwb1-81rc-pd65","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-47730.yaml","title":"XSS in profiler HtmlDumper via unescaped template and profile names","link":"https:\/\/symfony.com\/cve-2026-47730","cve":"CVE-2026-47730","affectedVersions":"\u003E=3.0.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-47730.yaml"}]},{"advisoryId":"PKSA-hgmw-wn4d-hpcy","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-46639.yaml","title":"Sandbox property and method bypass via object-destructuring assignment","link":"https:\/\/symfony.com\/cve-2026-46639","cve":"CVE-2026-46639","affectedVersions":"\u003E=3.24.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-mm6w-gr99-p3jj"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-46639.yaml"}]},{"advisoryId":"PKSA-kvv6-36cr-fkzb","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-46627.yaml","title":"Sandbox does not protect against resource exhaustion","link":"https:\/\/symfony.com\/cve-2026-46627","cve":"CVE-2026-46627","affectedVersions":"\u003E=1.0.0,\u003C2.0.0|\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-46627.yaml"}]},{"advisoryId":"PKSA-n14z-jjjg-g8vd","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-46635.yaml","title":"Sandbox property allowlist bypass via the `column` filter (array_column on objects)","link":"https:\/\/symfony.com\/cve-2026-46635","cve":"CVE-2026-46635","affectedVersions":"\u003E=1.0.0,\u003C2.0.0|\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-vcc8-phrv-43wj"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-46635.yaml"}]},{"advisoryId":"PKSA-3mcc-k66d-pydb","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-46638.yaml","title":"`{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411)","link":"https:\/\/symfony.com\/cve-2026-46638","cve":"CVE-2026-46638","affectedVersions":"\u003E=1.0.0,\u003C2.0.0|\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-7fxw-r6jv-74c8"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-46638.yaml"}]},{"advisoryId":"PKSA-gw7n-z4yx-7xjt","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-24425.yaml","title":"Possible sandbox bypass when using a source policy","link":"https:\/\/symfony.com\/cve-2026-24425","cve":"CVE-2026-24425","affectedVersions":"\u003E=2.16.0,\u003C3.0.0|\u003E=3.9.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-24425.yaml"}]},{"advisoryId":"PKSA-dpx1-78wg-1kqs","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-47732.yaml","title":"Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points","link":"https:\/\/symfony.com\/cve-2026-47732","cve":"CVE-2026-47732","affectedVersions":"\u003E=1.0.0,\u003C2.0.0|\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-47732.yaml"}]},{"advisoryId":"PKSA-21g2-dzjv-sky5","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-46634.yaml","title":"`template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name","link":"https:\/\/symfony.com\/cve-2026-46634","cve":"CVE-2026-46634","affectedVersions":"\u003E=3.9.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-24x9-r6q4-q93w"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-46634.yaml"}]}],"symfony\/mailomat-mailer":[{"advisoryId":"PKSA-9y9v-rcsm-h82j","packageName":"symfony\/mailomat-mailer","remoteId":"symfony\/mailomat-mailer\/CVE-2026-48747.yaml","title":"CVE-2026-48747: Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade","link":"https:\/\/symfony.com\/cve-2026-48747","cve":"CVE-2026-48747","affectedVersions":"\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/mailomat-mailer\/CVE-2026-48747.yaml"}]}],"symfony\/http-foundation":[{"advisoryId":"PKSA-y6py-qpv1-h52p","packageName":"symfony\/http-foundation","remoteId":"symfony\/http-foundation\/CVE-2026-48736.yaml","title":"CVE-2026-48736: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient","link":"https:\/\/symfony.com\/cve-2026-48736","cve":"CVE-2026-48736","affectedVersions":"\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/http-foundation\/CVE-2026-48736.yaml"}]}],"symfony\/symfony":[{"advisoryId":"PKSA-bd71-n14y-wh1d","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-48736.yaml","title":"CVE-2026-48736: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient","link":"https:\/\/symfony.com\/cve-2026-48736","cve":"CVE-2026-48736","affectedVersions":"\u003E=5.4.0,\u003C5.4.53|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-48736.yaml"}]},{"advisoryId":"PKSA-qpkt-z1gq-qf6m","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-48761.yaml","title":"CVE-2026-48761: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes on \u003Cobject\u003E, \u003Capplet\u003E, \u003Ciframe\u003E, \u003Cimg\u003E and the URL Inside \u003Cmeta http-equiv=\u0022refresh\u0022\u003E content","link":"https:\/\/symfony.com\/cve-2026-48761","cve":"CVE-2026-48761","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-48761.yaml"}]},{"advisoryId":"PKSA-nshj-ydrr-y3c1","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-48784.yaml","title":"CVE-2026-48784: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `..\/` or `.\/` \u2192 Generated URL Collapses Off-Route Under RFC 3986 Normalization","link":"https:\/\/symfony.com\/cve-2026-48784","cve":"CVE-2026-48784","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.53|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-48784.yaml"}]},{"advisoryId":"PKSA-v1cq-8qyb-2p5n","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-48747.yaml","title":"CVE-2026-48747: Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade","link":"https:\/\/symfony.com\/cve-2026-48747","cve":"CVE-2026-48747","affectedVersions":"\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-48747.yaml"}]},{"advisoryId":"PKSA-gc1j-s49p-r1kv","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-48760.yaml","title":"CVE-2026-48760: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense","link":"https:\/\/symfony.com\/cve-2026-48760","cve":"CVE-2026-48760","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-48760.yaml"}]},{"advisoryId":"PKSA-pjp2-q1z1-mmvn","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-48489.yaml","title":"CVE-2026-48489: Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET Routes","link":"https:\/\/symfony.com\/cve-2026-48489","cve":"CVE-2026-48489","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.53|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-48489.yaml"}]},{"advisoryId":"PKSA-2zh8-n335-x575","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45304.yaml","title":"CVE-2026-45304: YAML Parser Exponential Memory Allocation via Recursive Collection-Alias Expansion (\u0022Billion Laughs\u0022)","link":"https:\/\/symfony.com\/cve-2026-45304","cve":"CVE-2026-45304","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-4qpc-3hr4-r2p4"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45304.yaml"}]},{"advisoryId":"PKSA-9sj3-tcvg-s7g4","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45068.yaml","title":"CVE-2026-45068: Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address","link":"https:\/\/symfony.com\/cve-2026-45068","cve":"CVE-2026-45068","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-xx3c-qf5g-hc39"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45068.yaml"}]},{"advisoryId":"PKSA-qgpb-b2wz-rty6","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45070.yaml","title":"CVE-2026-45070: Email Header Injection via Non-Token Characters in Mime Parameter Names","link":"https:\/\/symfony.com\/cve-2026-45070","cve":"CVE-2026-45070","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-vqc8-7275-q272"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45070.yaml"}]},{"advisoryId":"PKSA-j6yc-z95h-xyjq","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45305.yaml","title":"CVE-2026-45305: YAML Parser ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex","link":"https:\/\/symfony.com\/cve-2026-45305","cve":"CVE-2026-45305","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-9frc-8383-795m"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45305.yaml"}]},{"advisoryId":"PKSA-kp1y-8sfh-4r87","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45753.yaml","title":"CVE-2026-45753: HtmlSanitizer UrlAttributeSanitizer Omits action\/formaction\/poster\/cite: javascript: URI Survives Sanitization (XSS)","link":"https:\/\/symfony.com\/cve-2026-45753","cve":"CVE-2026-45753","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-hhg7-c65m-h7ff"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45753.yaml"}]},{"advisoryId":"PKSA-9ss4-yr44-h3bt","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45071.yaml","title":"CVE-2026-45071: XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true","link":"https:\/\/symfony.com\/cve-2026-45071","cve":"CVE-2026-45071","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-x6g4-fwcc-jj8w"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45071.yaml"}]},{"advisoryId":"PKSA-3ds8-wrg2-pjdq","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45754.yaml","title":"CVE-2026-45754: Mailjet Mailer and LOX24 Notifier Webhook Parsers Never Verify the Configured Secret: Unauthenticated Webhook Event Injection","link":"https:\/\/symfony.com\/cve-2026-45754","cve":"CVE-2026-45754","affectedVersions":"\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-64hg-93w9-fc35"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45754.yaml"}]},{"advisoryId":"PKSA-rgzg-p3v4-grbh","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-47212.yaml","title":"CVE-2026-47212: Twilio Notifier Webhook Parser Never Verifies the X-Twilio-Signature HMAC: Unauthenticated Webhook Event Injection","link":"https:\/\/symfony.com\/cve-2026-47212","cve":"CVE-2026-47212","affectedVersions":"\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-55rj-x2vc-4whq"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-47212.yaml"}]},{"advisoryId":"PKSA-94ry-294g-7bbc","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45756.yaml","title":"CVE-2026-45756: JsonPath Evaluates Attacker-Controlled Regular Expressions in match()\/search() Without Limits: ReDoS","link":"https:\/\/symfony.com\/cve-2026-45756","cve":"CVE-2026-45756","affectedVersions":"\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-8v8v-g73j-492j"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45756.yaml"}]},{"advisoryId":"PKSA-13hy-qbkf-1ty7","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45077.yaml","title":"CVE-2026-45077: Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener","link":"https:\/\/symfony.com\/cve-2026-45077","cve":"CVE-2026-45077","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-m7v2-7gxm-vc2v"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45077.yaml"}]},{"advisoryId":"PKSA-7tp5-63ss-rycr","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45069.yaml","title":"CVE-2026-45069: OidcTokenHandler Accepts JWTs Missing aud\/iss\/exp Claims","link":"https:\/\/symfony.com\/cve-2026-45069","cve":"CVE-2026-45069","affectedVersions":"\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-29fc-p6c4-24cg"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45069.yaml"}]},{"advisoryId":"PKSA-29h7-kzb3-pdfy","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45073.yaml","title":"CVE-2026-45073: SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix","link":"https:\/\/symfony.com\/cve-2026-45073","cve":"CVE-2026-45073","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6qh9-h6wf-jgqc"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45073.yaml"}]},{"advisoryId":"PKSA-vty3-cvqg-rtn4","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45066.yaml","title":"CVE-2026-45066: HtmlSanitizer allowLinkHosts() \/ allowMediaHosts() Bypass via URL-Parser Differentials and \u003Carea\u003E Misclassification","link":"https:\/\/symfony.com\/cve-2026-45066","cve":"CVE-2026-45066","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-qc95-4862-92fh"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45066.yaml"}]},{"advisoryId":"PKSA-t5z9-jvfg-zqhb","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45064.yaml","title":"CVE-2026-45064: HtmlSanitizer URL Attributes Pass Through BiDi Override Characters \u2192 Visual href Spoofing","link":"https:\/\/symfony.com\/cve-2026-45064","cve":"CVE-2026-45064","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-h5vq-qfcg-4m6p"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45064.yaml"}]},{"advisoryId":"PKSA-1jhn-nv8n-vjk2","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45755.yaml","title":"CVE-2026-45755: Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC: Unauthenticated Webhook Event Injection","link":"https:\/\/symfony.com\/cve-2026-45755","cve":"CVE-2026-45755","affectedVersions":"\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-59f3-vp2f-mp9w"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45755.yaml"}]},{"advisoryId":"PKSA-wyg9-y12c-3kdv","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45063.yaml","title":"CVE-2026-45063: Identity Spoofing via Unanchored DN Regex in X509Authenticator","link":"https:\/\/symfony.com\/cve-2026-45063","cve":"CVE-2026-45063","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-ph86-p8f6-f9r2"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45063.yaml"}]},{"advisoryId":"PKSA-3f27-q682-kfn9","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45065.yaml","title":"CVE-2026-45065: UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation \u2192 Off-Site \/\/host URL Injection","link":"https:\/\/symfony.com\/cve-2026-45065","cve":"CVE-2026-45065","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-72xp-p242-47p9"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45065.yaml"}]},{"advisoryId":"PKSA-92n4-ftnd-xj82","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-46626.yaml","title":"CVE-2026-46626: SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV\/APP_DEBUG via parse_str\/SAPI Argv Mismatch","link":"https:\/\/symfony.com\/cve-2026-46626","cve":"CVE-2026-46626","affectedVersions":"\u003E=5.4.46,\u003C5.4.52|\u003E=6.4.14,\u003C6.4.40|\u003E=7.1.7,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-46626.yaml"}]},{"advisoryId":"PKSA-z2fd-3m4y-rrss","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45067.yaml","title":"CVE-2026-45067: Email Header \/ SMTP Command Injection via CRLF in Symfony\\Component\\Mime\\Address","link":"https:\/\/symfony.com\/cve-2026-45067","cve":"CVE-2026-45067","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-qpmx-3rfj-7rhv"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45067.yaml"}]},{"advisoryId":"PKSA-mbth-mcd4-2tr8","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45074.yaml","title":"CVE-2026-45074: Cas2Handler Derives CAS service URL from Client Host Header \u2192 Cross-Service Ticket Replay","link":"https:\/\/symfony.com\/cve-2026-45074","cve":"CVE-2026-45074","affectedVersions":"\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-j8gj-9rm5-4xhx"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45074.yaml"}]},{"advisoryId":"PKSA-wps4-zyhx-xws4","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45133.yaml","title":"CVE-2026-45133: YAML Parser Stack Exhaustion via Unbounded Recursion in Nested Blocks, Sequences, and Mappings","link":"https:\/\/symfony.com\/cve-2026-45133","cve":"CVE-2026-45133","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-c2p3-7m5p-cv8x"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45133.yaml"}]},{"advisoryId":"PKSA-smg5-pq2q-kjkh","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45072.yaml","title":"CVE-2026-45072: Stored XSS in WebProfiler CodeExtension::fileExcerpt(): Unescaped Non-PHP File Rendering","link":"https:\/\/symfony.com\/cve-2026-45072","cve":"CVE-2026-45072","affectedVersions":"\u003E=6.4.24,\u003C6.4.40|\u003E=7.2.9,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-hmr5-2xcr-v8pp"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45072.yaml"}]},{"advisoryId":"PKSA-xxm6-3p32-rqz7","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45075.yaml","title":"CVE-2026-45075: HEAD Request Bypasses methods: [\u0027GET\u0027] Filter in #[IsGranted] \/ #[IsSignatureValid] \/ #[IsCsrfTokenValid]","link":"https:\/\/symfony.com\/cve-2026-45075","cve":"CVE-2026-45075","affectedVersions":"\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6439-2f28-8p8q"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45075.yaml"}]}],"symfony\/security-http":[{"advisoryId":"PKSA-c28x-6bj5-8spx","packageName":"symfony\/security-http","remoteId":"symfony\/security-http\/CVE-2026-48489.yaml","title":"CVE-2026-48489: Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET Routes","link":"https:\/\/symfony.com\/cve-2026-48489","cve":"CVE-2026-48489","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.53|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/security-http\/CVE-2026-48489.yaml"}]},{"advisoryId":"PKSA-jzjr-4n2h-knvd","packageName":"symfony\/security-http","remoteId":"symfony\/security-http\/CVE-2026-45069.yaml","title":"CVE-2026-45069: OidcTokenHandler Accepts JWTs Missing aud\/iss\/exp Claims","link":"https:\/\/symfony.com\/cve-2026-45069","cve":"CVE-2026-45069","affectedVersions":"\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-29fc-p6c4-24cg"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/security-http\/CVE-2026-45069.yaml"}]},{"advisoryId":"PKSA-tbsf-h7vc-j7hn","packageName":"symfony\/security-http","remoteId":"symfony\/security-http\/CVE-2026-45063.yaml","title":"CVE-2026-45063: Identity Spoofing via Unanchored DN Regex in X509Authenticator","link":"https:\/\/symfony.com\/cve-2026-45063","cve":"CVE-2026-45063","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-ph86-p8f6-f9r2"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/security-http\/CVE-2026-45063.yaml"}]},{"advisoryId":"PKSA-5df2-zpfk-xgsv","packageName":"symfony\/security-http","remoteId":"symfony\/security-http\/CVE-2026-45074.yaml","title":"CVE-2026-45074: Cas2Handler Derives CAS service URL from Client Host Header \u2192 Cross-Service Ticket Replay","link":"https:\/\/symfony.com\/cve-2026-45074","cve":"CVE-2026-45074","affectedVersions":"\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-j8gj-9rm5-4xhx"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/security-http\/CVE-2026-45074.yaml"}]},{"advisoryId":"PKSA-4tmc-tz3m-9xpb","packageName":"symfony\/security-http","remoteId":"symfony\/security-http\/CVE-2026-45075.yaml","title":"CVE-2026-45075: HEAD Request Bypasses methods: [\u0027GET\u0027] Filter in #[IsGranted] \/ #[IsSignatureValid] \/ #[IsCsrfTokenValid]","link":"https:\/\/symfony.com\/cve-2026-45075","cve":"CVE-2026-45075","affectedVersions":"\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6439-2f28-8p8q"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/security-http\/CVE-2026-45075.yaml"}]}],"symfony\/http-client":[{"advisoryId":"PKSA-35by-yxtt-jc85","packageName":"symfony\/http-client","remoteId":"symfony\/http-client\/CVE-2026-48736.yaml","title":"CVE-2026-48736: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient","link":"https:\/\/symfony.com\/cve-2026-48736","cve":"CVE-2026-48736","affectedVersions":"\u003E=5.4.0,\u003C5.4.53","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/http-client\/CVE-2026-48736.yaml"}]}],"symfony\/routing":[{"advisoryId":"PKSA-bf7t-jnpz-492k","packageName":"symfony\/routing","remoteId":"symfony\/routing\/CVE-2026-48784.yaml","title":"CVE-2026-48784: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `..\/` or `.\/` \u2192 Generated URL Collapses Off-Route Under RFC 3986 Normalization","link":"https:\/\/symfony.com\/cve-2026-48784","cve":"CVE-2026-48784","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.53|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/routing\/CVE-2026-48784.yaml"}]},{"advisoryId":"PKSA-yc7t-91v9-99xs","packageName":"symfony\/routing","remoteId":"symfony\/routing\/CVE-2026-45065.yaml","title":"CVE-2026-45065: UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation \u2192 Off-Site \/\/host URL Injection","link":"https:\/\/symfony.com\/cve-2026-45065","cve":"CVE-2026-45065","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-72xp-p242-47p9"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/routing\/CVE-2026-45065.yaml"}]}],"symfony\/html-sanitizer":[{"advisoryId":"PKSA-3d8r-4bff-vcj1","packageName":"symfony\/html-sanitizer","remoteId":"symfony\/html-sanitizer\/CVE-2026-48761.yaml","title":"CVE-2026-48761: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes on \u003Cobject\u003E, \u003Capplet\u003E, \u003Ciframe\u003E, \u003Cimg\u003E and the URL Inside \u003Cmeta http-equiv=\u0022refresh\u0022\u003E content","link":"https:\/\/symfony.com\/cve-2026-48761","cve":"CVE-2026-48761","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/html-sanitizer\/CVE-2026-48761.yaml"}]},{"advisoryId":"PKSA-bvdf-tk8n-sbsf","packageName":"symfony\/html-sanitizer","remoteId":"symfony\/html-sanitizer\/CVE-2026-48760.yaml","title":"CVE-2026-48760: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense","link":"https:\/\/symfony.com\/cve-2026-48760","cve":"CVE-2026-48760","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/html-sanitizer\/CVE-2026-48760.yaml"}]},{"advisoryId":"PKSA-q2wy-m7mz-kg58","packageName":"symfony\/html-sanitizer","remoteId":"symfony\/html-sanitizer\/CVE-2026-45753.yaml","title":"CVE-2026-45753: HtmlSanitizer UrlAttributeSanitizer Omits action\/formaction\/poster\/cite: javascript: URI Survives Sanitization (XSS)","link":"https:\/\/symfony.com\/cve-2026-45753","cve":"CVE-2026-45753","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-hhg7-c65m-h7ff"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/html-sanitizer\/CVE-2026-45753.yaml"}]},{"advisoryId":"PKSA-jwvg-gphd-brbz","packageName":"symfony\/html-sanitizer","remoteId":"symfony\/html-sanitizer\/CVE-2026-45066.yaml","title":"CVE-2026-45066: HtmlSanitizer allowLinkHosts() \/ allowMediaHosts() Bypass via URL-Parser Differentials and \u003Carea\u003E Misclassification","link":"https:\/\/symfony.com\/cve-2026-45066","cve":"CVE-2026-45066","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-qc95-4862-92fh"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/html-sanitizer\/CVE-2026-45066.yaml"}]},{"advisoryId":"PKSA-4fc7-y875-17k3","packageName":"symfony\/html-sanitizer","remoteId":"symfony\/html-sanitizer\/CVE-2026-45064.yaml","title":"CVE-2026-45064: HtmlSanitizer URL Attributes Pass Through BiDi Override Characters \u2192 Visual href Spoofing","link":"https:\/\/symfony.com\/cve-2026-45064","cve":"CVE-2026-45064","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-h5vq-qfcg-4m6p"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/html-sanitizer\/CVE-2026-45064.yaml"}]}],"spatie\/schema-org":[{"advisoryId":"PKSA-6mmh-w4kg-c2xp","packageName":"spatie\/schema-org","remoteId":"spatie\/schema-org\/2026-04-20.yaml","title":"Cross-site scripting (XSS) via script break-out in toScript() output","link":"https:\/\/github.com\/spatie\/schema-org\/releases\/tag\/4.0.2","cve":null,"affectedVersions":"\u003E=3.23.1,\u003C4.0.2","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-04-20 00:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"spatie\/schema-org\/2026-04-20.yaml"}]}],"pimcore\/admin-ui-classic-bundle":[{"advisoryId":"PKSA-v29g-sqpm-mznn","packageName":"pimcore\/admin-ui-classic-bundle","remoteId":"GHSA-h4ph-crvj-9h92","title":"Pimcore Admin Classic Bundle Vulnerable to SQL Injection in Translation Grid Date Filter via Unsanitized Property Parameter","link":"https:\/\/github.com\/advisories\/GHSA-h4ph-crvj-9h92","cve":"CVE-2026-44741","affectedVersions":"\u003C=2.3.5","source":"GitHub","reportedAt":"2026-05-27 00:35:56","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-h4ph-crvj-9h92"}]}],"pterodactyl\/panel":[{"advisoryId":"PKSA-d16c-6bkx-pfvs","packageName":"pterodactyl\/panel","remoteId":"GHSA-fgmm-w5cx-vrfw","title":"Pterodactyl has a database resource limit bypass via race condition in Client API","link":"https:\/\/github.com\/advisories\/GHSA-fgmm-w5cx-vrfw","cve":"CVE-2026-35202","affectedVersions":"\u003C1.12.3","source":"GitHub","reportedAt":"2026-05-26 19:30:02","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-fgmm-w5cx-vrfw"}]}],"symfony\/polyfill":[{"advisoryId":"PKSA-df53-cqz9-c3zn","packageName":"symfony\/polyfill","remoteId":"symfony\/polyfill\/CVE-2026-46644.yaml","title":"CVE-2026-46644: symfony\/polyfill-intl-idn accepts xn-- labels whose Punycode payload decodes to ASCII-only: insecure equivalence","link":"https:\/\/symfony.com\/cve-2026-46644","cve":"CVE-2026-46644","affectedVersions":"\u003E=1.17.1,\u003C1.38.1","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-2xf4-cg6j-vhgq"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/polyfill\/CVE-2026-46644.yaml"}]}],"symfony\/polyfill-intl-idn":[{"advisoryId":"PKSA-dwsq-ppd2-mb1x","packageName":"symfony\/polyfill-intl-idn","remoteId":"symfony\/polyfill-intl-idn\/CVE-2026-46644.yaml","title":"CVE-2026-46644: symfony\/polyfill-intl-idn accepts xn-- labels whose Punycode payload decodes to ASCII-only: insecure equivalence","link":"https:\/\/symfony.com\/cve-2026-46644","cve":"CVE-2026-46644","affectedVersions":"\u003E=1.17.1,\u003C1.38.1","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-2xf4-cg6j-vhgq"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/polyfill-intl-idn\/CVE-2026-46644.yaml"}]}],"evoweb\/sf-register":[{"advisoryId":"PKSA-1gw5-qx8s-xyvr","packageName":"evoweb\/sf-register","remoteId":"evoweb\/sf-register\/CVE-2026-46721.yaml","title":"TYPO3-EXT-SA-2026-009: Broken Access Control in extension \u0022Frontend User Registration\u0022 (sf_register)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2026-009","cve":"CVE-2026-46721","affectedVersions":"\u003E=14.0.0,\u003C14.0.2|\u003C13.2.4","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-18 16:40:54","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"evoweb\/sf-register\/CVE-2026-46721.yaml"}]}],"tpwd\/ke_search":[{"advisoryId":"PKSA-cy57-p12b-t759","packageName":"tpwd\/ke_search","remoteId":"tpwd\/ke_search\/CVE-2026-46722.yaml","title":"TYPO3-EXT-SA-2026-011: XML External Entity Injection in extension \u0022Faceted Search\u0022 (ke_search)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2026-011","cve":"CVE-2026-46722","affectedVersions":"\u003E=7.0.0,\u003C7.0.1|\u003E=6.0.0,\u003C6.6.1|\u003C5.6.2","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-18 14:30:45","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"tpwd\/ke_search\/CVE-2026-46722.yaml"}]},{"advisoryId":"PKSA-ybqg-nm5d-my8d","packageName":"tpwd\/ke_search","remoteId":"tpwd\/ke_search\/CVE-2026-46724.yaml","title":"TYPO3-EXT-SA-2026-011: Information Disclosure in extension \u0022Faceted Search\u0022 (ke_search)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2026-011","cve":"CVE-2026-46724","affectedVersions":"\u003E=7.0.0,\u003C7.0.1|\u003E=6.0.0,\u003C6.6.1|\u003C5.6.2","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-18 14:30:45","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"tpwd\/ke_search\/CVE-2026-46724.yaml"}]},{"advisoryId":"PKSA-pb46-78nq-81hw","packageName":"tpwd\/ke_search","remoteId":"tpwd\/ke_search\/CVE-2026-46723.yaml","title":"TYPO3-EXT-SA-2026-011: Path Traversal in extension \u0022Faceted Search\u0022 (ke_search)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2026-011","cve":"CVE-2026-46723","affectedVersions":"\u003E=7.0.0,\u003C7.0.1|\u003E=6.0.0,\u003C6.6.1|\u003C5.6.2","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-18 14:30:45","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"tpwd\/ke_search\/CVE-2026-46723.yaml"}]}],"mmc\/ceselector":[{"advisoryId":"PKSA-kfm7-j6tb-2qn9","packageName":"mmc\/ceselector","remoteId":"mmc\/ceselector\/CVE-2026-46725.yaml","title":"TYPO3-EXT-SA-2026-013: Remote Code Execution in extension \u0022Content Element Selector\u0022 (ceselector)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2026-013","cve":"CVE-2026-46725","affectedVersions":"\u003E=6.0.0,\u003C6.0.1|\u003E=5.0.0,\u003C5.0.1|\u003E=4.0.0,\u003C4.0.2|\u003C3.0.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-04-07 10:50:50","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"mmc\/ceselector\/CVE-2026-46725.yaml"}]}],"friendsoftypo3\/tt-address":[{"advisoryId":"PKSA-s9h4-6qfr-k554","packageName":"friendsoftypo3\/tt-address","remoteId":"friendsoftypo3\/tt-address\/CVE-2026-8827.yaml","title":"TYPO3-EXT-SA-2026-012: SQL Injection in extension \u0022Address List\u0022 (tt_address)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2026-012","cve":"CVE-2026-8827","affectedVersions":"\u003E=10.0.0,\u003C10.0.1|\u003E=9.0.0,\u003C9.1.1|\u003C8.1.2","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-18 15:13:22","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"friendsoftypo3\/tt-address\/CVE-2026-8827.yaml"}]}],"tomasnorre\/crawler":[{"advisoryId":"PKSA-bt63-cwpy-49h9","packageName":"tomasnorre\/crawler","remoteId":"tomasnorre\/crawler\/CVE-2026-8727.yaml","title":"TYPO3-EXT-SA-2026-008: Remote Code Execution in extension \u0022Site Crawler\u0022 (crawler)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2026-008","cve":"CVE-2026-8727","affectedVersions":"\u003E=12.0.0,\u003C12.0.11|\u003C11.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-11 19:18:44","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"tomasnorre\/crawler\/CVE-2026-8727.yaml"}]}],"yeswiki\/yeswiki":[{"advisoryId":"PKSA-2myt-jw5p-f7jn","packageName":"yeswiki\/yeswiki","remoteId":"GHSA-jwvv-qr7q-cv8j","title":"YesWiki: Unauthenticated SQL Injection","link":"https:\/\/github.com\/advisories\/GHSA-jwvv-qr7q-cv8j","cve":"CVE-2026-46670","affectedVersions":"\u003C4.6.4","source":"GitHub","reportedAt":"2026-05-22 15:39:07","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-jwvv-qr7q-cv8j"}]}],"thorsten\/phpmyfaq":[{"advisoryId":"PKSA-ybf5-231k-fw57","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-wj3q-vw2v-3rj3","title":"phpMyFAQ: SVG Sanitizer Entity Decoding Depth Limit Bypass Leading to Stored XSS","link":"https:\/\/github.com\/advisories\/GHSA-wj3q-vw2v-3rj3","cve":"CVE-2026-46360","affectedVersions":"\u003C4.1.2","source":"GitHub","reportedAt":"2026-05-15 21:31:32","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-wj3q-vw2v-3rj3"}]},{"advisoryId":"PKSA-r4h3-pdnk-t517","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-h36g-93qx-rxgr","title":"phpMyFAQ: Stored XSS in FAQ Question\/Answer via Encode-Decode Bypass of removeAttributes() Sanitization","link":"https:\/\/github.com\/advisories\/GHSA-h36g-93qx-rxgr","cve":"CVE-2026-46363","affectedVersions":"\u003C4.1.2","source":"GitHub","reportedAt":"2026-05-15 21:31:32","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-h36g-93qx-rxgr"}]},{"advisoryId":"PKSA-bgqy-s1r8-zchm","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-5h62-f8fg-4w7q","title":"phpMyFAQ: Missing Authorization on Tag Deletion Allows Any Authenticated User to Delete Tags","link":"https:\/\/github.com\/advisories\/GHSA-5h62-f8fg-4w7q","cve":"CVE-2026-46365","affectedVersions":"\u003C4.1.2","source":"GitHub","reportedAt":"2026-05-15 21:31:32","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-5h62-f8fg-4w7q"}]},{"advisoryId":"PKSA-bdr6-q3mq-xh2p","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-9r8r-x3vg-6xh4","title":"phpMyFAQ: Ordinary Authenticated User Can Access Admin-Only API Endpoints Due to Insufficient Authorization Check","link":"https:\/\/github.com\/advisories\/GHSA-9r8r-x3vg-6xh4","cve":"CVE-2026-45009","affectedVersions":"\u003C4.1.2","source":"GitHub","reportedAt":"2026-05-15 21:31:32","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-9r8r-x3vg-6xh4"}]},{"advisoryId":"PKSA-64xv-jbdm-pg2q","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-9qv9-8xv6-5p35","title":"phpMyFAQ: Unauthenticated Password Reset Endpoint Allows User Enumeration and Forced Password Change Without Token Validation","link":"https:\/\/github.com\/advisories\/GHSA-9qv9-8xv6-5p35","cve":"CVE-2026-35676","affectedVersions":"\u003C4.1.3","source":"GitHub","reportedAt":"2026-05-20 15:45:53","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-9qv9-8xv6-5p35"}]},{"advisoryId":"PKSA-ttcw-fg74-jv2w","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-xvp4-phqj-cjr3","title":"phpMyFAQ: IDOR Account Takeover ","link":"https:\/\/github.com\/advisories\/GHSA-xvp4-phqj-cjr3","cve":"CVE-2026-35671","affectedVersions":"\u003C4.1.3","source":"GitHub","reportedAt":"2026-05-20 15:46:17","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xvp4-phqj-cjr3"}]},{"advisoryId":"PKSA-jk8b-rmby-gztg","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-gp95-j463-vv28","title":"phpMyFAQ: Default Empty API Token Authentication Bypass","link":"https:\/\/github.com\/advisories\/GHSA-gp95-j463-vv28","cve":"CVE-2026-35672","affectedVersions":"\u003C=4.1.2","source":"GitHub","reportedAt":"2026-05-20 15:46:42","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-gp95-j463-vv28"}]},{"advisoryId":"PKSA-x1b3-f9q9-1brm","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-w9xh-5f39-vq89","title":"phpMyFAQ: Missing Password Reset Token Allows Account Takeover via Username\/Email Enumeration","link":"https:\/\/github.com\/advisories\/GHSA-w9xh-5f39-vq89","cve":"CVE-2026-35675","affectedVersions":"\u003C4.1.3","source":"GitHub","reportedAt":"2026-05-20 15:46:55","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-w9xh-5f39-vq89"}]}],"phpmyfaq\/phpmyfaq":[{"advisoryId":"PKSA-1str-48zy-4tqs","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-rmqr-h98c-qg2m","title":"phpMyFAQ: Path traversal in Client::deleteClientFolder enables arbitrary directory deletion by non-super-admin admins","link":"https:\/\/github.com\/advisories\/GHSA-rmqr-h98c-qg2m","cve":"CVE-2026-45008","affectedVersions":"\u003C4.1.2","source":"GitHub","reportedAt":"2026-05-15 21:31:32","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-rmqr-h98c-qg2m"}]},{"advisoryId":"PKSA-148m-3rtw-sjhw","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-wj3q-vw2v-3rj3","title":"phpMyFAQ: SVG Sanitizer Entity Decoding Depth Limit Bypass Leading to Stored XSS","link":"https:\/\/github.com\/advisories\/GHSA-wj3q-vw2v-3rj3","cve":"CVE-2026-46360","affectedVersions":"\u003C4.1.2","source":"GitHub","reportedAt":"2026-05-15 21:31:32","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-wj3q-vw2v-3rj3"}]},{"advisoryId":"PKSA-s9c3-zvvd-d3x2","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-h36g-93qx-rxgr","title":"phpMyFAQ: Stored XSS in FAQ Question\/Answer via Encode-Decode Bypass of removeAttributes() Sanitization","link":"https:\/\/github.com\/advisories\/GHSA-h36g-93qx-rxgr","cve":"CVE-2026-46363","affectedVersions":"\u003C4.1.2","source":"GitHub","reportedAt":"2026-05-15 21:31:32","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-h36g-93qx-rxgr"}]},{"advisoryId":"PKSA-1jtk-przd-y3xm","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-5h62-f8fg-4w7q","title":"phpMyFAQ: Missing Authorization on Tag Deletion Allows Any Authenticated User to Delete Tags","link":"https:\/\/github.com\/advisories\/GHSA-5h62-f8fg-4w7q","cve":"CVE-2026-46365","affectedVersions":"\u003C4.1.2","source":"GitHub","reportedAt":"2026-05-15 21:31:32","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-5h62-f8fg-4w7q"}]},{"advisoryId":"PKSA-hs6b-6v19-kjgs","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-w42g-jj8w-fj77","title":"phpMyFAQ: Stored XSS via Utils::parseUrl() in comment rendering","link":"https:\/\/github.com\/advisories\/GHSA-w42g-jj8w-fj77","cve":"CVE-2026-46367","affectedVersions":"\u003C4.1.2","source":"GitHub","reportedAt":"2026-05-15 21:31:32","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-w42g-jj8w-fj77"}]},{"advisoryId":"PKSA-mvtd-8jbr-gzh5","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-9r8r-x3vg-6xh4","title":"phpMyFAQ: Ordinary Authenticated User Can Access Admin-Only API Endpoints Due to Insufficient Authorization Check","link":"https:\/\/github.com\/advisories\/GHSA-9r8r-x3vg-6xh4","cve":"CVE-2026-45009","affectedVersions":"\u003C4.1.2","source":"GitHub","reportedAt":"2026-05-15 21:31:32","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-9r8r-x3vg-6xh4"}]},{"advisoryId":"PKSA-1ckg-7bmf-xkmp","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-9qv9-8xv6-5p35","title":"phpMyFAQ: Unauthenticated Password Reset Endpoint Allows User Enumeration and Forced Password Change Without Token Validation","link":"https:\/\/github.com\/advisories\/GHSA-9qv9-8xv6-5p35","cve":"CVE-2026-35676","affectedVersions":"\u003C4.1.3","source":"GitHub","reportedAt":"2026-05-20 15:45:53","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-9qv9-8xv6-5p35"}]},{"advisoryId":"PKSA-vdjw-v652-d3d9","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-xvp4-phqj-cjr3","title":"phpMyFAQ: IDOR Account Takeover ","link":"https:\/\/github.com\/advisories\/GHSA-xvp4-phqj-cjr3","cve":"CVE-2026-35671","affectedVersions":"\u003C4.1.3","source":"GitHub","reportedAt":"2026-05-20 15:46:17","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xvp4-phqj-cjr3"}]},{"advisoryId":"PKSA-xr26-9czp-vbgk","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-gp95-j463-vv28","title":"phpMyFAQ: Default Empty API Token Authentication Bypass","link":"https:\/\/github.com\/advisories\/GHSA-gp95-j463-vv28","cve":"CVE-2026-35672","affectedVersions":"\u003C=4.1.2","source":"GitHub","reportedAt":"2026-05-20 15:46:42","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-gp95-j463-vv28"}]},{"advisoryId":"PKSA-527c-n963-c1j5","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-w9xh-5f39-vq89","title":"phpMyFAQ: Missing Password Reset Token Allows Account Takeover via Username\/Email Enumeration","link":"https:\/\/github.com\/advisories\/GHSA-w9xh-5f39-vq89","cve":"CVE-2026-35675","affectedVersions":"\u003C4.1.3","source":"GitHub","reportedAt":"2026-05-20 15:46:55","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-w9xh-5f39-vq89"}]}],"phpmyfaq":[{"advisoryId":"PKSA-sfg5-2fxf-g1n5","packageName":"phpmyfaq","remoteId":"GHSA-w42g-jj8w-fj77","title":"phpMyFAQ: Stored XSS via Utils::parseUrl() in comment rendering","link":"https:\/\/github.com\/advisories\/GHSA-w42g-jj8w-fj77","cve":"CVE-2026-46367","affectedVersions":"\u003C4.1.2","source":"GitHub","reportedAt":"2026-05-15 21:31:32","composerRepository":null,"severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-w42g-jj8w-fj77"}]}],"knplabs\/knp-snappy":[{"advisoryId":"PKSA-p1pz-jv1j-6msg","packageName":"knplabs\/knp-snappy","remoteId":"GHSA-c5fp-p67m-gq56","title":"Snappy : SSRF and local file read via the xsl-style-sheet option","link":"https:\/\/github.com\/advisories\/GHSA-c5fp-p67m-gq56","cve":"CVE-2026-46683","affectedVersions":"\u003C=1.6.0","source":"GitHub","reportedAt":"2026-05-21 20:20:01","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-c5fp-p67m-gq56"}]},{"advisoryId":"PKSA-13wp-m816-mvdd","packageName":"knplabs\/knp-snappy","remoteId":"GHSA-vpr4-p6fq-85jc","title":"Snappy: Binary path is never shell-escaped due to an inverted is_executable check","link":"https:\/\/github.com\/advisories\/GHSA-vpr4-p6fq-85jc","cve":"CVE-2026-46643","affectedVersions":"\u003C=1.7.0","source":"GitHub","reportedAt":"2026-05-21 20:22:16","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-vpr4-p6fq-85jc"}]}],"cockpit-hq\/cockpit":[{"advisoryId":"PKSA-by8z-q792-wbvd","packageName":"cockpit-hq\/cockpit","remoteId":"GHSA-ch4j-vcf5-58x5","title":"Cockpit CMS: Stored cross-site scripting vulnerability in the Set field type\u0027s Display template option","link":"https:\/\/github.com\/advisories\/GHSA-ch4j-vcf5-58x5","cve":"CVE-2026-23695","affectedVersions":"\u003C=2.14.0","source":"GitHub","reportedAt":"2026-05-15 18:30:34","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-ch4j-vcf5-58x5"}]},{"advisoryId":"PKSA-dpw9-65w1-pksf","packageName":"cockpit-hq\/cockpit","remoteId":"GHSA-j2rx-4jg9-79mw","title":"Cockpit Vulnerable to Unrestricted Upload of File with Dangerous Type","link":"https:\/\/github.com\/advisories\/GHSA-j2rx-4jg9-79mw","cve":"CVE-2026-38991","affectedVersions":"\u003C2.14.0","source":"GitHub","reportedAt":"2026-04-29 18:31:34","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-j2rx-4jg9-79mw"}]},{"advisoryId":"PKSA-gx1h-274c-423s","packageName":"cockpit-hq\/cockpit","remoteId":"GHSA-p46p-7pmj-m34f","title":"Cockpit is vulnerable to directory traversal","link":"https:\/\/github.com\/advisories\/GHSA-p46p-7pmj-m34f","cve":"CVE-2026-38993","affectedVersions":"\u003C2.14.0","source":"GitHub","reportedAt":"2026-04-29 18:31:34","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-p46p-7pmj-m34f"}]},{"advisoryId":"PKSA-496r-cnzn-ck12","packageName":"cockpit-hq\/cockpit","remoteId":"GHSA-fm6c-rhcf-7439","title":"Cockpit is vulnerable to arbitrary code execution","link":"https:\/\/github.com\/advisories\/GHSA-fm6c-rhcf-7439","cve":"CVE-2026-38992","affectedVersions":"\u003C2.14.0","source":"GitHub","reportedAt":"2026-04-29 15:30:39","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-fm6c-rhcf-7439"}]}],"georgringer\/news":[{"advisoryId":"PKSA-grgc-xpj3-tvw1","packageName":"georgringer\/news","remoteId":"georgringer\/news\/CVE-2026-8726.yaml","title":"SQL Injection in extension \u0022News system\u0022 (news)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2026-010","cve":"CVE-2026-8726","affectedVersions":"\u003C11.4.4|\u003E=12.0.0,\u003C12.3.2|\u003E=13.0.0,\u003C13.0.2|\u003E=14.0.0,\u003C14.0.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-19 12:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"georgringer\/news\/CVE-2026-8726.yaml"}]}],"laktak\/hjson":[{"advisoryId":"PKSA-fmxt-7v2r-bbsn","packageName":"laktak\/hjson","remoteId":"GHSA-5wfc-hjrc-gq87","title":"hjson stack exhaustion vulnerability","link":"https:\/\/github.com\/advisories\/GHSA-5wfc-hjrc-gq87","cve":"CVE-2023-34620","affectedVersions":"\u003C2.3.0","source":"GitHub","reportedAt":"2023-06-14 15:30:38","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-5wfc-hjrc-gq87"}]}],"symfony\/mailtrap-mailer":[{"advisoryId":"PKSA-n517-312t-6vqg","packageName":"symfony\/mailtrap-mailer","remoteId":"symfony\/mailtrap-mailer\/CVE-2026-45755.yaml","title":"CVE-2026-45755: Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC: Unauthenticated Webhook Event Injection","link":"https:\/\/symfony.com\/cve-2026-45755","cve":"CVE-2026-45755","affectedVersions":"\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-59f3-vp2f-mp9w"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/mailtrap-mailer\/CVE-2026-45755.yaml"}]}],"symfony\/lox24-notifier":[{"advisoryId":"PKSA-675k-fhbn-1yh5","packageName":"symfony\/lox24-notifier","remoteId":"symfony\/lox24-notifier\/CVE-2026-45754.yaml","title":"CVE-2026-45754: Mailjet Mailer and LOX24 Notifier Webhook Parsers Never Verify the Configured Secret: Unauthenticated Webhook Event Injection","link":"https:\/\/symfony.com\/cve-2026-45754","cve":"CVE-2026-45754","affectedVersions":"\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-64hg-93w9-fc35"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/lox24-notifier\/CVE-2026-45754.yaml"}]}],"symfony\/mailjet-mailer":[{"advisoryId":"PKSA-swxr-w76k-fd2b","packageName":"symfony\/mailjet-mailer","remoteId":"symfony\/mailjet-mailer\/CVE-2026-45754.yaml","title":"CVE-2026-45754: Mailjet Mailer and LOX24 Notifier Webhook Parsers Never Verify the Configured Secret: Unauthenticated Webhook Event Injection","link":"https:\/\/symfony.com\/cve-2026-45754","cve":"CVE-2026-45754","affectedVersions":"\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-64hg-93w9-fc35"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/mailjet-mailer\/CVE-2026-45754.yaml"}]}],"symfony\/yaml":[{"advisoryId":"PKSA-v5yj-8nmz-sk2q","packageName":"symfony\/yaml","remoteId":"symfony\/yaml\/CVE-2026-45304.yaml","title":"CVE-2026-45304: YAML Parser Exponential Memory Allocation via Recursive Collection-Alias Expansion (\u0022Billion Laughs\u0022)","link":"https:\/\/symfony.com\/cve-2026-45304","cve":"CVE-2026-45304","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-4qpc-3hr4-r2p4"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/yaml\/CVE-2026-45304.yaml"}]},{"advisoryId":"PKSA-ft77-7h5f-p3r6","packageName":"symfony\/yaml","remoteId":"symfony\/yaml\/CVE-2026-45305.yaml","title":"CVE-2026-45305: YAML Parser ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex","link":"https:\/\/symfony.com\/cve-2026-45305","cve":"CVE-2026-45305","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-9frc-8383-795m"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/yaml\/CVE-2026-45305.yaml"}]},{"advisoryId":"PKSA-b14r-zh1d-vdrc","packageName":"symfony\/yaml","remoteId":"symfony\/yaml\/CVE-2026-45133.yaml","title":"CVE-2026-45133: YAML Parser Stack Exhaustion via Unbounded Recursion in Nested Blocks, Sequences, and Mappings","link":"https:\/\/symfony.com\/cve-2026-45133","cve":"CVE-2026-45133","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-c2p3-7m5p-cv8x"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/yaml\/CVE-2026-45133.yaml"}]}],"symfony\/mime":[{"advisoryId":"PKSA-wtxr-p26d-nn42","packageName":"symfony\/mime","remoteId":"symfony\/mime\/CVE-2026-45070.yaml","title":"CVE-2026-45070: Email Header Injection via Non-Token Characters in Mime Parameter Names","link":"https:\/\/symfony.com\/cve-2026-45070","cve":"CVE-2026-45070","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-vqc8-7275-q272"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/mime\/CVE-2026-45070.yaml"}]},{"advisoryId":"PKSA-2n2k-66v2-bwg3","packageName":"symfony\/mime","remoteId":"symfony\/mime\/CVE-2026-45067.yaml","title":"CVE-2026-45067: Email Header \/ SMTP Command Injection via CRLF in Symfony\\Component\\Mime\\Address","link":"https:\/\/symfony.com\/cve-2026-45067","cve":"CVE-2026-45067","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-qpmx-3rfj-7rhv"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/mime\/CVE-2026-45067.yaml"}]}],"symfony\/http-kernel":[{"advisoryId":"PKSA-dw7n-x7f5-zf63","packageName":"symfony\/http-kernel","remoteId":"symfony\/http-kernel\/CVE-2026-45075.yaml","title":"CVE-2026-45075: HEAD Request Bypasses methods: [\u0027GET\u0027] Filter in #[IsGranted] \/ #[IsSignatureValid] \/ #[IsCsrfTokenValid]","link":"https:\/\/symfony.com\/cve-2026-45075","cve":"CVE-2026-45075","affectedVersions":"\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6439-2f28-8p8q"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/http-kernel\/CVE-2026-45075.yaml"}]}],"symfony\/monolog-bridge":[{"advisoryId":"PKSA-4wjj-gy1p-ft3r","packageName":"symfony\/monolog-bridge","remoteId":"symfony\/monolog-bridge\/CVE-2026-45077.yaml","title":"CVE-2026-45077: Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener","link":"https:\/\/symfony.com\/cve-2026-45077","cve":"CVE-2026-45077","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-m7v2-7gxm-vc2v"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/monolog-bridge\/CVE-2026-45077.yaml"}]}],"symfony\/twilio-notifier":[{"advisoryId":"PKSA-fgw6-3k5j-cfkn","packageName":"symfony\/twilio-notifier","remoteId":"symfony\/twilio-notifier\/CVE-2026-47212.yaml","title":"CVE-2026-47212: Twilio Notifier Webhook Parser Never Verifies the X-Twilio-Signature HMAC: Unauthenticated Webhook Event Injection","link":"https:\/\/symfony.com\/cve-2026-47212","cve":"CVE-2026-47212","affectedVersions":"\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-55rj-x2vc-4whq"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/twilio-notifier\/CVE-2026-47212.yaml"}]}],"symfony\/dom-crawler":[{"advisoryId":"PKSA-5r1g-c7b7-y1zg","packageName":"symfony\/dom-crawler","remoteId":"symfony\/dom-crawler\/CVE-2026-45071.yaml","title":"CVE-2026-45071: XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true","link":"https:\/\/symfony.com\/cve-2026-45071","cve":"CVE-2026-45071","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-x6g4-fwcc-jj8w"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/dom-crawler\/CVE-2026-45071.yaml"}]}],"symfony\/twig-bridge":[{"advisoryId":"PKSA-11dz-rdmf-vfgt","packageName":"symfony\/twig-bridge","remoteId":"symfony\/twig-bridge\/CVE-2026-45072.yaml","title":"CVE-2026-45072: Stored XSS in WebProfiler CodeExtension::fileExcerpt(): Unescaped Non-PHP File Rendering","link":"https:\/\/symfony.com\/cve-2026-45072","cve":"CVE-2026-45072","affectedVersions":"\u003E=6.4.24,\u003C6.4.40","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-hmr5-2xcr-v8pp"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/twig-bridge\/CVE-2026-45072.yaml"}]}],"symfony\/cache":[{"advisoryId":"PKSA-z7t6-zt6p-wtng","packageName":"symfony\/cache","remoteId":"symfony\/cache\/CVE-2026-45073.yaml","title":"CVE-2026-45073: SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix","link":"https:\/\/symfony.com\/cve-2026-45073","cve":"CVE-2026-45073","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6qh9-h6wf-jgqc"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/cache\/CVE-2026-45073.yaml"}]}],"symfony\/json-path":[{"advisoryId":"PKSA-rj1d-mpts-8wrt","packageName":"symfony\/json-path","remoteId":"symfony\/json-path\/CVE-2026-45756.yaml","title":"CVE-2026-45756: JsonPath Evaluates Attacker-Controlled Regular Expressions in match()\/search() Without Limits: ReDoS","link":"https:\/\/symfony.com\/cve-2026-45756","cve":"CVE-2026-45756","affectedVersions":"\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-8v8v-g73j-492j"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/json-path\/CVE-2026-45756.yaml"}]}],"symfony\/mailer":[{"advisoryId":"PKSA-28rh-rzzn-djk4","packageName":"symfony\/mailer","remoteId":"symfony\/mailer\/CVE-2026-45068.yaml","title":"CVE-2026-45068: Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address","link":"https:\/\/symfony.com\/cve-2026-45068","cve":"CVE-2026-45068","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-xx3c-qf5g-hc39"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/mailer\/CVE-2026-45068.yaml"}]}],"symfony\/runtime":[{"advisoryId":"PKSA-py8y-z9q7-q197","packageName":"symfony\/runtime","remoteId":"symfony\/runtime\/CVE-2026-46626.yaml","title":"CVE-2026-46626: SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV\/APP_DEBUG via parse_str\/SAPI Argv Mismatch","link":"https:\/\/symfony.com\/cve-2026-46626","cve":"CVE-2026-46626","affectedVersions":"\u003E=5.4.46,\u003C5.4.52|\u003E=6.4.14,\u003C6.4.40|\u003E=7.1.7,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/runtime\/CVE-2026-46626.yaml"}]}],"symfony\/web-profiler-bundle":[{"advisoryId":"PKSA-rg9h-crk2-m8zt","packageName":"symfony\/web-profiler-bundle","remoteId":"symfony\/web-profiler-bundle\/CVE-2026-45072.yaml","title":"CVE-2026-45072: Stored XSS in WebProfiler CodeExtension::fileExcerpt(): Unescaped Non-PHP File Rendering","link":"https:\/\/symfony.com\/cve-2026-45072","cve":"CVE-2026-45072","affectedVersions":"\u003E=7.2.9,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-hmr5-2xcr-v8pp"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/web-profiler-bundle\/CVE-2026-45072.yaml"}]}],"twig\/markdown-extra":[{"advisoryId":"PKSA-7b1y-jwqf-x6v6","packageName":"twig\/markdown-extra","remoteId":"twig\/markdown-extra\/CVE-2026-46637.yaml","title":"HTML-output filters in twig\/* extras incorrectly declared `is_safe =\u003E [\u0027all\u0027]`","link":"https:\/\/symfony.com\/cve-2026-46637","cve":"CVE-2026-46637","affectedVersions":"\u003E=2.12.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-jv8m-2544-3pg3"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/markdown-extra\/CVE-2026-46637.yaml"}]}],"twig\/intl-extra":[{"advisoryId":"PKSA-2rbx-bjdx-4d4d","packageName":"twig\/intl-extra","remoteId":"twig\/intl-extra\/CVE-2026-46629.yaml","title":"Unbounded formatter memoisation in twig\/intl-extra keyed on template-controlled arguments","link":"https:\/\/symfony.com\/cve-2026-46629","cve":"CVE-2026-46629","affectedVersions":"\u003E=2.12.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-35wc-cvqg-78fp"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/intl-extra\/CVE-2026-46629.yaml"}]}],"twig\/cssinliner-extra":[{"advisoryId":"PKSA-fs5b-x5k4-1h39","packageName":"twig\/cssinliner-extra","remoteId":"twig\/cssinliner-extra\/CVE-2026-46637.yaml","title":"HTML-output filters in twig\/* extras incorrectly declared `is_safe =\u003E [\u0027all\u0027]`","link":"https:\/\/symfony.com\/cve-2026-46637","cve":"CVE-2026-46637","affectedVersions":"\u003E=2.12.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-jv8m-2544-3pg3"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/cssinliner-extra\/CVE-2026-46637.yaml"}]}],"setasign\/fpdi":[{"advisoryId":"PKSA-37cw-b473-k9np","packageName":"setasign\/fpdi","remoteId":"GHSA-2mgw-7q6p-8grg","title":"FPDI: Memory Exhaustion and Endless Loop in FPDI leads to Denial of Service","link":"https:\/\/github.com\/advisories\/GHSA-2mgw-7q6p-8grg","cve":"CVE-2026-45802","affectedVersions":"\u003C2.6.7","source":"GitHub","reportedAt":"2026-05-19 19:56:17","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-2mgw-7q6p-8grg"}]}],"wwbn\/avideo":[{"advisoryId":"PKSA-2zy4-bynz-m2w3","packageName":"wwbn\/avideo","remoteId":"GHSA-w4qq-74h6-58wq","title":"AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view\/img\/image404Raw.php`","link":"https:\/\/github.com\/advisories\/GHSA-w4qq-74h6-58wq","cve":"CVE-2026-46337","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-19 16:25:27","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-w4qq-74h6-58wq"}]},{"advisoryId":"PKSA-qsmt-54t8-4cfb","packageName":"wwbn\/avideo","remoteId":"GHSA-3mjv-375j-6h92","title":"AVideo: Authenticated Arbitrary File Read in view\/update.php","link":"https:\/\/github.com\/advisories\/GHSA-3mjv-375j-6h92","cve":"CVE-2026-45731","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-18 19:01:59","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3mjv-375j-6h92"}]},{"advisoryId":"PKSA-23zk-pg8x-sksb","packageName":"wwbn\/avideo","remoteId":"GHSA-vpfx-pxqw-2w79","title":"AVideo CVE-2026-43881 incomplete fix - `objects\/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024`","link":"https:\/\/github.com\/advisories\/GHSA-vpfx-pxqw-2w79","cve":"CVE-2026-45620","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-18 13:30:05","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-vpfx-pxqw-2w79"}]},{"advisoryId":"PKSA-rjrh-w2j8-5qv7","packageName":"wwbn\/avideo","remoteId":"GHSA-xw67-cg5f-4m2r","title":"AVideo: OS command injection in on_publish.php execAsync via unescaped m3u8 URL","link":"https:\/\/github.com\/advisories\/GHSA-xw67-cg5f-4m2r","cve":"CVE-2026-45578","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-15 18:32:36","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xw67-cg5f-4m2r"}]},{"advisoryId":"PKSA-wfgs-zzz2-wqdc","packageName":"wwbn\/avideo","remoteId":"GHSA-m5j4-7r85-2cj2","title":"AVideo: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute","link":"https:\/\/github.com\/advisories\/GHSA-m5j4-7r85-2cj2","cve":"CVE-2026-45580","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-15 18:33:58","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-m5j4-7r85-2cj2"}]},{"advisoryId":"PKSA-p6p4-r212-wdgb","packageName":"wwbn\/avideo","remoteId":"GHSA-3mv2-vmwh-rwfx","title":"AVideo: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim\u0027s 2FA","link":"https:\/\/github.com\/advisories\/GHSA-3mv2-vmwh-rwfx","cve":"CVE-2026-45610","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-15 18:34:57","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3mv2-vmwh-rwfx"}]},{"advisoryId":"PKSA-fc5p-jrjx-1jy4","packageName":"wwbn\/avideo","remoteId":"GHSA-c3ch-22rq-xfwr","title":"AVideo CVE-2026-43884 incomplete fix - six (or more) `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post-`603e7bf`","link":"https:\/\/github.com\/advisories\/GHSA-c3ch-22rq-xfwr","cve":"CVE-2026-45619","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-15 18:35:38","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-c3ch-22rq-xfwr"}]},{"advisoryId":"PKSA-psg4-6wzm-s4q8","packageName":"wwbn\/avideo","remoteId":"GHSA-qxvm-r42f-5p8j","title":"AVideo\u0027s Meet plugin: `uploadRecordedVideo.json.php` derives `users_id` from the uploaded filename and calls passwordless `User-\u003Elogin()`, allowing any caller with the Meet shared secret to obtain a session as arbitrary users including admin","link":"https:\/\/github.com\/advisories\/GHSA-qxvm-r42f-5p8j","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-15 18:17:19","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-qxvm-r42f-5p8j"}]}],"sulu\/sulu":[{"advisoryId":"PKSA-2mt7-sd38-1xng","packageName":"sulu\/sulu","remoteId":"GHSA-9m6v-8fxc-4r44","title":"Sulu: Used API Keys may be available via Admin API","link":"https:\/\/github.com\/advisories\/GHSA-9m6v-8fxc-4r44","cve":null,"affectedVersions":"\u003C=2.6.22|\u003E=3.0.0-alpha1,\u003C=3.0.5","source":"GitHub","reportedAt":"2026-05-18 17:34:06","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-9m6v-8fxc-4r44"}]},{"advisoryId":"PKSA-psv3-gm5n-8wm5","packageName":"sulu\/sulu","remoteId":"GHSA-7fv8-6pp7-6h85","title":"Sulu: Weak Cryptographical usage for API Key generation and Reset Tokens","link":"https:\/\/github.com\/advisories\/GHSA-7fv8-6pp7-6h85","cve":"CVE-2026-45701","affectedVersions":"\u003C=2.6.22|\u003E=3.0.0-alpha1,\u003C=3.0.5","source":"GitHub","reportedAt":"2026-05-18 17:27:22","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-7fv8-6pp7-6h85"}]}],"librenms\/librenms":[{"advisoryId":"PKSA-g8mh-y1x4-3d27","packageName":"librenms\/librenms","remoteId":"GHSA-5gm9-622f-qcg5","title":"LibreNMS: Cross-Site Scripting in ShowConfigController","link":"https:\/\/github.com\/advisories\/GHSA-5gm9-622f-qcg5","cve":"CVE-2026-2728","affectedVersions":"\u003E=25.12.0,\u003C26.3.0","source":"GitHub","reportedAt":"2026-05-18 17:00:49","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-5gm9-622f-qcg5"}]}],"shopper\/framework":[{"advisoryId":"PKSA-vtqh-k648-prz7","packageName":"shopper\/framework","remoteId":"GHSA-f946-9qp6-vgch","title":"shopper\/framework: Authorization bypass in multiple Livewire admin components","link":"https:\/\/github.com\/advisories\/GHSA-f946-9qp6-vgch","cve":null,"affectedVersions":"\u003C2.8.0","source":"GitHub","reportedAt":"2026-05-18 16:34:23","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-f946-9qp6-vgch"}]}],"shopper\/cart":[{"advisoryId":"PKSA-92pp-1wvt-fk91","packageName":"shopper\/cart","remoteId":"GHSA-9rh9-hf3w-9fgg","title":"shopper\/framework: Race condition on Discount.usage_limit allows silent over-redemption","link":"https:\/\/github.com\/advisories\/GHSA-9rh9-hf3w-9fgg","cve":null,"affectedVersions":"\u003C2.8.0","source":"GitHub","reportedAt":"2026-05-18 16:37:20","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-9rh9-hf3w-9fgg"}]}],"ci4-cms-erp\/ci4ms":[{"advisoryId":"PKSA-x2rt-sj8n-h21z","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-245j-xjvr-xvm5","title":"CI4MS Fileeditor allows deletion and rename of critical application files due to missing extension allowlist on destructive operations","link":"https:\/\/github.com\/advisories\/GHSA-245j-xjvr-xvm5","cve":"CVE-2026-45139","affectedVersions":"\u003C=0.31.8.0","source":"GitHub","reportedAt":"2026-05-18 16:21:17","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-245j-xjvr-xvm5"}]},{"advisoryId":"PKSA-cfx9-7tcq-n157","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-gqr2-7hcg-rchf","title":"CI4MS: Stored XSS in Pages Module Content via Broken html_purify Validation Rule","link":"https:\/\/github.com\/advisories\/GHSA-gqr2-7hcg-rchf","cve":"CVE-2026-45270","affectedVersions":"\u003C=0.31.8.0","source":"GitHub","reportedAt":"2026-05-18 16:23:34","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-gqr2-7hcg-rchf"}]},{"advisoryId":"PKSA-7xbg-9dns-gxm5","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-2m69-jmvh-6chr","title":"CI4MS: Stored XSS in Blog Content via Broken `html_purify` Validation Rule","link":"https:\/\/github.com\/advisories\/GHSA-2m69-jmvh-6chr","cve":"CVE-2026-45138","affectedVersions":"\u003C=0.31.8.0","source":"GitHub","reportedAt":"2026-05-18 15:39:33","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-2m69-jmvh-6chr"}]}],"statamic\/cms":[{"advisoryId":"PKSA-7fht-jznj-7mgv","packageName":"statamic\/cms","remoteId":"GHSA-pf9c-ch8r-2958","title":"Statamic CMS: Server-Side Request Forgery via Glide","link":"https:\/\/github.com\/advisories\/GHSA-pf9c-ch8r-2958","cve":"CVE-2026-45660","affectedVersions":"\u003E=6.0.0-alpha.1,\u003C6.18.1|\u003C5.73.22","source":"GitHub","reportedAt":"2026-05-18 15:32:43","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-pf9c-ch8r-2958"}]}],"code16\/sharp":[{"advisoryId":"PKSA-h9kt-ss6k-xq4z","packageName":"code16\/sharp","remoteId":"GHSA-748w-hm6r-qc7v","title":"Authenticated Sharp users can download unrelated Laravel Storage objects through the generic download endpoint","link":"https:\/\/github.com\/advisories\/GHSA-748w-hm6r-qc7v","cve":"CVE-2026-44692","affectedVersions":"\u003C9.22.0","source":"GitHub","reportedAt":"2026-05-15 18:01:03","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-748w-hm6r-qc7v"}]}],"simplesamlphp\/simplesamlphp-module-casserver":[{"advisoryId":"PKSA-4zw8-rhj7-ftzt","packageName":"simplesamlphp\/simplesamlphp-module-casserver","remoteId":"GHSA-jrrg-99xh-5j2q","title":"SimpleSAMLphp casserver FileSystemTicketStore path traversal allows out-of-ticket-directory read\/unserialize and conditional deletion","link":"https:\/\/github.com\/advisories\/GHSA-jrrg-99xh-5j2q","cve":"CVE-2026-46491","affectedVersions":"\u003C=7.0.2","source":"GitHub","reportedAt":"2026-05-15 18:07:51","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-jrrg-99xh-5j2q"}]},{"advisoryId":"PKSA-5vs1-v1t7-v5tj","packageName":"simplesamlphp\/simplesamlphp-module-casserver","remoteId":"GHSA-cvrm-5hp6-h523","title":"SimpleSAMLphp casserver: Open Redirect in logout","link":"https:\/\/github.com\/advisories\/GHSA-cvrm-5hp6-h523","cve":"CVE-2025-65954","affectedVersions":"\u003C6.3.1|\u003E=7.0.0-rc1,\u003C7.0.0-rc3","source":"GitHub","reportedAt":"2026-05-15 16:21:13","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-cvrm-5hp6-h523"}]}],"nukeviet\/nukeviet":[{"advisoryId":"PKSA-3wj7-33bv-rdwf","packageName":"nukeviet\/nukeviet","remoteId":"GHSA-64rr-pp78-62ww","title":"NukeViet CMS: Stored Cross-Site Scripting (XSS) via insufficient server-side input sanitization in Request class","link":"https:\/\/github.com\/advisories\/GHSA-64rr-pp78-62ww","cve":"CVE-2026-41147","affectedVersions":"\u003C=4.4.01","source":"GitHub","reportedAt":"2026-05-15 16:45:03","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-64rr-pp78-62ww"}]}],"coreshop\/core-shop":[{"advisoryId":"PKSA-9rch-wbbh-7nr6","packageName":"coreshop\/core-shop","remoteId":"GHSA-q58j-g3f4-h26h","title":"CoreShop Vulnerable to Remote Code Execution (RCE) via Insecure `pull_request_target` Configuration","link":"https:\/\/github.com\/advisories\/GHSA-q58j-g3f4-h26h","cve":"CVE-2026-41249","affectedVersions":"=5.0.0","source":"GitHub","reportedAt":"2026-05-14 13:18:16","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-q58j-g3f4-h26h"}]}],"getgrav\/grav":[{"advisoryId":"PKSA-jw9z-qj9h-1drk","packageName":"getgrav\/grav","remoteId":"GHSA-j274-39qw-32c9","title":"Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray()","link":"https:\/\/github.com\/advisories\/GHSA-j274-39qw-32c9","cve":"CVE-2026-44738","affectedVersions":"\u003C=2.0.0-rc.1","source":"GitHub","reportedAt":"2026-05-13 15:29:40","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-j274-39qw-32c9"}]},{"advisoryId":"PKSA-pfs8-6ghq-nzcr","packageName":"getgrav\/grav","remoteId":"GHSA-fmg2-f5r9-24qc","title":"Grav: Stored XSS via page title (data[header][title]) in admin panel","link":"https:\/\/github.com\/advisories\/GHSA-fmg2-f5r9-24qc","cve":"CVE-2026-44737","affectedVersions":"\u003C1.7.49.5","source":"GitHub","reportedAt":"2026-05-08 19:38:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-fmg2-f5r9-24qc"}]},{"advisoryId":"PKSA-t2z1-v63n-9cpk","packageName":"getgrav\/grav","remoteId":"GHSA-gwfr-jfjf-92vv","title":"Grav has Insecure Deserialization in File Cache","link":"https:\/\/github.com\/advisories\/GHSA-gwfr-jfjf-92vv","cve":"CVE-2026-7317","affectedVersions":"\u003C2.0.0-beta.2","source":"GitHub","reportedAt":"2026-05-05 21:29:29","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-gwfr-jfjf-92vv"}]}],"composer\/composer":[{"advisoryId":"PKSA-pwvr-3754-v57r","packageName":"composer\/composer","remoteId":"composer\/composer\/CVE-2026-45793.yaml","title":"Github Actions issued GITHUB_TOKEN disclosure in GitHub Actions logs","link":"https:\/\/github.com\/composer\/composer\/security\/advisories\/GHSA-f9f8-rm49-7jv2","cve":"CVE-2026-45793","affectedVersions":"\u003E=2.3,\u003C2.9.8|\u003E=2.0.0,\u003C2.2.28|\u003E=1.0,\u003C1.10.28","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-13 07:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"composer\/composer\/CVE-2026-45793.yaml"},{"name":"GitHub","remoteId":"GHSA-f9f8-rm49-7jv2"}]}],"krayin\/laravel-crm":[{"advisoryId":"PKSA-bfyk-wk4r-cjz9","packageName":"krayin\/laravel-crm","remoteId":"GHSA-j822-46r5-h4qx","title":"Webkul Krayin CRM is Vulnerable to Cross-Site Scripting in the \/admin\/activities\/create endpoint","link":"https:\/\/github.com\/advisories\/GHSA-j822-46r5-h4qx","cve":"CVE-2026-36341","affectedVersions":"=2.1.5","source":"GitHub","reportedAt":"2026-05-07 18:30:40","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-j822-46r5-h4qx"}]},{"advisoryId":"PKSA-vkyr-b96k-z2ks","packageName":"krayin\/laravel-crm","remoteId":"GHSA-32px-ccfx-cxq3","title":"Krayin CRM allows a remote attacker to execute arbitrary code via compose email function","link":"https:\/\/github.com\/advisories\/GHSA-32px-ccfx-cxq3","cve":"CVE-2026-36340","affectedVersions":"=2.1.5","source":"GitHub","reportedAt":"2026-04-30 18:30:32","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-32px-ccfx-cxq3"}]}],"mantisbt\/mantisbt":[{"advisoryId":"PKSA-x2q4-xdvd-5bhg","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-7mqj-8gj2-cg59","title":"MantisBT has Stored XSS on Move Attachments Admin Page","link":"https:\/\/github.com\/advisories\/GHSA-7mqj-8gj2-cg59","cve":"CVE-2026-44655","affectedVersions":"\u003E=1.3.0,\u003C=2.28.1","source":"GitHub","reportedAt":"2026-05-11 19:40:29","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-7mqj-8gj2-cg59"}]},{"advisoryId":"PKSA-2yw5-k1t7-1bg1","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-p6fr-rxq7-xcg8","title":"MantisBT Vulnerable to Stored XSS in File Download","link":"https:\/\/github.com\/advisories\/GHSA-p6fr-rxq7-xcg8","cve":"CVE-2026-44657","affectedVersions":"\u003C=2.28.1","source":"GitHub","reportedAt":"2026-05-11 19:40:43","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-p6fr-rxq7-xcg8"}]},{"advisoryId":"PKSA-9b5m-7bg5-xjqr","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-frf7-jhp9-jxm6","title":"MantisBT Vulnerable to Privilege Escalation from Manager to Administrator","link":"https:\/\/github.com\/advisories\/GHSA-frf7-jhp9-jxm6","cve":"CVE-2026-34390","affectedVersions":"\u003C=2.28.1","source":"GitHub","reportedAt":"2026-05-11 19:32:06","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-frf7-jhp9-jxm6"}]},{"advisoryId":"PKSA-fybf-x73k-s1x5","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-fvjf-68wh-rwp2","title":"MantisBT is Vulnerable to Stored HTML Injection\/XSS in Clone Issue Form","link":"https:\/\/github.com\/advisories\/GHSA-fvjf-68wh-rwp2","cve":"CVE-2026-34463","affectedVersions":"\u003C=2.28.1","source":"GitHub","reportedAt":"2026-05-11 19:32:11","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-fvjf-68wh-rwp2"}]},{"advisoryId":"PKSA-wqq3-5hnc-g52v","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-ggw7-9675-6v4v","title":"MantisBT has an authorization bypass in private issue monitoring","link":"https:\/\/github.com\/advisories\/GHSA-ggw7-9675-6v4v","cve":"CVE-2026-34579","affectedVersions":"\u003E=2.26.1,\u003C=2.28.1","source":"GitHub","reportedAt":"2026-05-11 19:32:22","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-ggw7-9675-6v4v"}]},{"advisoryId":"PKSA-mqx4-yq62-zbx3","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-rmp5-5jj7-gmvf","title":"MantisBT has an authorization bypass that allows reading attachments after losing access to a private issue","link":"https:\/\/github.com\/advisories\/GHSA-rmp5-5jj7-gmvf","cve":"CVE-2026-34744","affectedVersions":"\u003C=2.28.1","source":"GitHub","reportedAt":"2026-05-11 19:32:36","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-rmp5-5jj7-gmvf"}]},{"advisoryId":"PKSA-vg9w-dq6n-8d9w","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-h4x5-gvx6-3rwc","title":"MantisBT has an Authorization Bypass that Allows Uploading Attachments to Private Issues via REST API","link":"https:\/\/github.com\/advisories\/GHSA-h4x5-gvx6-3rwc","cve":"CVE-2026-34754","affectedVersions":"\u003C=2.28.1","source":"GitHub","reportedAt":"2026-05-11 19:33:06","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-h4x5-gvx6-3rwc"}]},{"advisoryId":"PKSA-r5kj-njzm-rsnd","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-crmx-4p49-46m2","title":"MantisBT: Bugnote Revision Page Leaks Private Issue Metadata After Issue Access Is Revoked","link":"https:\/\/github.com\/advisories\/GHSA-crmx-4p49-46m2","cve":"CVE-2026-34970","affectedVersions":"\u003C=2.28.1","source":"GitHub","reportedAt":"2026-05-11 19:33:10","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-crmx-4p49-46m2"}]},{"advisoryId":"PKSA-vqsr-dxg3-8yzy","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-qj6w-v29q-4rgx","title":"MantisBT is Vulnerable to Stored XSS in Custom Field Textarea Values","link":"https:\/\/github.com\/advisories\/GHSA-qj6w-v29q-4rgx","cve":"CVE-2026-39960","affectedVersions":"\u003C=2.28.1","source":"GitHub","reportedAt":"2026-05-11 19:34:32","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-qj6w-v29q-4rgx"}]},{"advisoryId":"PKSA-gt1y-4mwq-1fky","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-j3v9-553h-x28j","title":"MantisBT is Vulnerable to XSS leading to account takeover via updating a user\u0027s font family preference","link":"https:\/\/github.com\/advisories\/GHSA-j3v9-553h-x28j","cve":"CVE-2026-40596","affectedVersions":"\u003E=2.11.0,\u003C=2.28.1","source":"GitHub","reportedAt":"2026-05-11 19:34:38","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-j3v9-553h-x28j"}]},{"advisoryId":"PKSA-vmj5-ycv9-cm2v","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-9c3j-xm6v-j7j3","title":"MantisBT has a Content Security Policy bypass via attachments","link":"https:\/\/github.com\/advisories\/GHSA-9c3j-xm6v-j7j3","cve":"CVE-2026-40597","affectedVersions":"\u003C=2.28.1","source":"GitHub","reportedAt":"2026-05-11 19:34:48","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-9c3j-xm6v-j7j3"}]},{"advisoryId":"PKSA-gycx-g1kn-1tnd","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-6jh4-47v2-4g37","title":"MantisBT has Potential Referer-Based Reflected HTML Injection \/ XSS in Tag Update Page","link":"https:\/\/github.com\/advisories\/GHSA-6jh4-47v2-4g37","cve":"CVE-2026-40598","affectedVersions":"\u003C=2.28.1","source":"GitHub","reportedAt":"2026-05-11 19:35:01","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6jh4-47v2-4g37"}]},{"advisoryId":"PKSA-j9zz-q8wb-jgsg","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-f633-865q-2mhh","title":"MantisBT is Vulnerable to Stored XSS in Saved-Filter Owner Column","link":"https:\/\/github.com\/advisories\/GHSA-f633-865q-2mhh","cve":"CVE-2026-40607","affectedVersions":"\u003E=2.1.0,\u003C=2.28.1","source":"GitHub","reportedAt":"2026-05-11 19:35:05","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-f633-865q-2mhh"}]},{"advisoryId":"PKSA-p4dp-frh9-2khv","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-j7v9-f46r-2rp4","title":"MantisBT is Vulnerable to Reflected XSS in Rendering Dynamic Custom Textarea Field","link":"https:\/\/github.com\/advisories\/GHSA-j7v9-f46r-2rp4","cve":"CVE-2026-41897","affectedVersions":"\u003E=1.0.0,\u003C2.28.2","source":"GitHub","reportedAt":"2026-05-11 19:39:22","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-j7v9-f46r-2rp4"}]},{"advisoryId":"PKSA-67ww-bjf6-fqgz","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-pq86-j2c2-47f6","title":"MantisBT: Authorization Bypass in Bugnote Editing via Issue Update API","link":"https:\/\/github.com\/advisories\/GHSA-pq86-j2c2-47f6","cve":"CVE-2026-42070","affectedVersions":"\u003C=2.28.1","source":"GitHub","reportedAt":"2026-05-11 19:39:31","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-pq86-j2c2-47f6"}]},{"advisoryId":"PKSA-d3fh-4w7k-rvy1","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-pw5x-2mf9-3xc8","title":"MantisBT has a Private Bugnote Attachment Content Leak via REST API","link":"https:\/\/github.com\/advisories\/GHSA-pw5x-2mf9-3xc8","cve":"CVE-2026-42071","affectedVersions":"\u003E=2.23.0,\u003C=2.28.1","source":"GitHub","reportedAt":"2026-05-11 19:39:43","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pw5x-2mf9-3xc8"}]},{"advisoryId":"PKSA-7hdg-8xc6-bhnt","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-68w5-w573-q2r8","title":"MantisBT Has Authorization Bypass in Global Profile Creation","link":"https:\/\/github.com\/advisories\/GHSA-68w5-w573-q2r8","cve":"CVE-2026-33052","affectedVersions":"\u003E=2.28.0,\u003C2.28.2","source":"GitHub","reportedAt":"2026-05-11 17:58:50","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-68w5-w573-q2r8"}]}],"yiisoft\/yii2":[{"advisoryId":"PKSA-mxtc-f5ct-dqqd","packageName":"yiisoft\/yii2","remoteId":"GHSA-5vpg-rj7q-qpw2","title":"Yii 2: Local file inclusion via view parameter name collision","link":"https:\/\/github.com\/advisories\/GHSA-5vpg-rj7q-qpw2","cve":"CVE-2026-39850","affectedVersions":"\u003C2.0.55","source":"GitHub","reportedAt":"2026-05-11 19:34:28","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-5vpg-rj7q-qpw2"}]}],"torrentpier\/torrentpier":[{"advisoryId":"PKSA-yfmp-ydrw-v24w","packageName":"torrentpier\/torrentpier","remoteId":"GHSA-h29g-c9cx-c73q","title":"torrentpier has PHP Serialize Injections","link":"https:\/\/github.com\/advisories\/GHSA-h29g-c9cx-c73q","cve":null,"affectedVersions":"\u003C=2.4.3","source":"GitHub","reportedAt":"2026-05-11 17:53:20","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-h29g-c9cx-c73q"}]}],"dolibarr\/dolibarr":[{"advisoryId":"PKSA-zbps-xm91-whkn","packageName":"dolibarr\/dolibarr","remoteId":"GHSA-rvwr-q5hj-wq7g","title":"Dolibarr has an Injection issue","link":"https:\/\/github.com\/advisories\/GHSA-rvwr-q5hj-wq7g","cve":"CVE-2026-7688","affectedVersions":"\u003C=23.0.2","source":"GitHub","reportedAt":"2026-05-03 12:30:26","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-rvwr-q5hj-wq7g"}]},{"advisoryId":"PKSA-dxkr-sbbp-889v","packageName":"dolibarr\/dolibarr","remoteId":"GHSA-jggh-5rmh-r6h5","title":"Dolibarr has Insufficient Verification of Data Authenticity ","link":"https:\/\/github.com\/advisories\/GHSA-jggh-5rmh-r6h5","cve":"CVE-2026-7689","affectedVersions":"\u003C=15.0.3","source":"GitHub","reportedAt":"2026-05-03 12:30:26","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-jggh-5rmh-r6h5"}]}],"studio-42\/elfinder":[{"advisoryId":"PKSA-42xd-jnjn-nrty","packageName":"studio-42\/elfinder","remoteId":"GHSA-c3gj-q88f-7hqj","title":"elFinder MySQL has a SQL Injection in its Volume Driver (elFinderVolumeMySQL)","link":"https:\/\/github.com\/advisories\/GHSA-c3gj-q88f-7hqj","cve":"CVE-2026-44521","affectedVersions":"\u003C=2.1.67","source":"GitHub","reportedAt":"2026-05-11 16:11:31","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-c3gj-q88f-7hqj"}]}],"snipe\/snipe-it":[{"advisoryId":"PKSA-rnj3-1mvy-45m9","packageName":"snipe\/snipe-it","remoteId":"GHSA-mghp-5cq4-v6mg","title":"Snipe-IT has an open redirect vulnerability","link":"https:\/\/github.com\/advisories\/GHSA-mghp-5cq4-v6mg","cve":"CVE-2026-44833","affectedVersions":"\u003C8.4.1","source":"GitHub","reportedAt":"2026-05-08 23:25:37","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-mghp-5cq4-v6mg"}]},{"advisoryId":"PKSA-p5z5-yvbr-44mr","packageName":"snipe\/snipe-it","remoteId":"GHSA-xg82-2hrv-hf64","title":"Snipe-IT has insecure permissions in file uploads","link":"https:\/\/github.com\/advisories\/GHSA-xg82-2hrv-hf64","cve":"CVE-2026-37709","affectedVersions":"\u003C8.4.1","source":"GitHub","reportedAt":"2026-05-08 23:04:36","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-xg82-2hrv-hf64"}]},{"advisoryId":"PKSA-t5t8-ptsk-b8c5","packageName":"snipe\/snipe-it","remoteId":"GHSA-r42m-953q-6vjx","title":"Snipe-IT has Stored XSS via Component Checkout Notes (v8.4.0)","link":"https:\/\/github.com\/advisories\/GHSA-r42m-953q-6vjx","cve":"CVE-2026-44831","affectedVersions":"\u003C8.4.1","source":"GitHub","reportedAt":"2026-05-08 22:23:41","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-r42m-953q-6vjx"}]},{"advisoryId":"PKSA-3w8f-xykp-s5ps","packageName":"snipe\/snipe-it","remoteId":"GHSA-hq28-crg7-95pr","title":"Snipe-IT has Privilege Escalation via API Permissions Assignment","link":"https:\/\/github.com\/advisories\/GHSA-hq28-crg7-95pr","cve":"CVE-2026-44832","affectedVersions":"\u003C8.4.1","source":"GitHub","reportedAt":"2026-05-08 22:24:45","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-hq28-crg7-95pr"}]}],"kimai\/kimai":[{"advisoryId":"PKSA-hzjv-c975-xrgc","packageName":"kimai\/kimai","remoteId":"GHSA-h5fh-7hwr-97mw","title":"Kimai has an arbitrary file read in its invoice PDF renderer (admin)","link":"https:\/\/github.com\/advisories\/GHSA-h5fh-7hwr-97mw","cve":"CVE-2026-44298","affectedVersions":"\u003E=2.32.0,\u003C=2.55","source":"GitHub","reportedAt":"2026-05-08 22:22:36","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-h5fh-7hwr-97mw"}]}],"devcode-it\/openstamanager":[{"advisoryId":"PKSA-4d6v-4cnw-287h","packageName":"devcode-it\/openstamanager","remoteId":"GHSA-rm34-fg4m-39mw","title":"OpenSTAManager contains an arbitrary file upload vulnerability in its module update functionality ","link":"https:\/\/github.com\/advisories\/GHSA-rm34-fg4m-39mw","cve":"CVE-2026-38751","affectedVersions":"\u003C=2.10-beta","source":"GitHub","reportedAt":"2026-05-04 21:30:24","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-rm34-fg4m-39mw"}]}],"prestashop\/prestashop":[{"advisoryId":"PKSA-f9zy-1yrp-415w","packageName":"prestashop\/prestashop","remoteId":"GHSA-w9f3-qc75-qgx9","title":"PrestaShop has a stored XSS executable in customer service view","link":"https:\/\/github.com\/advisories\/GHSA-w9f3-qc75-qgx9","cve":"CVE-2026-44212","affectedVersions":"\u003E=9.0.0,\u003C9.1.1|\u003C8.2.6","source":"GitHub","reportedAt":"2026-05-08 16:54:22","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-w9f3-qc75-qgx9"}]}],"funadmin\/funadmin":[{"advisoryId":"PKSA-1r81-6z2f-xhbh","packageName":"funadmin\/funadmin","remoteId":"GHSA-qhh7-263p-54r3","title":"Funadmin has an Improper Access Control Issue","link":"https:\/\/github.com\/advisories\/GHSA-qhh7-263p-54r3","cve":"CVE-2026-7733","affectedVersions":"\u003C=7.1.0-rc6","source":"GitHub","reportedAt":"2026-05-04 06:32:02","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-qhh7-263p-54r3"}]}],"web-auth\/webauthn-framework":[{"advisoryId":"PKSA-3b1p-96n1-3rfh","packageName":"web-auth\/webauthn-framework","remoteId":"GHSA-h4fw-6r7f-w494","title":"Webauthn has a User Verification Downgrade via Default-Open ClientOverridePolicy","link":"https:\/\/github.com\/advisories\/GHSA-h4fw-6r7f-w494","cve":null,"affectedVersions":"\u003E=5.3.0,\u003C5.3.1","source":"GitHub","reportedAt":"2026-05-07 21:05:33","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-h4fw-6r7f-w494"}]}],"facturascripts\/facturascripts":[{"advisoryId":"PKSA-jz8v-9c91-p1x8","packageName":"facturascripts\/facturascripts","remoteId":"GHSA-vrxf-vrc4-22p7","title":"FacturaScripts Vulnerable to Unauthenticated phpinfo() Disclosure via Installer Endpoint","link":"https:\/\/github.com\/advisories\/GHSA-vrxf-vrc4-22p7","cve":"CVE-2026-42878","affectedVersions":"\u003E=2026,\u003C=2026.1","source":"GitHub","reportedAt":"2026-05-07 19:43:24","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-vrxf-vrc4-22p7"}]},{"advisoryId":"PKSA-rs14-58cq-g5jg","packageName":"facturascripts\/facturascripts","remoteId":"GHSA-vf3q-frmr-vrr9","title":"FacturaScripts Vulnerable to Authenticated Remote Code Execution (RCE) via GIF Image Upload in Product Images","link":"https:\/\/github.com\/advisories\/GHSA-vf3q-frmr-vrr9","cve":"CVE-2026-42879","affectedVersions":"\u003C=2025.81","source":"GitHub","reportedAt":"2026-05-07 19:49:05","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-vf3q-frmr-vrr9"}]},{"advisoryId":"PKSA-xfzw-dtp7-gwj8","packageName":"facturascripts\/facturascripts","remoteId":"GHSA-3pgc-xqg9-cfr6","title":"FacturaScripts Vulnerable to Remote Code Execution (RCE) via Zip Slip in Plugin Upload Mechanism","link":"https:\/\/github.com\/advisories\/GHSA-3pgc-xqg9-cfr6","cve":"CVE-2026-27891","affectedVersions":"\u003C=2025.71","source":"GitHub","reportedAt":"2026-05-07 19:32:14","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-3pgc-xqg9-cfr6"}]},{"advisoryId":"PKSA-zck8-p11k-g1qj","packageName":"facturascripts\/facturascripts","remoteId":"GHSA-q7f2-rv22-2xgr","title":"FacturaScripts Vulnerable to Unstripped Image Metadata (EXIF) Leakage via Library Module File Upload\/Download","link":"https:\/\/github.com\/advisories\/GHSA-q7f2-rv22-2xgr","cve":"CVE-2026-27892","affectedVersions":"\u003C=2025.81","source":"GitHub","reportedAt":"2026-05-07 19:33:48","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-q7f2-rv22-2xgr"}]},{"advisoryId":"PKSA-qm4y-jdfc-4pmf","packageName":"facturascripts\/facturascripts","remoteId":"GHSA-gq5c-rw37-g46c","title":"FacturaScripts vulnerable to Reflected Cross-Site Scripting (XSS) via Cookie Manipulation","link":"https:\/\/github.com\/advisories\/GHSA-gq5c-rw37-g46c","cve":"CVE-2026-27964","affectedVersions":"\u003C=2025.71","source":"GitHub","reportedAt":"2026-05-07 19:34:28","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-gq5c-rw37-g46c"}]},{"advisoryId":"PKSA-1ktk-zddg-2f2s","packageName":"facturascripts\/facturascripts","remoteId":"GHSA-r736-2678-fcrx","title":"FacturaScripts vulnerable to stored XSS via product reference in sales\/purchases","link":"https:\/\/github.com\/advisories\/GHSA-r736-2678-fcrx","cve":"CVE-2026-42877","affectedVersions":"\u003C=2025.92","source":"GitHub","reportedAt":"2026-05-07 19:37:08","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-r736-2678-fcrx"}]}],"mix\/mix":[{"advisoryId":"PKSA-vrn6-t5ym-qs6h","packageName":"mix\/mix","remoteId":"GHSA-vf35-8m4j-gm8v","title":"MixPHP Framework has an SQL injection vulnerability","link":"https:\/\/github.com\/advisories\/GHSA-vf35-8m4j-gm8v","cve":"CVE-2026-42475","affectedVersions":"\u003E=2.0.0,\u003C=2.2.17","source":"GitHub","reportedAt":"2026-05-01 18:31:24","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-vf35-8m4j-gm8v"}]},{"advisoryId":"PKSA-rnvq-qnrp-k5ms","packageName":"mix\/mix","remoteId":"GHSA-q57j-rwwx-7rwp","title":"MixPHP Framework has an SQL injection vulnerability via crafted `data` array","link":"https:\/\/github.com\/advisories\/GHSA-q57j-rwwx-7rwp","cve":"CVE-2026-42474","affectedVersions":"\u003E=2.0.0,\u003C=2.2.17","source":"GitHub","reportedAt":"2026-05-01 18:31:24","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-q57j-rwwx-7rwp"}]}],"intercom\/intercom-php":[{"advisoryId":"PKSA-gwt3-5dgf-97fx","packageName":"intercom\/intercom-php","remoteId":"GHSA-gr3r-crp5-qrrm","title":"Compromised tag of intercom-php published via GitHub","link":"https:\/\/github.com\/advisories\/GHSA-gr3r-crp5-qrrm","cve":null,"affectedVersions":"=5.0.2","source":"GitHub","reportedAt":"2026-05-07 16:48:41","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-gr3r-crp5-qrrm"}]}],"getgrav\/grav-plugin-form":[{"advisoryId":"PKSA-t8zh-nz62-2js9","packageName":"getgrav\/grav-plugin-form","remoteId":"GHSA-w4rc-p66m-x6qq","title":"Grav Form Plugin has an Anonymous Page Content Overwrite via Form File Upload filename Override","link":"https:\/\/github.com\/advisories\/GHSA-w4rc-p66m-x6qq","cve":"CVE-2026-42845","affectedVersions":"\u003C9.1.0","source":"GitHub","reportedAt":"2026-05-06 23:03:13","composerRepository":null,"severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-w4rc-p66m-x6qq"}]}],"phpseclib\/phpseclib":[{"advisoryId":"PKSA-smrh-yx37-92ws","packageName":"phpseclib\/phpseclib","remoteId":"GHSA-3qpq-r242-jqj7","title":"phpseclib has a CVE-2024-27355 mitigation bypass \u2014 OID amplification DoS in ASN1::decodeOID()","link":"https:\/\/github.com\/advisories\/GHSA-3qpq-r242-jqj7","cve":"CVE-2026-44167","affectedVersions":"\u003E=0.1.1,\u003C=1.0.28|\u003E=3.0.0,\u003C=3.0.51|\u003E=2.0.0,\u003C=2.0.53","source":"GitHub","reportedAt":"2026-05-05 21:17:57","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-3qpq-r242-jqj7"}]},{"advisoryId":"PKSA-zh4j-by9m-7mz8","packageName":"phpseclib\/phpseclib","remoteId":"GHSA-r854-jrxh-36qx","title":"phpseclib has a variable-time HMAC comparison in SSH2::get_binary_packet() using != instead of hash_equals()","link":"https:\/\/github.com\/advisories\/GHSA-r854-jrxh-36qx","cve":"CVE-2026-40194","affectedVersions":"\u003E=0.1.1,\u003C1.0.28|\u003E=3.0.0,\u003C3.0.51|\u003E=2.0.0,\u003C2.0.53","source":"GitHub","reportedAt":"2026-04-10 20:58:10","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-r854-jrxh-36qx"}]},{"advisoryId":"PKSA-km2b-zc3b-mjm3","packageName":"phpseclib\/phpseclib","remoteId":"GHSA-94g3-g5v7-q4jg","title":"phpseclib\u0027s AES-CBC unpadding susceptible to padding oracle timing attack","link":"https:\/\/github.com\/advisories\/GHSA-94g3-g5v7-q4jg","cve":"CVE-2026-32935","affectedVersions":"\u003E=0.1.1,\u003C=1.0.26|\u003E=2.0.0,\u003C=2.0.51|\u003E=3.0.0,\u003C=3.0.49","source":"GitHub","reportedAt":"2026-03-19 16:42:18","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-94g3-g5v7-q4jg"}]}],"phpoffice\/phpspreadsheet":[{"advisoryId":"PKSA-8cfg-tzhf-fr83","packageName":"phpoffice\/phpspreadsheet","remoteId":"GHSA-q4q6-r8wh-5cgh","title":"PhpSpreadsheet has SSRF\/RCE in IOFactory::load when $filename is user controlled","link":"https:\/\/github.com\/advisories\/GHSA-q4q6-r8wh-5cgh","cve":"CVE-2026-34084","affectedVersions":"\u003C=1.30.2|\u003E=2.0.0,\u003C=2.1.14|\u003E=2.2.0,\u003C=2.4.3|\u003E=3.3.0,\u003C=3.10.3|\u003E=4.0.0,\u003C=5.5.0","source":"GitHub","reportedAt":"2026-04-29 20:22:30","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-q4q6-r8wh-5cgh"}]}]}}