{"advisories":{"georgringer\/news":[{"advisoryId":"PKSA-grgc-xpj3-tvw1","packageName":"georgringer\/news","remoteId":"georgringer\/news\/CVE-2026-8726.yaml","title":"SQL Injection in extension \u0022News system\u0022 (news)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2026-010","cve":"CVE-2026-8726","affectedVersions":"\u003C11.4.4|\u003E=12.0.0,\u003C12.3.2|\u003E=13.0.0,\u003C13.0.2|\u003E=14.0.0,\u003C14.0.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-19 12:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"georgringer\/news\/CVE-2026-8726.yaml"}]}],"laktak\/hjson":[{"advisoryId":"PKSA-fmxt-7v2r-bbsn","packageName":"laktak\/hjson","remoteId":"GHSA-5wfc-hjrc-gq87","title":"hjson stack exhaustion vulnerability","link":"https:\/\/github.com\/advisories\/GHSA-5wfc-hjrc-gq87","cve":"CVE-2023-34620","affectedVersions":"\u003C2.3.0","source":"GitHub","reportedAt":"2023-06-14 15:30:38","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-5wfc-hjrc-gq87"}]}],"thorsten\/phpmyfaq":[{"advisoryId":"PKSA-64xv-jbdm-pg2q","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-9qv9-8xv6-5p35","title":"phpMyFAQ: Unauthenticated Password Reset Endpoint Allows User Enumeration and Forced Password Change Without Token Validation","link":"https:\/\/github.com\/advisories\/GHSA-9qv9-8xv6-5p35","cve":null,"affectedVersions":"\u003C4.1.3","source":"GitHub","reportedAt":"2026-05-20 15:45:53","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-9qv9-8xv6-5p35"}]},{"advisoryId":"PKSA-ttcw-fg74-jv2w","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-xvp4-phqj-cjr3","title":"phpMyFAQ: IDOR Account Takeover ","link":"https:\/\/github.com\/advisories\/GHSA-xvp4-phqj-cjr3","cve":null,"affectedVersions":"\u003C4.1.3","source":"GitHub","reportedAt":"2026-05-20 15:46:17","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xvp4-phqj-cjr3"}]},{"advisoryId":"PKSA-jk8b-rmby-gztg","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-gp95-j463-vv28","title":"phpMyFAQ: Default Empty API Token Authentication Bypass","link":"https:\/\/github.com\/advisories\/GHSA-gp95-j463-vv28","cve":null,"affectedVersions":"\u003C=4.1.2","source":"GitHub","reportedAt":"2026-05-20 15:46:42","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-gp95-j463-vv28"}]},{"advisoryId":"PKSA-x1b3-f9q9-1brm","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-w9xh-5f39-vq89","title":"phpMyFAQ: Missing Password Reset Token Allows Account Takeover via Username\/Email Enumeration","link":"https:\/\/github.com\/advisories\/GHSA-w9xh-5f39-vq89","cve":null,"affectedVersions":"\u003C4.1.3","source":"GitHub","reportedAt":"2026-05-20 15:46:55","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-w9xh-5f39-vq89"}]}],"phpmyfaq\/phpmyfaq":[{"advisoryId":"PKSA-1ckg-7bmf-xkmp","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-9qv9-8xv6-5p35","title":"phpMyFAQ: Unauthenticated Password Reset Endpoint Allows User Enumeration and Forced Password Change Without Token Validation","link":"https:\/\/github.com\/advisories\/GHSA-9qv9-8xv6-5p35","cve":null,"affectedVersions":"\u003C4.1.3","source":"GitHub","reportedAt":"2026-05-20 15:45:53","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-9qv9-8xv6-5p35"}]},{"advisoryId":"PKSA-vdjw-v652-d3d9","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-xvp4-phqj-cjr3","title":"phpMyFAQ: IDOR Account Takeover ","link":"https:\/\/github.com\/advisories\/GHSA-xvp4-phqj-cjr3","cve":null,"affectedVersions":"\u003C4.1.3","source":"GitHub","reportedAt":"2026-05-20 15:46:17","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xvp4-phqj-cjr3"}]},{"advisoryId":"PKSA-xr26-9czp-vbgk","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-gp95-j463-vv28","title":"phpMyFAQ: Default Empty API Token Authentication Bypass","link":"https:\/\/github.com\/advisories\/GHSA-gp95-j463-vv28","cve":null,"affectedVersions":"\u003C=4.1.2","source":"GitHub","reportedAt":"2026-05-20 15:46:42","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-gp95-j463-vv28"}]},{"advisoryId":"PKSA-527c-n963-c1j5","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-w9xh-5f39-vq89","title":"phpMyFAQ: Missing Password Reset Token Allows Account Takeover via Username\/Email Enumeration","link":"https:\/\/github.com\/advisories\/GHSA-w9xh-5f39-vq89","cve":null,"affectedVersions":"\u003C4.1.3","source":"GitHub","reportedAt":"2026-05-20 15:46:55","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-w9xh-5f39-vq89"}]}],"symfony\/mailtrap-mailer":[{"advisoryId":"PKSA-n517-312t-6vqg","packageName":"symfony\/mailtrap-mailer","remoteId":"symfony\/mailtrap-mailer\/CVE-2026-45755.yaml","title":"CVE-2026-45755: Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC: Unauthenticated Webhook Event Injection","link":"https:\/\/symfony.com\/cve-2026-45755","cve":"CVE-2026-45755","affectedVersions":"\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/mailtrap-mailer\/CVE-2026-45755.yaml"}]}],"symfony\/lox24-notifier":[{"advisoryId":"PKSA-675k-fhbn-1yh5","packageName":"symfony\/lox24-notifier","remoteId":"symfony\/lox24-notifier\/CVE-2026-45754.yaml","title":"CVE-2026-45754: Mailjet Mailer and LOX24 Notifier Webhook Parsers Never Verify the Configured Secret: Unauthenticated Webhook Event Injection","link":"https:\/\/symfony.com\/cve-2026-45754","cve":"CVE-2026-45754","affectedVersions":"\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/lox24-notifier\/CVE-2026-45754.yaml"}]}],"symfony\/mailjet-mailer":[{"advisoryId":"PKSA-swxr-w76k-fd2b","packageName":"symfony\/mailjet-mailer","remoteId":"symfony\/mailjet-mailer\/CVE-2026-45754.yaml","title":"CVE-2026-45754: Mailjet Mailer and LOX24 Notifier Webhook Parsers Never Verify the Configured Secret: Unauthenticated Webhook Event Injection","link":"https:\/\/symfony.com\/cve-2026-45754","cve":"CVE-2026-45754","affectedVersions":"\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/mailjet-mailer\/CVE-2026-45754.yaml"}]}],"symfony\/symfony":[{"advisoryId":"PKSA-2zh8-n335-x575","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45304.yaml","title":"CVE-2026-45304: YAML Parser Exponential Memory Allocation via Recursive Collection-Alias Expansion (\u0022Billion Laughs\u0022)","link":"https:\/\/symfony.com\/cve-2026-45304","cve":"CVE-2026-45304","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45304.yaml"}]},{"advisoryId":"PKSA-9sj3-tcvg-s7g4","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45068.yaml","title":"CVE-2026-45068: Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address","link":"https:\/\/symfony.com\/cve-2026-45068","cve":"CVE-2026-45068","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45068.yaml"}]},{"advisoryId":"PKSA-qgpb-b2wz-rty6","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45070.yaml","title":"CVE-2026-45070: Email Header Injection via Non-Token Characters in Mime Parameter Names","link":"https:\/\/symfony.com\/cve-2026-45070","cve":"CVE-2026-45070","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45070.yaml"}]},{"advisoryId":"PKSA-j6yc-z95h-xyjq","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45305.yaml","title":"CVE-2026-45305: YAML Parser ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex","link":"https:\/\/symfony.com\/cve-2026-45305","cve":"CVE-2026-45305","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45305.yaml"}]},{"advisoryId":"PKSA-kp1y-8sfh-4r87","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45753.yaml","title":"CVE-2026-45753: HtmlSanitizer UrlAttributeSanitizer Omits action\/formaction\/poster\/cite: javascript: URI Survives Sanitization (XSS)","link":"https:\/\/symfony.com\/cve-2026-45753","cve":"CVE-2026-45753","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45753.yaml"}]},{"advisoryId":"PKSA-9ss4-yr44-h3bt","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45071.yaml","title":"CVE-2026-45071: XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true","link":"https:\/\/symfony.com\/cve-2026-45071","cve":"CVE-2026-45071","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45071.yaml"}]},{"advisoryId":"PKSA-3ds8-wrg2-pjdq","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45754.yaml","title":"CVE-2026-45754: Mailjet Mailer and LOX24 Notifier Webhook Parsers Never Verify the Configured Secret: Unauthenticated Webhook Event Injection","link":"https:\/\/symfony.com\/cve-2026-45754","cve":"CVE-2026-45754","affectedVersions":"\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45754.yaml"}]},{"advisoryId":"PKSA-rgzg-p3v4-grbh","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-47212.yaml","title":"CVE-2026-47212: Twilio Notifier Webhook Parser Never Verifies the X-Twilio-Signature HMAC: Unauthenticated Webhook Event Injection","link":"https:\/\/symfony.com\/cve-2026-47212","cve":"CVE-2026-47212","affectedVersions":"\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-47212.yaml"}]},{"advisoryId":"PKSA-94ry-294g-7bbc","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45756.yaml","title":"CVE-2026-45756: JsonPath Evaluates Attacker-Controlled Regular Expressions in match()\/search() Without Limits: ReDoS","link":"https:\/\/symfony.com\/cve-2026-45756","cve":"CVE-2026-45756","affectedVersions":"\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45756.yaml"}]},{"advisoryId":"PKSA-13hy-qbkf-1ty7","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45077.yaml","title":"CVE-2026-45077: Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener","link":"https:\/\/symfony.com\/cve-2026-45077","cve":"CVE-2026-45077","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45077.yaml"}]},{"advisoryId":"PKSA-7tp5-63ss-rycr","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45069.yaml","title":"CVE-2026-45069: OidcTokenHandler Accepts JWTs Missing aud\/iss\/exp Claims","link":"https:\/\/symfony.com\/cve-2026-45069","cve":"CVE-2026-45069","affectedVersions":"\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45069.yaml"}]},{"advisoryId":"PKSA-29h7-kzb3-pdfy","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45073.yaml","title":"CVE-2026-45073: SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix","link":"https:\/\/symfony.com\/cve-2026-45073","cve":"CVE-2026-45073","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45073.yaml"}]},{"advisoryId":"PKSA-vty3-cvqg-rtn4","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45066.yaml","title":"CVE-2026-45066: HtmlSanitizer allowLinkHosts() \/ allowMediaHosts() Bypass via URL-Parser Differentials and \u003Carea\u003E Misclassification","link":"https:\/\/symfony.com\/cve-2026-45066","cve":"CVE-2026-45066","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45066.yaml"}]},{"advisoryId":"PKSA-t5z9-jvfg-zqhb","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45064.yaml","title":"CVE-2026-45064: HtmlSanitizer URL Attributes Pass Through BiDi Override Characters \u2192 Visual href Spoofing","link":"https:\/\/symfony.com\/cve-2026-45064","cve":"CVE-2026-45064","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45064.yaml"}]},{"advisoryId":"PKSA-1jhn-nv8n-vjk2","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45755.yaml","title":"CVE-2026-45755: Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC: Unauthenticated Webhook Event Injection","link":"https:\/\/symfony.com\/cve-2026-45755","cve":"CVE-2026-45755","affectedVersions":"\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45755.yaml"}]},{"advisoryId":"PKSA-wyg9-y12c-3kdv","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45063.yaml","title":"CVE-2026-45063: Identity Spoofing via Unanchored DN Regex in X509Authenticator","link":"https:\/\/symfony.com\/cve-2026-45063","cve":"CVE-2026-45063","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45063.yaml"}]},{"advisoryId":"PKSA-3f27-q682-kfn9","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45065.yaml","title":"CVE-2026-45065: UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation \u2192 Off-Site \/\/host URL Injection","link":"https:\/\/symfony.com\/cve-2026-45065","cve":"CVE-2026-45065","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45065.yaml"}]},{"advisoryId":"PKSA-92n4-ftnd-xj82","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-46626.yaml","title":"CVE-2026-46626: SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV\/APP_DEBUG via parse_str\/SAPI Argv Mismatch","link":"https:\/\/symfony.com\/cve-2026-46626","cve":"CVE-2026-46626","affectedVersions":"\u003E=5.4.46,\u003C5.4.52|\u003E=6.4.14,\u003C6.4.40|\u003E=7.1.7,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-46626.yaml"}]},{"advisoryId":"PKSA-z2fd-3m4y-rrss","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45067.yaml","title":"CVE-2026-45067: Email Header \/ SMTP Command Injection via CRLF in Symfony\\Component\\Mime\\Address","link":"https:\/\/symfony.com\/cve-2026-45067","cve":"CVE-2026-45067","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45067.yaml"}]},{"advisoryId":"PKSA-mbth-mcd4-2tr8","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45074.yaml","title":"CVE-2026-45074: Cas2Handler Derives CAS service URL from Client Host Header \u2192 Cross-Service Ticket Replay","link":"https:\/\/symfony.com\/cve-2026-45074","cve":"CVE-2026-45074","affectedVersions":"\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45074.yaml"}]},{"advisoryId":"PKSA-wps4-zyhx-xws4","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45133.yaml","title":"CVE-2026-45133: YAML Parser Stack Exhaustion via Unbounded Recursion in Nested Blocks, Sequences, and Mappings","link":"https:\/\/symfony.com\/cve-2026-45133","cve":"CVE-2026-45133","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45133.yaml"}]},{"advisoryId":"PKSA-smg5-pq2q-kjkh","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45072.yaml","title":"CVE-2026-45072: Stored XSS in WebProfiler CodeExtension::fileExcerpt(): Unescaped Non-PHP File Rendering","link":"https:\/\/symfony.com\/cve-2026-45072","cve":"CVE-2026-45072","affectedVersions":"\u003E=6.4.24,\u003C6.4.40|\u003E=7.2.9,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45072.yaml"}]},{"advisoryId":"PKSA-xxm6-3p32-rqz7","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45075.yaml","title":"CVE-2026-45075: HEAD Request Bypasses methods: [\u0027GET\u0027] Filter in #[IsGranted] \/ #[IsSignatureValid] \/ #[IsCsrfTokenValid]","link":"https:\/\/symfony.com\/cve-2026-45075","cve":"CVE-2026-45075","affectedVersions":"\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45075.yaml"}]}],"symfony\/yaml":[{"advisoryId":"PKSA-v5yj-8nmz-sk2q","packageName":"symfony\/yaml","remoteId":"symfony\/yaml\/CVE-2026-45304.yaml","title":"CVE-2026-45304: YAML Parser Exponential Memory Allocation via Recursive Collection-Alias Expansion (\u0022Billion Laughs\u0022)","link":"https:\/\/symfony.com\/cve-2026-45304","cve":"CVE-2026-45304","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/yaml\/CVE-2026-45304.yaml"}]},{"advisoryId":"PKSA-ft77-7h5f-p3r6","packageName":"symfony\/yaml","remoteId":"symfony\/yaml\/CVE-2026-45305.yaml","title":"CVE-2026-45305: YAML Parser ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex","link":"https:\/\/symfony.com\/cve-2026-45305","cve":"CVE-2026-45305","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/yaml\/CVE-2026-45305.yaml"}]},{"advisoryId":"PKSA-b14r-zh1d-vdrc","packageName":"symfony\/yaml","remoteId":"symfony\/yaml\/CVE-2026-45133.yaml","title":"CVE-2026-45133: YAML Parser Stack Exhaustion via Unbounded Recursion in Nested Blocks, Sequences, and Mappings","link":"https:\/\/symfony.com\/cve-2026-45133","cve":"CVE-2026-45133","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/yaml\/CVE-2026-45133.yaml"}]}],"symfony\/mime":[{"advisoryId":"PKSA-wtxr-p26d-nn42","packageName":"symfony\/mime","remoteId":"symfony\/mime\/CVE-2026-45070.yaml","title":"CVE-2026-45070: Email Header Injection via Non-Token Characters in Mime Parameter Names","link":"https:\/\/symfony.com\/cve-2026-45070","cve":"CVE-2026-45070","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/mime\/CVE-2026-45070.yaml"}]},{"advisoryId":"PKSA-2n2k-66v2-bwg3","packageName":"symfony\/mime","remoteId":"symfony\/mime\/CVE-2026-45067.yaml","title":"CVE-2026-45067: Email Header \/ SMTP Command Injection via CRLF in Symfony\\Component\\Mime\\Address","link":"https:\/\/symfony.com\/cve-2026-45067","cve":"CVE-2026-45067","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/mime\/CVE-2026-45067.yaml"}]}],"symfony\/security-http":[{"advisoryId":"PKSA-jzjr-4n2h-knvd","packageName":"symfony\/security-http","remoteId":"symfony\/security-http\/CVE-2026-45069.yaml","title":"CVE-2026-45069: OidcTokenHandler Accepts JWTs Missing aud\/iss\/exp Claims","link":"https:\/\/symfony.com\/cve-2026-45069","cve":"CVE-2026-45069","affectedVersions":"\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/security-http\/CVE-2026-45069.yaml"}]},{"advisoryId":"PKSA-tbsf-h7vc-j7hn","packageName":"symfony\/security-http","remoteId":"symfony\/security-http\/CVE-2026-45063.yaml","title":"CVE-2026-45063: Identity Spoofing via Unanchored DN Regex in X509Authenticator","link":"https:\/\/symfony.com\/cve-2026-45063","cve":"CVE-2026-45063","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/security-http\/CVE-2026-45063.yaml"}]},{"advisoryId":"PKSA-5df2-zpfk-xgsv","packageName":"symfony\/security-http","remoteId":"symfony\/security-http\/CVE-2026-45074.yaml","title":"CVE-2026-45074: Cas2Handler Derives CAS service URL from Client Host Header \u2192 Cross-Service Ticket Replay","link":"https:\/\/symfony.com\/cve-2026-45074","cve":"CVE-2026-45074","affectedVersions":"\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/security-http\/CVE-2026-45074.yaml"}]},{"advisoryId":"PKSA-4tmc-tz3m-9xpb","packageName":"symfony\/security-http","remoteId":"symfony\/security-http\/CVE-2026-45075.yaml","title":"CVE-2026-45075: HEAD Request Bypasses methods: [\u0027GET\u0027] Filter in #[IsGranted] \/ #[IsSignatureValid] \/ #[IsCsrfTokenValid]","link":"https:\/\/symfony.com\/cve-2026-45075","cve":"CVE-2026-45075","affectedVersions":"\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/security-http\/CVE-2026-45075.yaml"}]}],"symfony\/http-kernel":[{"advisoryId":"PKSA-dw7n-x7f5-zf63","packageName":"symfony\/http-kernel","remoteId":"symfony\/http-kernel\/CVE-2026-45075.yaml","title":"CVE-2026-45075: HEAD Request Bypasses methods: [\u0027GET\u0027] Filter in #[IsGranted] \/ #[IsSignatureValid] \/ #[IsCsrfTokenValid]","link":"https:\/\/symfony.com\/cve-2026-45075","cve":"CVE-2026-45075","affectedVersions":"\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/http-kernel\/CVE-2026-45075.yaml"}]}],"symfony\/monolog-bridge":[{"advisoryId":"PKSA-4wjj-gy1p-ft3r","packageName":"symfony\/monolog-bridge","remoteId":"symfony\/monolog-bridge\/CVE-2026-45077.yaml","title":"CVE-2026-45077: Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener","link":"https:\/\/symfony.com\/cve-2026-45077","cve":"CVE-2026-45077","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/monolog-bridge\/CVE-2026-45077.yaml"}]}],"symfony\/twilio-notifier":[{"advisoryId":"PKSA-fgw6-3k5j-cfkn","packageName":"symfony\/twilio-notifier","remoteId":"symfony\/twilio-notifier\/CVE-2026-47212.yaml","title":"CVE-2026-47212: Twilio Notifier Webhook Parser Never Verifies the X-Twilio-Signature HMAC: Unauthenticated Webhook Event Injection","link":"https:\/\/symfony.com\/cve-2026-47212","cve":"CVE-2026-47212","affectedVersions":"\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/twilio-notifier\/CVE-2026-47212.yaml"}]}],"symfony\/routing":[{"advisoryId":"PKSA-yc7t-91v9-99xs","packageName":"symfony\/routing","remoteId":"symfony\/routing\/CVE-2026-45065.yaml","title":"CVE-2026-45065: UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation \u2192 Off-Site \/\/host URL Injection","link":"https:\/\/symfony.com\/cve-2026-45065","cve":"CVE-2026-45065","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/routing\/CVE-2026-45065.yaml"}]}],"symfony\/dom-crawler":[{"advisoryId":"PKSA-5r1g-c7b7-y1zg","packageName":"symfony\/dom-crawler","remoteId":"symfony\/dom-crawler\/CVE-2026-45071.yaml","title":"CVE-2026-45071: XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true","link":"https:\/\/symfony.com\/cve-2026-45071","cve":"CVE-2026-45071","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/dom-crawler\/CVE-2026-45071.yaml"}]}],"symfony\/twig-bridge":[{"advisoryId":"PKSA-11dz-rdmf-vfgt","packageName":"symfony\/twig-bridge","remoteId":"symfony\/twig-bridge\/CVE-2026-45072.yaml","title":"CVE-2026-45072: Stored XSS in WebProfiler CodeExtension::fileExcerpt(): Unescaped Non-PHP File Rendering","link":"https:\/\/symfony.com\/cve-2026-45072","cve":"CVE-2026-45072","affectedVersions":"\u003E=6.4.24,\u003C6.4.40","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/twig-bridge\/CVE-2026-45072.yaml"}]}],"symfony\/cache":[{"advisoryId":"PKSA-z7t6-zt6p-wtng","packageName":"symfony\/cache","remoteId":"symfony\/cache\/CVE-2026-45073.yaml","title":"CVE-2026-45073: SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix","link":"https:\/\/symfony.com\/cve-2026-45073","cve":"CVE-2026-45073","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/cache\/CVE-2026-45073.yaml"}]}],"symfony\/json-path":[{"advisoryId":"PKSA-rj1d-mpts-8wrt","packageName":"symfony\/json-path","remoteId":"symfony\/json-path\/CVE-2026-45756.yaml","title":"CVE-2026-45756: JsonPath Evaluates Attacker-Controlled Regular Expressions in match()\/search() Without Limits: ReDoS","link":"https:\/\/symfony.com\/cve-2026-45756","cve":"CVE-2026-45756","affectedVersions":"\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/json-path\/CVE-2026-45756.yaml"}]}],"symfony\/mailer":[{"advisoryId":"PKSA-28rh-rzzn-djk4","packageName":"symfony\/mailer","remoteId":"symfony\/mailer\/CVE-2026-45068.yaml","title":"CVE-2026-45068: Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address","link":"https:\/\/symfony.com\/cve-2026-45068","cve":"CVE-2026-45068","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/mailer\/CVE-2026-45068.yaml"}]}],"symfony\/html-sanitizer":[{"advisoryId":"PKSA-q2wy-m7mz-kg58","packageName":"symfony\/html-sanitizer","remoteId":"symfony\/html-sanitizer\/CVE-2026-45753.yaml","title":"CVE-2026-45753: HtmlSanitizer UrlAttributeSanitizer Omits action\/formaction\/poster\/cite: javascript: URI Survives Sanitization (XSS)","link":"https:\/\/symfony.com\/cve-2026-45753","cve":"CVE-2026-45753","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/html-sanitizer\/CVE-2026-45753.yaml"}]},{"advisoryId":"PKSA-jwvg-gphd-brbz","packageName":"symfony\/html-sanitizer","remoteId":"symfony\/html-sanitizer\/CVE-2026-45066.yaml","title":"CVE-2026-45066: HtmlSanitizer allowLinkHosts() \/ allowMediaHosts() Bypass via URL-Parser Differentials and \u003Carea\u003E Misclassification","link":"https:\/\/symfony.com\/cve-2026-45066","cve":"CVE-2026-45066","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/html-sanitizer\/CVE-2026-45066.yaml"}]},{"advisoryId":"PKSA-4fc7-y875-17k3","packageName":"symfony\/html-sanitizer","remoteId":"symfony\/html-sanitizer\/CVE-2026-45064.yaml","title":"CVE-2026-45064: HtmlSanitizer URL Attributes Pass Through BiDi Override Characters \u2192 Visual href Spoofing","link":"https:\/\/symfony.com\/cve-2026-45064","cve":"CVE-2026-45064","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/html-sanitizer\/CVE-2026-45064.yaml"}]}],"symfony\/runtime":[{"advisoryId":"PKSA-py8y-z9q7-q197","packageName":"symfony\/runtime","remoteId":"symfony\/runtime\/CVE-2026-46626.yaml","title":"CVE-2026-46626: SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV\/APP_DEBUG via parse_str\/SAPI Argv Mismatch","link":"https:\/\/symfony.com\/cve-2026-46626","cve":"CVE-2026-46626","affectedVersions":"\u003E=5.4.46,\u003C5.4.52|\u003E=6.4.14,\u003C6.4.40|\u003E=7.1.7,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/runtime\/CVE-2026-46626.yaml"}]}],"symfony\/web-profiler-bundle":[{"advisoryId":"PKSA-rg9h-crk2-m8zt","packageName":"symfony\/web-profiler-bundle","remoteId":"symfony\/web-profiler-bundle\/CVE-2026-45072.yaml","title":"CVE-2026-45072: Stored XSS in WebProfiler CodeExtension::fileExcerpt(): Unescaped Non-PHP File Rendering","link":"https:\/\/symfony.com\/cve-2026-45072","cve":"CVE-2026-45072","affectedVersions":"\u003E=7.2.9,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/web-profiler-bundle\/CVE-2026-45072.yaml"}]}],"twig\/twig":[{"advisoryId":"PKSA-5k7f-wvjj-jrgw","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-46640.yaml","title":"Arbitrary PHP code execution via `_self.(\u003Cstring\u003E)` macro-reference compilation","link":"https:\/\/symfony.com\/cve-2026-46640","cve":"CVE-2026-46640","affectedVersions":"\u003E=3.15.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-46640.yaml"}]},{"advisoryId":"PKSA-sjvz-tbbr-vwth","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-46628.yaml","title":"The `spaceless` filter implicitly marks its output as safe","link":"https:\/\/symfony.com\/cve-2026-46628","cve":"CVE-2026-46628","affectedVersions":"\u003E=1.0.0,\u003C2.0.0|\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-46628.yaml"}]},{"advisoryId":"PKSA-h8hf-ytnd-5t9q","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-46633.yaml","title":"PHP code injection via `{% use %}` template name","link":"https:\/\/symfony.com\/cve-2026-46633","cve":"CVE-2026-46633","affectedVersions":"\u003E=1.0.0,\u003C2.0.0|\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-46633.yaml"}]},{"advisoryId":"PKSA-wwb1-81rc-pd65","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-47730.yaml","title":"XSS in profiler HtmlDumper via unescaped template and profile names","link":"https:\/\/symfony.com\/cve-2026-47730","cve":"CVE-2026-47730","affectedVersions":"\u003E=3.0.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-47730.yaml"}]},{"advisoryId":"PKSA-hgmw-wn4d-hpcy","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-46639.yaml","title":"Sandbox property and method bypass via object-destructuring assignment","link":"https:\/\/symfony.com\/cve-2026-46639","cve":"CVE-2026-46639","affectedVersions":"\u003E=3.24.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-46639.yaml"}]},{"advisoryId":"PKSA-kvv6-36cr-fkzb","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-46627.yaml","title":"Sandbox does not protect against resource exhaustion","link":"https:\/\/symfony.com\/cve-2026-46627","cve":"CVE-2026-46627","affectedVersions":"\u003E=1.0.0,\u003C2.0.0|\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-46627.yaml"}]},{"advisoryId":"PKSA-n14z-jjjg-g8vd","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-46635.yaml","title":"Sandbox property allowlist bypass via the `column` filter (array_column on objects)","link":"https:\/\/symfony.com\/cve-2026-46635","cve":"CVE-2026-46635","affectedVersions":"\u003E=1.0.0,\u003C2.0.0|\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-46635.yaml"}]},{"advisoryId":"PKSA-3mcc-k66d-pydb","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-46638.yaml","title":"`{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411)","link":"https:\/\/symfony.com\/cve-2026-46638","cve":"CVE-2026-46638","affectedVersions":"\u003E=1.0.0,\u003C2.0.0|\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-46638.yaml"}]},{"advisoryId":"PKSA-gw7n-z4yx-7xjt","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-24425.yaml","title":"Possible sandbox bypass when using a source policy","link":"https:\/\/symfony.com\/cve-2026-24425","cve":"CVE-2026-24425","affectedVersions":"\u003E=2.16.0,\u003C3.0.0|\u003E=3.9.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-24425.yaml"}]},{"advisoryId":"PKSA-dpx1-78wg-1kqs","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-47732.yaml","title":"Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points","link":"https:\/\/symfony.com\/cve-2026-47732","cve":"CVE-2026-47732","affectedVersions":"\u003E=1.0.0,\u003C2.0.0|\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-47732.yaml"}]},{"advisoryId":"PKSA-21g2-dzjv-sky5","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-46634.yaml","title":"`template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name","link":"https:\/\/symfony.com\/cve-2026-46634","cve":"CVE-2026-46634","affectedVersions":"\u003E=3.9.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-46634.yaml"}]}],"twig\/markdown-extra":[{"advisoryId":"PKSA-7b1y-jwqf-x6v6","packageName":"twig\/markdown-extra","remoteId":"twig\/markdown-extra\/CVE-2026-46637.yaml","title":"HTML-output filters in twig\/* extras incorrectly declared `is_safe =\u003E [\u0027all\u0027]`","link":"https:\/\/symfony.com\/cve-2026-46637","cve":"CVE-2026-46637","affectedVersions":"\u003E=2.12.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/markdown-extra\/CVE-2026-46637.yaml"}]}],"twig\/intl-extra":[{"advisoryId":"PKSA-2rbx-bjdx-4d4d","packageName":"twig\/intl-extra","remoteId":"twig\/intl-extra\/CVE-2026-46629.yaml","title":"Unbounded formatter memoisation in twig\/intl-extra keyed on template-controlled arguments","link":"https:\/\/symfony.com\/cve-2026-46629","cve":"CVE-2026-46629","affectedVersions":"\u003E=2.12.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/intl-extra\/CVE-2026-46629.yaml"}]}],"twig\/cssinliner-extra":[{"advisoryId":"PKSA-fs5b-x5k4-1h39","packageName":"twig\/cssinliner-extra","remoteId":"twig\/cssinliner-extra\/CVE-2026-46637.yaml","title":"HTML-output filters in twig\/* extras incorrectly declared `is_safe =\u003E [\u0027all\u0027]`","link":"https:\/\/symfony.com\/cve-2026-46637","cve":"CVE-2026-46637","affectedVersions":"\u003E=2.12.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/cssinliner-extra\/CVE-2026-46637.yaml"}]}],"setasign\/fpdi":[{"advisoryId":"PKSA-37cw-b473-k9np","packageName":"setasign\/fpdi","remoteId":"GHSA-2mgw-7q6p-8grg","title":"FPDI: Memory Exhaustion and Endless Loop in FPDI leads to Denial of Service","link":"https:\/\/github.com\/advisories\/GHSA-2mgw-7q6p-8grg","cve":"CVE-2026-45802","affectedVersions":"\u003C2.6.7","source":"GitHub","reportedAt":"2026-05-19 19:56:17","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-2mgw-7q6p-8grg"}]}],"wwbn\/avideo":[{"advisoryId":"PKSA-2zy4-bynz-m2w3","packageName":"wwbn\/avideo","remoteId":"GHSA-w4qq-74h6-58wq","title":"AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view\/img\/image404Raw.php`","link":"https:\/\/github.com\/advisories\/GHSA-w4qq-74h6-58wq","cve":"CVE-2026-46337","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-19 16:25:27","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-w4qq-74h6-58wq"}]},{"advisoryId":"PKSA-qsmt-54t8-4cfb","packageName":"wwbn\/avideo","remoteId":"GHSA-3mjv-375j-6h92","title":"AVideo: Authenticated Arbitrary File Read in view\/update.php","link":"https:\/\/github.com\/advisories\/GHSA-3mjv-375j-6h92","cve":"CVE-2026-45731","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-18 19:01:59","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3mjv-375j-6h92"}]},{"advisoryId":"PKSA-23zk-pg8x-sksb","packageName":"wwbn\/avideo","remoteId":"GHSA-vpfx-pxqw-2w79","title":"AVideo CVE-2026-43881 incomplete fix - `objects\/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024`","link":"https:\/\/github.com\/advisories\/GHSA-vpfx-pxqw-2w79","cve":"CVE-2026-45620","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-18 13:30:05","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-vpfx-pxqw-2w79"}]},{"advisoryId":"PKSA-rjrh-w2j8-5qv7","packageName":"wwbn\/avideo","remoteId":"GHSA-xw67-cg5f-4m2r","title":"AVideo: OS command injection in on_publish.php execAsync via unescaped m3u8 URL","link":"https:\/\/github.com\/advisories\/GHSA-xw67-cg5f-4m2r","cve":"CVE-2026-45578","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-15 18:32:36","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xw67-cg5f-4m2r"}]},{"advisoryId":"PKSA-wfgs-zzz2-wqdc","packageName":"wwbn\/avideo","remoteId":"GHSA-m5j4-7r85-2cj2","title":"AVideo: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute","link":"https:\/\/github.com\/advisories\/GHSA-m5j4-7r85-2cj2","cve":"CVE-2026-45580","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-15 18:33:58","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-m5j4-7r85-2cj2"}]},{"advisoryId":"PKSA-p6p4-r212-wdgb","packageName":"wwbn\/avideo","remoteId":"GHSA-3mv2-vmwh-rwfx","title":"AVideo: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim\u0027s 2FA","link":"https:\/\/github.com\/advisories\/GHSA-3mv2-vmwh-rwfx","cve":"CVE-2026-45610","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-15 18:34:57","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3mv2-vmwh-rwfx"}]},{"advisoryId":"PKSA-fc5p-jrjx-1jy4","packageName":"wwbn\/avideo","remoteId":"GHSA-c3ch-22rq-xfwr","title":"AVideo CVE-2026-43884 incomplete fix - six (or more) `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post-`603e7bf`","link":"https:\/\/github.com\/advisories\/GHSA-c3ch-22rq-xfwr","cve":"CVE-2026-45619","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-15 18:35:38","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-c3ch-22rq-xfwr"}]},{"advisoryId":"PKSA-psg4-6wzm-s4q8","packageName":"wwbn\/avideo","remoteId":"GHSA-qxvm-r42f-5p8j","title":"AVideo\u0027s Meet plugin: `uploadRecordedVideo.json.php` derives `users_id` from the uploaded filename and calls passwordless `User-\u003Elogin()`, allowing any caller with the Meet shared secret to obtain a session as arbitrary users including admin","link":"https:\/\/github.com\/advisories\/GHSA-qxvm-r42f-5p8j","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-15 18:17:19","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-qxvm-r42f-5p8j"}]}],"sulu\/sulu":[{"advisoryId":"PKSA-2mt7-sd38-1xng","packageName":"sulu\/sulu","remoteId":"GHSA-9m6v-8fxc-4r44","title":"Sulu: Used API Keys may be available via Admin API","link":"https:\/\/github.com\/advisories\/GHSA-9m6v-8fxc-4r44","cve":null,"affectedVersions":"\u003C=2.6.22|\u003E=3.0.0-alpha1,\u003C=3.0.5","source":"GitHub","reportedAt":"2026-05-18 17:34:06","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-9m6v-8fxc-4r44"}]},{"advisoryId":"PKSA-psv3-gm5n-8wm5","packageName":"sulu\/sulu","remoteId":"GHSA-7fv8-6pp7-6h85","title":"Sulu: Weak Cryptographical usage for API Key generation and Reset Tokens","link":"https:\/\/github.com\/advisories\/GHSA-7fv8-6pp7-6h85","cve":"CVE-2026-45701","affectedVersions":"\u003C=2.6.22|\u003E=3.0.0-alpha1,\u003C=3.0.5","source":"GitHub","reportedAt":"2026-05-18 17:27:22","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-7fv8-6pp7-6h85"}]}],"verbb\/formie":[{"advisoryId":"PKSA-snft-3cv8-v5p5","packageName":"verbb\/formie","remoteId":"GHSA-x7m9-mwc2-g6w2","title":"Formie: Pre-authenticated server-side template injection in Hidden fields","link":"https:\/\/github.com\/advisories\/GHSA-x7m9-mwc2-g6w2","cve":"CVE-2026-45697","affectedVersions":"\u003C2.2.20|\u003E=3.0.0-beta.1,\u003C3.1.24","source":"GitHub","reportedAt":"2026-05-18 17:23:39","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-x7m9-mwc2-g6w2"}]}],"librenms\/librenms":[{"advisoryId":"PKSA-g8mh-y1x4-3d27","packageName":"librenms\/librenms","remoteId":"GHSA-5gm9-622f-qcg5","title":"LibreNMS: Cross-Site Scripting in ShowConfigController","link":"https:\/\/github.com\/advisories\/GHSA-5gm9-622f-qcg5","cve":"CVE-2026-2728","affectedVersions":"\u003E=25.12.0,\u003C26.3.0","source":"GitHub","reportedAt":"2026-05-18 17:00:49","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-5gm9-622f-qcg5"}]}],"shopper\/framework":[{"advisoryId":"PKSA-vtqh-k648-prz7","packageName":"shopper\/framework","remoteId":"GHSA-f946-9qp6-vgch","title":"shopper\/framework: Authorization bypass in multiple Livewire admin components","link":"https:\/\/github.com\/advisories\/GHSA-f946-9qp6-vgch","cve":null,"affectedVersions":"\u003C2.8.0","source":"GitHub","reportedAt":"2026-05-18 16:34:23","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-f946-9qp6-vgch"}]}],"shopper\/cart":[{"advisoryId":"PKSA-92pp-1wvt-fk91","packageName":"shopper\/cart","remoteId":"GHSA-9rh9-hf3w-9fgg","title":"shopper\/framework: Race condition on Discount.usage_limit allows silent over-redemption","link":"https:\/\/github.com\/advisories\/GHSA-9rh9-hf3w-9fgg","cve":null,"affectedVersions":"\u003C2.8.0","source":"GitHub","reportedAt":"2026-05-18 16:37:20","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-9rh9-hf3w-9fgg"}]}],"ci4-cms-erp\/ci4ms":[{"advisoryId":"PKSA-x2rt-sj8n-h21z","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-245j-xjvr-xvm5","title":"CI4MS Fileeditor allows deletion and rename of critical application files due to missing extension allowlist on destructive operations","link":"https:\/\/github.com\/advisories\/GHSA-245j-xjvr-xvm5","cve":"CVE-2026-45139","affectedVersions":"\u003C=0.31.8.0","source":"GitHub","reportedAt":"2026-05-18 16:21:17","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-245j-xjvr-xvm5"}]},{"advisoryId":"PKSA-cfx9-7tcq-n157","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-gqr2-7hcg-rchf","title":"CI4MS: Stored XSS in Pages Module Content via Broken html_purify Validation Rule","link":"https:\/\/github.com\/advisories\/GHSA-gqr2-7hcg-rchf","cve":"CVE-2026-45270","affectedVersions":"\u003C=0.31.8.0","source":"GitHub","reportedAt":"2026-05-18 16:23:34","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-gqr2-7hcg-rchf"}]},{"advisoryId":"PKSA-7xbg-9dns-gxm5","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-2m69-jmvh-6chr","title":"CI4MS: Stored XSS in Blog Content via Broken `html_purify` Validation Rule","link":"https:\/\/github.com\/advisories\/GHSA-2m69-jmvh-6chr","cve":"CVE-2026-45138","affectedVersions":"\u003C=0.31.8.0","source":"GitHub","reportedAt":"2026-05-18 15:39:33","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-2m69-jmvh-6chr"}]}],"statamic\/cms":[{"advisoryId":"PKSA-7fht-jznj-7mgv","packageName":"statamic\/cms","remoteId":"GHSA-pf9c-ch8r-2958","title":"Statamic CMS: Server-Side Request Forgery via Glide","link":"https:\/\/github.com\/advisories\/GHSA-pf9c-ch8r-2958","cve":"CVE-2026-45660","affectedVersions":"\u003E=6.0.0-alpha.1,\u003C6.18.1|\u003C5.73.22","source":"GitHub","reportedAt":"2026-05-18 15:32:43","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-pf9c-ch8r-2958"}]}],"code16\/sharp":[{"advisoryId":"PKSA-h9kt-ss6k-xq4z","packageName":"code16\/sharp","remoteId":"GHSA-748w-hm6r-qc7v","title":"Authenticated Sharp users can download unrelated Laravel Storage objects through the generic download endpoint","link":"https:\/\/github.com\/advisories\/GHSA-748w-hm6r-qc7v","cve":"CVE-2026-44692","affectedVersions":"\u003C9.22.0","source":"GitHub","reportedAt":"2026-05-15 18:01:03","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-748w-hm6r-qc7v"}]}],"simplesamlphp\/simplesamlphp-module-casserver":[{"advisoryId":"PKSA-4zw8-rhj7-ftzt","packageName":"simplesamlphp\/simplesamlphp-module-casserver","remoteId":"GHSA-jrrg-99xh-5j2q","title":"SimpleSAMLphp casserver FileSystemTicketStore path traversal allows out-of-ticket-directory read\/unserialize and conditional deletion","link":"https:\/\/github.com\/advisories\/GHSA-jrrg-99xh-5j2q","cve":"CVE-2026-46491","affectedVersions":"\u003C=7.0.2","source":"GitHub","reportedAt":"2026-05-15 18:07:51","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-jrrg-99xh-5j2q"}]},{"advisoryId":"PKSA-5vs1-v1t7-v5tj","packageName":"simplesamlphp\/simplesamlphp-module-casserver","remoteId":"GHSA-cvrm-5hp6-h523","title":"SimpleSAMLphp casserver: Open Redirect in logout","link":"https:\/\/github.com\/advisories\/GHSA-cvrm-5hp6-h523","cve":"CVE-2025-65954","affectedVersions":"\u003C6.3.1|\u003E=7.0.0-rc1,\u003C7.0.0-rc3","source":"GitHub","reportedAt":"2026-05-15 16:21:13","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-cvrm-5hp6-h523"}]}],"nukeviet\/nukeviet":[{"advisoryId":"PKSA-3wj7-33bv-rdwf","packageName":"nukeviet\/nukeviet","remoteId":"GHSA-64rr-pp78-62ww","title":"NukeViet CMS: Stored Cross-Site Scripting (XSS) via insufficient server-side input sanitization in Request class","link":"https:\/\/github.com\/advisories\/GHSA-64rr-pp78-62ww","cve":"CVE-2026-41147","affectedVersions":"\u003C=4.4.01","source":"GitHub","reportedAt":"2026-05-15 16:45:03","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-64rr-pp78-62ww"}]}],"composer\/composer":[{"advisoryId":"PKSA-pwvr-3754-v57r","packageName":"composer\/composer","remoteId":"composer\/composer\/CVE-2026-45793.yaml","title":"Github Actions issued GITHUB_TOKEN disclosure in GitHub Actions logs","link":"https:\/\/github.com\/composer\/composer\/security\/advisories\/GHSA-f9f8-rm49-7jv2","cve":"CVE-2026-45793","affectedVersions":"\u003E=2.3,\u003C2.9.8|\u003E=2.0.0,\u003C2.2.28|\u003E=1.0,\u003C1.10.28","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-13 07:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"composer\/composer\/CVE-2026-45793.yaml"},{"name":"GitHub","remoteId":"GHSA-f9f8-rm49-7jv2"}]}]}}