{"advisories":{"froxlor\/froxlor":[{"advisoryId":"PKSA-vtjk-w45q-7qyz","packageName":"froxlor\/froxlor","remoteId":"GHSA-mq5v-pxpm-8jw2","title":"Froxlor has privilege escalation in SSH key synchronization via symlinked `authorized_keys` path","link":"https:\/\/github.com\/advisories\/GHSA-mq5v-pxpm-8jw2","cve":"CVE-2026-41236","affectedVersions":"=2.3.6","source":"GitHub","reportedAt":"2026-05-29 15:40:23","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-mq5v-pxpm-8jw2"}]},{"advisoryId":"PKSA-sn72-k1q6-w5r5","packageName":"froxlor\/froxlor","remoteId":"GHSA-j6fm-9rfm-j5hx","title":"Froxlor has an incomplete fix for CVE-2026-30932","link":"https:\/\/github.com\/advisories\/GHSA-j6fm-9rfm-j5hx","cve":"CVE-2026-41237","affectedVersions":"\u003C=2.3.6","source":"GitHub","reportedAt":"2026-05-29 15:45:31","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-j6fm-9rfm-j5hx"}]},{"advisoryId":"PKSA-yjh3-nghh-xpft","packageName":"froxlor\/froxlor","remoteId":"GHSA-gcv3-5v9q-fmhh","title":"Froxlor has an authorization bypass in FTP shell assignment via missing server-side `available_shells` enforcement","link":"https:\/\/github.com\/advisories\/GHSA-gcv3-5v9q-fmhh","cve":"CVE-2026-41235","affectedVersions":"=2.3.6","source":"GitHub","reportedAt":"2026-05-29 15:36:26","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-gcv3-5v9q-fmhh"}]}],"symfony\/ux-live-component":[{"advisoryId":"PKSA-kwkg-rq7h-gh18","packageName":"symfony\/ux-live-component","remoteId":"symfony\/ux-live-component\/CVE-2026-49208.yaml","title":"symfony\/ux-live-component Format-less date LiveProps parsed with the permissive DateTime constructor","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-89g7-22c8-3j23","cve":"CVE-2026-49208","affectedVersions":"\u003E=2.8.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-live-component\/CVE-2026-49208.yaml"}]},{"advisoryId":"PKSA-tv34-cfvx-rr9r","packageName":"symfony\/ux-live-component","remoteId":"symfony\/ux-live-component\/CVE-2026-49209.yaml","title":"symfony\/ux-live-component Denial of service via unbounded batch action requests","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-mm82-c99c-h2cf","cve":"CVE-2026-49209","affectedVersions":"\u003E=2.5.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-live-component\/CVE-2026-49209.yaml"}]},{"advisoryId":"PKSA-ks3q-z9y3-61pz","packageName":"symfony\/ux-live-component","remoteId":"symfony\/ux-live-component\/CVE-2026-49215.yaml","title":"symfony\/ux-live-component CSRF Protection Bypass: Accept Header is CORS-Safelisted","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-4m4j-hmqq-3gxm","cve":"CVE-2026-49215","affectedVersions":"\u003E=2.22.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-live-component\/CVE-2026-49215.yaml"}]},{"advisoryId":"PKSA-87hx-5gp4-x12b","packageName":"symfony\/ux-live-component","remoteId":"symfony\/ux-live-component\/CVE-2026-49210.yaml","title":"symfony\/ux-live-component XSS via attacker-controlled child component tag","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-38x5-rcv4-xf7x","cve":"CVE-2026-49210","affectedVersions":"\u003E=2.8.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-live-component\/CVE-2026-49210.yaml"}]},{"advisoryId":"PKSA-wxdb-kw41-yhdy","packageName":"symfony\/ux-live-component","remoteId":"symfony\/ux-live-component\/CVE-2026-49212.yaml","title":"symfony\/ux-live-component LiveComponentHydrator HMAC checksum lacks component and slot binding","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-34w5-c283-j9fg","cve":"CVE-2026-49212","affectedVersions":"\u003E=2.8.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-live-component\/CVE-2026-49212.yaml"}]}],"symfony\/ux-autocomplete":[{"advisoryId":"PKSA-q7f1-2s55-5c1z","packageName":"symfony\/ux-autocomplete","remoteId":"symfony\/ux-autocomplete\/CVE-2026-49216.yaml","title":"symfony\/ux-autocomplete XSS via unescaped AJAX response data","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-mwqm-4fw3-cjvr","cve":"CVE-2026-49216","affectedVersions":"\u003E=2.2.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-autocomplete\/CVE-2026-49216.yaml"}]},{"advisoryId":"PKSA-msh7-gxqk-k56q","packageName":"symfony\/ux-autocomplete","remoteId":"symfony\/ux-autocomplete\/CVE-2026-49211.yaml","title":"symfony\/ux-autocomplete Information exposure via unescaped LIKE wildcards in EntitySearchUtil","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-946h-jp5c-8fvh","cve":"CVE-2026-49211","affectedVersions":"\u003E=2.2.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-autocomplete\/CVE-2026-49211.yaml"}]}],"pimcore\/pimcore":[{"advisoryId":"PKSA-vd5r-2gyh-m6cc","packageName":"pimcore\/pimcore","remoteId":"GHSA-jwcc-gv4m-93x6","title":"Pimcore has a CustomReports Share Bypass","link":"https:\/\/github.com\/advisories\/GHSA-jwcc-gv4m-93x6","cve":"CVE-2026-45704","affectedVersions":"\u003C=12.3.5","source":"GitHub","reportedAt":"2026-05-27 22:34:01","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-jwcc-gv4m-93x6"}]},{"advisoryId":"PKSA-v5bg-33q7-q8zj","packageName":"pimcore\/pimcore","remoteId":"GHSA-332x-r494-54fq","title":"Pimcore has a WordExport Authorization Bypass for Unauthorized Document Export","link":"https:\/\/github.com\/advisories\/GHSA-332x-r494-54fq","cve":"CVE-2026-45703","affectedVersions":"\u003C=12.3.6","source":"GitHub","reportedAt":"2026-05-27 22:27:18","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-332x-r494-54fq"}]},{"advisoryId":"PKSA-y4yc-6g1b-qfqz","packageName":"pimcore\/pimcore","remoteId":"GHSA-wc7j-g8wx-m2qx","title":"Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling","link":"https:\/\/github.com\/advisories\/GHSA-wc7j-g8wx-m2qx","cve":"CVE-2026-45260","affectedVersions":"\u003C=12.3.6","source":"GitHub","reportedAt":"2026-05-27 17:17:18","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-wc7j-g8wx-m2qx"}]},{"advisoryId":"PKSA-882j-k212-wjbf","packageName":"pimcore\/pimcore","remoteId":"GHSA-36fc-7wjg-mfvj","title":"Pimcore has Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction","link":"https:\/\/github.com\/advisories\/GHSA-36fc-7wjg-mfvj","cve":"CVE-2026-45162","affectedVersions":"\u003C=12.3.6","source":"GitHub","reportedAt":"2026-05-27 16:57:04","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-36fc-7wjg-mfvj"}]},{"advisoryId":"PKSA-kp19-xmdp-rvyj","packageName":"pimcore\/pimcore","remoteId":"GHSA-3234-gxc3-pq6f","title":"Pimcore Vulnerable to SQL Injection in Custom Reports Column Configuration","link":"https:\/\/github.com\/advisories\/GHSA-3234-gxc3-pq6f","cve":"CVE-2026-44739","affectedVersions":"\u003C=12.3.5","source":"GitHub","reportedAt":"2026-05-27 00:35:01","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-3234-gxc3-pq6f"}]},{"advisoryId":"PKSA-vp19-ydt7-tws9","packageName":"pimcore\/pimcore","remoteId":"GHSA-r2f4-ff2p-xc64","title":"Pimcore Platform - SQL Injection in DataObject composite index handling during class definition import\/save","link":"https:\/\/github.com\/advisories\/GHSA-r2f4-ff2p-xc64","cve":"CVE-2026-5394","affectedVersions":"\u003C=12.3.6","source":"GitHub","reportedAt":"2026-05-28 20:47:10","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-r2f4-ff2p-xc64"}]}],"automad\/automad":[{"advisoryId":"PKSA-v8bn-6yk2-7qjk","packageName":"automad\/automad","remoteId":"GHSA-xm76-r88j-vm3g","title":"Automad has Broken Access Control: Unauthenticated exposure of administrator bcrypt password hashes and TOTP secrets via public API endpoint","link":"https:\/\/github.com\/advisories\/GHSA-xm76-r88j-vm3g","cve":"CVE-2026-45332","affectedVersions":"\u003E=2.0.0-alpha.1,\u003C=2.0.0-beta.27","source":"GitHub","reportedAt":"2026-05-27 21:32:31","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xm76-r88j-vm3g"}]}],"getkirby\/cms":[{"advisoryId":"PKSA-d956-rcc1-9n2f","packageName":"getkirby\/cms","remoteId":"GHSA-qvjf-922g-pj44","title":"Kirby CMS vulnerable to cross-site scripting (XSS) from links in KirbyTags and image blocks in the site frontend","link":"https:\/\/github.com\/advisories\/GHSA-qvjf-922g-pj44","cve":"CVE-2026-45368","affectedVersions":"\u003E=5.0.0,\u003C=5.4.0|\u003C=4.9.0","source":"GitHub","reportedAt":"2026-05-27 17:42:03","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-qvjf-922g-pj44"}]},{"advisoryId":"PKSA-q7k8-c5gf-pkgc","packageName":"getkirby\/cms","remoteId":"GHSA-39vq-49qm-r2mc","title":"Kirby CMS\u0027s content locks disclose IDs and emails of inaccessible users from `users.access\/list` permissions","link":"https:\/\/github.com\/advisories\/GHSA-39vq-49qm-r2mc","cve":"CVE-2026-45334","affectedVersions":"\u003E=5.0.0,\u003C=5.4.0|\u003C=4.9.0","source":"GitHub","reportedAt":"2026-05-27 17:23:31","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-39vq-49qm-r2mc"}]},{"advisoryId":"PKSA-ycvm-k4m4-tr9m","packageName":"getkirby\/cms","remoteId":"GHSA-2xw4-v2wx-hqq9","title":"Kirby CMS\u0027s `pages.access` permission is not checked during rendering of page drafts","link":"https:\/\/github.com\/advisories\/GHSA-2xw4-v2wx-hqq9","cve":"CVE-2026-44176","affectedVersions":"\u003E=5.0.0,\u003C=5.4.0|\u003C=4.9.0","source":"GitHub","reportedAt":"2026-05-26 23:55:35","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-2xw4-v2wx-hqq9"}]},{"advisoryId":"PKSA-82wy-dsmt-xgpc","packageName":"getkirby\/cms","remoteId":"GHSA-9hx7-c53c-v6x8","title":"Kirby CMS has pre-authentication path traversal and PHP file inclusion during user lookup","link":"https:\/\/github.com\/advisories\/GHSA-9hx7-c53c-v6x8","cve":"CVE-2026-44177","affectedVersions":"\u003E=5.3.0,\u003C=5.4.0","source":"GitHub","reportedAt":"2026-05-26 23:56:40","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-9hx7-c53c-v6x8"}]},{"advisoryId":"PKSA-hhnz-p4k9-sfyd","packageName":"getkirby\/cms","remoteId":"GHSA-86rh-h242-j8xp","title":"Kirby CMS has an Arbitrary Method Call via REST API Search and Collection Query Endpoints","link":"https:\/\/github.com\/advisories\/GHSA-86rh-h242-j8xp","cve":"CVE-2026-44174","affectedVersions":"\u003E=5.0.0,\u003C=5.4.0|\u003C=4.9.0","source":"GitHub","reportedAt":"2026-05-26 23:47:17","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-86rh-h242-j8xp"}]},{"advisoryId":"PKSA-g7d2-4qf5-mg45","packageName":"getkirby\/cms","remoteId":"GHSA-5fhx-9q32-q257","title":"Kirby CMS vulnerable to cross-site scripting (XSS) from list field content in the site frontend","link":"https:\/\/github.com\/advisories\/GHSA-5fhx-9q32-q257","cve":"CVE-2026-44175","affectedVersions":"\u003E=5.0.0,\u003C=5.4.0|\u003C=4.9.0","source":"GitHub","reportedAt":"2026-05-26 23:49:56","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-5fhx-9q32-q257"}]}],"twig\/twig":[{"advisoryId":"PKSA-fbvq-z33h-r2np","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-48808.yaml","title":"Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`","link":"https:\/\/symfony.com\/blog\/cve-2026-48808-sandbox-property-allowlist-bypass-via-the-column-filter-under-sourcepolicyinterface","cve":"CVE-2026-48808","affectedVersions":"\u003E=1.0.0,\u003C2.0.0|\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.27.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-27 15:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-48808.yaml"}]},{"advisoryId":"PKSA-g9zw-qxh8-pq8w","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-48805.yaml","title":"Sandbox state regression in deprecated internal wrappers in `src\/Resources\/core.php`","link":"https:\/\/symfony.com\/blog\/cve-2026-48805-sandbox-state-regression-in-deprecated-internal-wrappers-in-src-resources-core-php","cve":"CVE-2026-48805","affectedVersions":"\u003E=1.0.0,\u003C2.0.0|\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.27.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-27 15:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-48805.yaml"}]},{"advisoryId":"PKSA-yd6k-t2gh-1m43","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-46636.yaml","title":"Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders","link":"https:\/\/symfony.com\/blog\/cve-2026-46636-sandbox-filter-tag-and-function-allow-list-bypass-when-sandbox-state-changes-between-renders","cve":"CVE-2026-46636","affectedVersions":"\u003E=1.0.0,\u003C2.0.0|\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.27.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-27 15:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-46636.yaml"}]},{"advisoryId":"PKSA-1tmc-rt7x-12w6","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-48806.yaml","title":"Sandbox `__toString()` policy bypass via dynamic mapping keys","link":"https:\/\/symfony.com\/blog\/cve-2026-48806-sandbox-tostring-policy-bypass-via-dynamic-mapping-keys","cve":"CVE-2026-48806","affectedVersions":"\u003E=1.0.0,\u003C2.0.0|\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.27.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-27 15:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-48806.yaml"}]},{"advisoryId":"PKSA-xx6c-6d96-db2w","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-48807.yaml","title":"Sandbox `__toString()` policy bypass via `Traversable` in `join`\/`replace` and `in`\/`not in` operators","link":"https:\/\/symfony.com\/blog\/cve-2026-48807-sandbox-tostring-policy-bypass-via-traversable-in-join-replace-and-in-not-in-operators","cve":"CVE-2026-48807","affectedVersions":"\u003E=1.0.0,\u003C2.0.0|\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.27.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-27 15:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-48807.yaml"}]}],"symfony\/mailomat-mailer":[{"advisoryId":"PKSA-9y9v-rcsm-h82j","packageName":"symfony\/mailomat-mailer","remoteId":"symfony\/mailomat-mailer\/CVE-2026-48747.yaml","title":"CVE-2026-48747: Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade","link":"https:\/\/symfony.com\/cve-2026-48747","cve":"CVE-2026-48747","affectedVersions":"\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/mailomat-mailer\/CVE-2026-48747.yaml"}]}],"symfony\/http-foundation":[{"advisoryId":"PKSA-y6py-qpv1-h52p","packageName":"symfony\/http-foundation","remoteId":"symfony\/http-foundation\/CVE-2026-48736.yaml","title":"CVE-2026-48736: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient","link":"https:\/\/symfony.com\/cve-2026-48736","cve":"CVE-2026-48736","affectedVersions":"\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/http-foundation\/CVE-2026-48736.yaml"}]}],"symfony\/symfony":[{"advisoryId":"PKSA-bd71-n14y-wh1d","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-48736.yaml","title":"CVE-2026-48736: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient","link":"https:\/\/symfony.com\/cve-2026-48736","cve":"CVE-2026-48736","affectedVersions":"\u003E=5.4.0,\u003C5.4.53|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-48736.yaml"}]},{"advisoryId":"PKSA-qpkt-z1gq-qf6m","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-48761.yaml","title":"CVE-2026-48761: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes on \u003Cobject\u003E, \u003Capplet\u003E, \u003Ciframe\u003E, \u003Cimg\u003E and the URL Inside \u003Cmeta http-equiv=\u0022refresh\u0022\u003E content","link":"https:\/\/symfony.com\/cve-2026-48761","cve":"CVE-2026-48761","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-48761.yaml"}]},{"advisoryId":"PKSA-nshj-ydrr-y3c1","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-48784.yaml","title":"CVE-2026-48784: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `..\/` or `.\/` \u2192 Generated URL Collapses Off-Route Under RFC 3986 Normalization","link":"https:\/\/symfony.com\/cve-2026-48784","cve":"CVE-2026-48784","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.53|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-48784.yaml"}]},{"advisoryId":"PKSA-v1cq-8qyb-2p5n","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-48747.yaml","title":"CVE-2026-48747: Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade","link":"https:\/\/symfony.com\/cve-2026-48747","cve":"CVE-2026-48747","affectedVersions":"\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-48747.yaml"}]},{"advisoryId":"PKSA-gc1j-s49p-r1kv","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-48760.yaml","title":"CVE-2026-48760: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense","link":"https:\/\/symfony.com\/cve-2026-48760","cve":"CVE-2026-48760","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-48760.yaml"}]},{"advisoryId":"PKSA-pjp2-q1z1-mmvn","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-48489.yaml","title":"CVE-2026-48489: Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET Routes","link":"https:\/\/symfony.com\/cve-2026-48489","cve":"CVE-2026-48489","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.53|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-48489.yaml"}]},{"advisoryId":"PKSA-2zh8-n335-x575","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45304.yaml","title":"CVE-2026-45304: YAML Parser Exponential Memory Allocation via Recursive Collection-Alias Expansion (\u0022Billion Laughs\u0022)","link":"https:\/\/symfony.com\/cve-2026-45304","cve":"CVE-2026-45304","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-4qpc-3hr4-r2p4"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45304.yaml"}]},{"advisoryId":"PKSA-9sj3-tcvg-s7g4","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45068.yaml","title":"CVE-2026-45068: Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address","link":"https:\/\/symfony.com\/cve-2026-45068","cve":"CVE-2026-45068","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-xx3c-qf5g-hc39"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45068.yaml"}]},{"advisoryId":"PKSA-qgpb-b2wz-rty6","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45070.yaml","title":"CVE-2026-45070: Email Header Injection via Non-Token Characters in Mime Parameter Names","link":"https:\/\/symfony.com\/cve-2026-45070","cve":"CVE-2026-45070","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-vqc8-7275-q272"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45070.yaml"}]},{"advisoryId":"PKSA-j6yc-z95h-xyjq","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45305.yaml","title":"CVE-2026-45305: YAML Parser ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex","link":"https:\/\/symfony.com\/cve-2026-45305","cve":"CVE-2026-45305","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-9frc-8383-795m"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45305.yaml"}]},{"advisoryId":"PKSA-kp1y-8sfh-4r87","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45753.yaml","title":"CVE-2026-45753: HtmlSanitizer UrlAttributeSanitizer Omits action\/formaction\/poster\/cite: javascript: URI Survives Sanitization (XSS)","link":"https:\/\/symfony.com\/cve-2026-45753","cve":"CVE-2026-45753","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-hhg7-c65m-h7ff"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45753.yaml"}]},{"advisoryId":"PKSA-9ss4-yr44-h3bt","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45071.yaml","title":"CVE-2026-45071: XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true","link":"https:\/\/symfony.com\/cve-2026-45071","cve":"CVE-2026-45071","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-x6g4-fwcc-jj8w"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45071.yaml"}]},{"advisoryId":"PKSA-3ds8-wrg2-pjdq","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45754.yaml","title":"CVE-2026-45754: Mailjet Mailer and LOX24 Notifier Webhook Parsers Never Verify the Configured Secret: Unauthenticated Webhook Event Injection","link":"https:\/\/symfony.com\/cve-2026-45754","cve":"CVE-2026-45754","affectedVersions":"\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-64hg-93w9-fc35"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45754.yaml"}]},{"advisoryId":"PKSA-94ry-294g-7bbc","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45756.yaml","title":"CVE-2026-45756: JsonPath Evaluates Attacker-Controlled Regular Expressions in match()\/search() Without Limits: ReDoS","link":"https:\/\/symfony.com\/cve-2026-45756","cve":"CVE-2026-45756","affectedVersions":"\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-8v8v-g73j-492j"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45756.yaml"}]},{"advisoryId":"PKSA-13hy-qbkf-1ty7","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45077.yaml","title":"CVE-2026-45077: Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener","link":"https:\/\/symfony.com\/cve-2026-45077","cve":"CVE-2026-45077","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-m7v2-7gxm-vc2v"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45077.yaml"}]},{"advisoryId":"PKSA-7tp5-63ss-rycr","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45069.yaml","title":"CVE-2026-45069: OidcTokenHandler Accepts JWTs Missing aud\/iss\/exp Claims","link":"https:\/\/symfony.com\/cve-2026-45069","cve":"CVE-2026-45069","affectedVersions":"\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-29fc-p6c4-24cg"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45069.yaml"}]},{"advisoryId":"PKSA-29h7-kzb3-pdfy","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45073.yaml","title":"CVE-2026-45073: SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix","link":"https:\/\/symfony.com\/cve-2026-45073","cve":"CVE-2026-45073","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6qh9-h6wf-jgqc"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45073.yaml"}]},{"advisoryId":"PKSA-vty3-cvqg-rtn4","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45066.yaml","title":"CVE-2026-45066: HtmlSanitizer allowLinkHosts() \/ allowMediaHosts() Bypass via URL-Parser Differentials and \u003Carea\u003E Misclassification","link":"https:\/\/symfony.com\/cve-2026-45066","cve":"CVE-2026-45066","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-qc95-4862-92fh"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45066.yaml"}]},{"advisoryId":"PKSA-t5z9-jvfg-zqhb","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45064.yaml","title":"CVE-2026-45064: HtmlSanitizer URL Attributes Pass Through BiDi Override Characters \u2192 Visual href Spoofing","link":"https:\/\/symfony.com\/cve-2026-45064","cve":"CVE-2026-45064","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-h5vq-qfcg-4m6p"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45064.yaml"}]},{"advisoryId":"PKSA-1jhn-nv8n-vjk2","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45755.yaml","title":"CVE-2026-45755: Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC: Unauthenticated Webhook Event Injection","link":"https:\/\/symfony.com\/cve-2026-45755","cve":"CVE-2026-45755","affectedVersions":"\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-59f3-vp2f-mp9w"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45755.yaml"}]},{"advisoryId":"PKSA-wyg9-y12c-3kdv","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45063.yaml","title":"CVE-2026-45063: Identity Spoofing via Unanchored DN Regex in X509Authenticator","link":"https:\/\/symfony.com\/cve-2026-45063","cve":"CVE-2026-45063","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-ph86-p8f6-f9r2"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45063.yaml"}]},{"advisoryId":"PKSA-3f27-q682-kfn9","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45065.yaml","title":"CVE-2026-45065: UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation \u2192 Off-Site \/\/host URL Injection","link":"https:\/\/symfony.com\/cve-2026-45065","cve":"CVE-2026-45065","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-72xp-p242-47p9"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45065.yaml"}]},{"advisoryId":"PKSA-z2fd-3m4y-rrss","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45067.yaml","title":"CVE-2026-45067: Email Header \/ SMTP Command Injection via CRLF in Symfony\\Component\\Mime\\Address","link":"https:\/\/symfony.com\/cve-2026-45067","cve":"CVE-2026-45067","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-qpmx-3rfj-7rhv"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45067.yaml"}]},{"advisoryId":"PKSA-mbth-mcd4-2tr8","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45074.yaml","title":"CVE-2026-45074: Cas2Handler Derives CAS service URL from Client Host Header \u2192 Cross-Service Ticket Replay","link":"https:\/\/symfony.com\/cve-2026-45074","cve":"CVE-2026-45074","affectedVersions":"\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-j8gj-9rm5-4xhx"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45074.yaml"}]},{"advisoryId":"PKSA-wps4-zyhx-xws4","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45133.yaml","title":"CVE-2026-45133: YAML Parser Stack Exhaustion via Unbounded Recursion in Nested Blocks, Sequences, and Mappings","link":"https:\/\/symfony.com\/cve-2026-45133","cve":"CVE-2026-45133","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-c2p3-7m5p-cv8x"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45133.yaml"}]},{"advisoryId":"PKSA-smg5-pq2q-kjkh","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45072.yaml","title":"CVE-2026-45072: Stored XSS in WebProfiler CodeExtension::fileExcerpt(): Unescaped Non-PHP File Rendering","link":"https:\/\/symfony.com\/cve-2026-45072","cve":"CVE-2026-45072","affectedVersions":"\u003E=6.4.24,\u003C6.4.40|\u003E=7.2.9,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-hmr5-2xcr-v8pp"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45072.yaml"}]},{"advisoryId":"PKSA-xxm6-3p32-rqz7","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45075.yaml","title":"CVE-2026-45075: HEAD Request Bypasses methods: [\u0027GET\u0027] Filter in #[IsGranted] \/ #[IsSignatureValid] \/ #[IsCsrfTokenValid]","link":"https:\/\/symfony.com\/cve-2026-45075","cve":"CVE-2026-45075","affectedVersions":"\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6439-2f28-8p8q"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45075.yaml"}]}],"symfony\/security-http":[{"advisoryId":"PKSA-c28x-6bj5-8spx","packageName":"symfony\/security-http","remoteId":"symfony\/security-http\/CVE-2026-48489.yaml","title":"CVE-2026-48489: Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET Routes","link":"https:\/\/symfony.com\/cve-2026-48489","cve":"CVE-2026-48489","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.53|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/security-http\/CVE-2026-48489.yaml"}]},{"advisoryId":"PKSA-jzjr-4n2h-knvd","packageName":"symfony\/security-http","remoteId":"symfony\/security-http\/CVE-2026-45069.yaml","title":"CVE-2026-45069: OidcTokenHandler Accepts JWTs Missing aud\/iss\/exp Claims","link":"https:\/\/symfony.com\/cve-2026-45069","cve":"CVE-2026-45069","affectedVersions":"\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-29fc-p6c4-24cg"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/security-http\/CVE-2026-45069.yaml"}]},{"advisoryId":"PKSA-tbsf-h7vc-j7hn","packageName":"symfony\/security-http","remoteId":"symfony\/security-http\/CVE-2026-45063.yaml","title":"CVE-2026-45063: Identity Spoofing via Unanchored DN Regex in X509Authenticator","link":"https:\/\/symfony.com\/cve-2026-45063","cve":"CVE-2026-45063","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-ph86-p8f6-f9r2"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/security-http\/CVE-2026-45063.yaml"}]},{"advisoryId":"PKSA-5df2-zpfk-xgsv","packageName":"symfony\/security-http","remoteId":"symfony\/security-http\/CVE-2026-45074.yaml","title":"CVE-2026-45074: Cas2Handler Derives CAS service URL from Client Host Header \u2192 Cross-Service Ticket Replay","link":"https:\/\/symfony.com\/cve-2026-45074","cve":"CVE-2026-45074","affectedVersions":"\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-j8gj-9rm5-4xhx"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/security-http\/CVE-2026-45074.yaml"}]},{"advisoryId":"PKSA-4tmc-tz3m-9xpb","packageName":"symfony\/security-http","remoteId":"symfony\/security-http\/CVE-2026-45075.yaml","title":"CVE-2026-45075: HEAD Request Bypasses methods: [\u0027GET\u0027] Filter in #[IsGranted] \/ #[IsSignatureValid] \/ #[IsCsrfTokenValid]","link":"https:\/\/symfony.com\/cve-2026-45075","cve":"CVE-2026-45075","affectedVersions":"\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6439-2f28-8p8q"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/security-http\/CVE-2026-45075.yaml"}]}],"symfony\/http-client":[{"advisoryId":"PKSA-35by-yxtt-jc85","packageName":"symfony\/http-client","remoteId":"symfony\/http-client\/CVE-2026-48736.yaml","title":"CVE-2026-48736: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient","link":"https:\/\/symfony.com\/cve-2026-48736","cve":"CVE-2026-48736","affectedVersions":"\u003E=5.4.0,\u003C5.4.53","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/http-client\/CVE-2026-48736.yaml"}]}],"symfony\/routing":[{"advisoryId":"PKSA-bf7t-jnpz-492k","packageName":"symfony\/routing","remoteId":"symfony\/routing\/CVE-2026-48784.yaml","title":"CVE-2026-48784: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `..\/` or `.\/` \u2192 Generated URL Collapses Off-Route Under RFC 3986 Normalization","link":"https:\/\/symfony.com\/cve-2026-48784","cve":"CVE-2026-48784","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.53|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/routing\/CVE-2026-48784.yaml"}]},{"advisoryId":"PKSA-yc7t-91v9-99xs","packageName":"symfony\/routing","remoteId":"symfony\/routing\/CVE-2026-45065.yaml","title":"CVE-2026-45065: UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation \u2192 Off-Site \/\/host URL Injection","link":"https:\/\/symfony.com\/cve-2026-45065","cve":"CVE-2026-45065","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-72xp-p242-47p9"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/routing\/CVE-2026-45065.yaml"}]}],"symfony\/html-sanitizer":[{"advisoryId":"PKSA-3d8r-4bff-vcj1","packageName":"symfony\/html-sanitizer","remoteId":"symfony\/html-sanitizer\/CVE-2026-48761.yaml","title":"CVE-2026-48761: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes on \u003Cobject\u003E, \u003Capplet\u003E, \u003Ciframe\u003E, \u003Cimg\u003E and the URL Inside \u003Cmeta http-equiv=\u0022refresh\u0022\u003E content","link":"https:\/\/symfony.com\/cve-2026-48761","cve":"CVE-2026-48761","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/html-sanitizer\/CVE-2026-48761.yaml"}]},{"advisoryId":"PKSA-bvdf-tk8n-sbsf","packageName":"symfony\/html-sanitizer","remoteId":"symfony\/html-sanitizer\/CVE-2026-48760.yaml","title":"CVE-2026-48760: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense","link":"https:\/\/symfony.com\/cve-2026-48760","cve":"CVE-2026-48760","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/html-sanitizer\/CVE-2026-48760.yaml"}]},{"advisoryId":"PKSA-q2wy-m7mz-kg58","packageName":"symfony\/html-sanitizer","remoteId":"symfony\/html-sanitizer\/CVE-2026-45753.yaml","title":"CVE-2026-45753: HtmlSanitizer UrlAttributeSanitizer Omits action\/formaction\/poster\/cite: javascript: URI Survives Sanitization (XSS)","link":"https:\/\/symfony.com\/cve-2026-45753","cve":"CVE-2026-45753","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-hhg7-c65m-h7ff"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/html-sanitizer\/CVE-2026-45753.yaml"}]},{"advisoryId":"PKSA-jwvg-gphd-brbz","packageName":"symfony\/html-sanitizer","remoteId":"symfony\/html-sanitizer\/CVE-2026-45066.yaml","title":"CVE-2026-45066: HtmlSanitizer allowLinkHosts() \/ allowMediaHosts() Bypass via URL-Parser Differentials and \u003Carea\u003E Misclassification","link":"https:\/\/symfony.com\/cve-2026-45066","cve":"CVE-2026-45066","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-qc95-4862-92fh"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/html-sanitizer\/CVE-2026-45066.yaml"}]},{"advisoryId":"PKSA-4fc7-y875-17k3","packageName":"symfony\/html-sanitizer","remoteId":"symfony\/html-sanitizer\/CVE-2026-45064.yaml","title":"CVE-2026-45064: HtmlSanitizer URL Attributes Pass Through BiDi Override Characters \u2192 Visual href Spoofing","link":"https:\/\/symfony.com\/cve-2026-45064","cve":"CVE-2026-45064","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-h5vq-qfcg-4m6p"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/html-sanitizer\/CVE-2026-45064.yaml"}]}],"spatie\/schema-org":[{"advisoryId":"PKSA-6mmh-w4kg-c2xp","packageName":"spatie\/schema-org","remoteId":"spatie\/schema-org\/2026-04-20.yaml","title":"Cross-site scripting (XSS) via script break-out in toScript() output","link":"https:\/\/github.com\/spatie\/schema-org\/releases\/tag\/4.0.2","cve":null,"affectedVersions":"\u003E=3.23.1,\u003C4.0.2","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-04-20 00:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"spatie\/schema-org\/2026-04-20.yaml"}]}],"pimcore\/admin-ui-classic-bundle":[{"advisoryId":"PKSA-v29g-sqpm-mznn","packageName":"pimcore\/admin-ui-classic-bundle","remoteId":"GHSA-h4ph-crvj-9h92","title":"Pimcore Admin Classic Bundle Vulnerable to SQL Injection in Translation Grid Date Filter via Unsanitized Property Parameter","link":"https:\/\/github.com\/advisories\/GHSA-h4ph-crvj-9h92","cve":"CVE-2026-44741","affectedVersions":"\u003C=2.3.5","source":"GitHub","reportedAt":"2026-05-27 00:35:56","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-h4ph-crvj-9h92"}]}],"pterodactyl\/panel":[{"advisoryId":"PKSA-d16c-6bkx-pfvs","packageName":"pterodactyl\/panel","remoteId":"GHSA-fgmm-w5cx-vrfw","title":"Pterodactyl has a database resource limit bypass via race condition in Client API","link":"https:\/\/github.com\/advisories\/GHSA-fgmm-w5cx-vrfw","cve":"CVE-2026-35202","affectedVersions":"\u003C1.12.3","source":"GitHub","reportedAt":"2026-05-26 19:30:02","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-fgmm-w5cx-vrfw"}]}],"symfony\/polyfill":[{"advisoryId":"PKSA-df53-cqz9-c3zn","packageName":"symfony\/polyfill","remoteId":"symfony\/polyfill\/CVE-2026-46644.yaml","title":"CVE-2026-46644: symfony\/polyfill-intl-idn accepts xn-- labels whose Punycode payload decodes to ASCII-only: insecure equivalence","link":"https:\/\/symfony.com\/cve-2026-46644","cve":"CVE-2026-46644","affectedVersions":"\u003E=1.17.1,\u003C1.38.1","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-2xf4-cg6j-vhgq"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/polyfill\/CVE-2026-46644.yaml"}]}],"symfony\/polyfill-intl-idn":[{"advisoryId":"PKSA-dwsq-ppd2-mb1x","packageName":"symfony\/polyfill-intl-idn","remoteId":"symfony\/polyfill-intl-idn\/CVE-2026-46644.yaml","title":"CVE-2026-46644: symfony\/polyfill-intl-idn accepts xn-- labels whose Punycode payload decodes to ASCII-only: insecure equivalence","link":"https:\/\/symfony.com\/cve-2026-46644","cve":"CVE-2026-46644","affectedVersions":"\u003E=1.17.1,\u003C1.38.1","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-2xf4-cg6j-vhgq"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/polyfill-intl-idn\/CVE-2026-46644.yaml"}]}],"evoweb\/sf-register":[{"advisoryId":"PKSA-1gw5-qx8s-xyvr","packageName":"evoweb\/sf-register","remoteId":"evoweb\/sf-register\/CVE-2026-46721.yaml","title":"TYPO3-EXT-SA-2026-009: Broken Access Control in extension \u0022Frontend User Registration\u0022 (sf_register)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2026-009","cve":"CVE-2026-46721","affectedVersions":"\u003E=14.0.0,\u003C14.0.2|\u003C13.2.4","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-18 16:40:54","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"evoweb\/sf-register\/CVE-2026-46721.yaml"}]}],"tpwd\/ke_search":[{"advisoryId":"PKSA-cy57-p12b-t759","packageName":"tpwd\/ke_search","remoteId":"tpwd\/ke_search\/CVE-2026-46722.yaml","title":"TYPO3-EXT-SA-2026-011: XML External Entity Injection in extension \u0022Faceted Search\u0022 (ke_search)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2026-011","cve":"CVE-2026-46722","affectedVersions":"\u003E=7.0.0,\u003C7.0.1|\u003E=6.0.0,\u003C6.6.1|\u003C5.6.2","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-18 14:30:45","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"tpwd\/ke_search\/CVE-2026-46722.yaml"}]},{"advisoryId":"PKSA-ybqg-nm5d-my8d","packageName":"tpwd\/ke_search","remoteId":"tpwd\/ke_search\/CVE-2026-46724.yaml","title":"TYPO3-EXT-SA-2026-011: Information Disclosure in extension \u0022Faceted Search\u0022 (ke_search)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2026-011","cve":"CVE-2026-46724","affectedVersions":"\u003E=7.0.0,\u003C7.0.1|\u003E=6.0.0,\u003C6.6.1|\u003C5.6.2","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-18 14:30:45","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"tpwd\/ke_search\/CVE-2026-46724.yaml"}]},{"advisoryId":"PKSA-pb46-78nq-81hw","packageName":"tpwd\/ke_search","remoteId":"tpwd\/ke_search\/CVE-2026-46723.yaml","title":"TYPO3-EXT-SA-2026-011: Path Traversal in extension \u0022Faceted Search\u0022 (ke_search)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2026-011","cve":"CVE-2026-46723","affectedVersions":"\u003E=7.0.0,\u003C7.0.1|\u003E=6.0.0,\u003C6.6.1|\u003C5.6.2","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-18 14:30:45","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"tpwd\/ke_search\/CVE-2026-46723.yaml"}]}],"mmc\/ceselector":[{"advisoryId":"PKSA-kfm7-j6tb-2qn9","packageName":"mmc\/ceselector","remoteId":"mmc\/ceselector\/CVE-2026-46725.yaml","title":"TYPO3-EXT-SA-2026-013: Remote Code Execution in extension \u0022Content Element Selector\u0022 (ceselector)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2026-013","cve":"CVE-2026-46725","affectedVersions":"\u003E=6.0.0,\u003C6.0.1|\u003E=5.0.0,\u003C5.0.1|\u003E=4.0.0,\u003C4.0.2|\u003C3.0.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-04-07 10:50:50","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"mmc\/ceselector\/CVE-2026-46725.yaml"}]}],"friendsoftypo3\/tt-address":[{"advisoryId":"PKSA-s9h4-6qfr-k554","packageName":"friendsoftypo3\/tt-address","remoteId":"friendsoftypo3\/tt-address\/CVE-2026-8827.yaml","title":"TYPO3-EXT-SA-2026-012: SQL Injection in extension \u0022Address List\u0022 (tt_address)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2026-012","cve":"CVE-2026-8827","affectedVersions":"\u003E=10.0.0,\u003C10.0.1|\u003E=9.0.0,\u003C9.1.1|\u003C8.1.2","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-18 15:13:22","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"friendsoftypo3\/tt-address\/CVE-2026-8827.yaml"}]}],"tomasnorre\/crawler":[{"advisoryId":"PKSA-bt63-cwpy-49h9","packageName":"tomasnorre\/crawler","remoteId":"tomasnorre\/crawler\/CVE-2026-8727.yaml","title":"TYPO3-EXT-SA-2026-008: Remote Code Execution in extension \u0022Site Crawler\u0022 (crawler)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2026-008","cve":"CVE-2026-8727","affectedVersions":"\u003E=12.0.0,\u003C12.0.11|\u003C11.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-11 19:18:44","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"tomasnorre\/crawler\/CVE-2026-8727.yaml"}]}],"thorsten\/phpmyfaq":[{"advisoryId":"PKSA-64xv-jbdm-pg2q","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-9qv9-8xv6-5p35","title":"phpMyFAQ: Unauthenticated Password Reset Endpoint Allows User Enumeration and Forced Password Change Without Token Validation","link":"https:\/\/github.com\/advisories\/GHSA-9qv9-8xv6-5p35","cve":"CVE-2026-35676","affectedVersions":"\u003C4.1.3","source":"GitHub","reportedAt":"2026-05-20 15:45:53","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-9qv9-8xv6-5p35"}]},{"advisoryId":"PKSA-ttcw-fg74-jv2w","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-xvp4-phqj-cjr3","title":"phpMyFAQ: IDOR Account Takeover ","link":"https:\/\/github.com\/advisories\/GHSA-xvp4-phqj-cjr3","cve":"CVE-2026-35671","affectedVersions":"\u003C4.1.3","source":"GitHub","reportedAt":"2026-05-20 15:46:17","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xvp4-phqj-cjr3"}]},{"advisoryId":"PKSA-jk8b-rmby-gztg","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-gp95-j463-vv28","title":"phpMyFAQ: Default Empty API Token Authentication Bypass","link":"https:\/\/github.com\/advisories\/GHSA-gp95-j463-vv28","cve":"CVE-2026-35672","affectedVersions":"\u003C=4.1.2","source":"GitHub","reportedAt":"2026-05-20 15:46:42","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-gp95-j463-vv28"}]},{"advisoryId":"PKSA-x1b3-f9q9-1brm","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-w9xh-5f39-vq89","title":"phpMyFAQ: Missing Password Reset Token Allows Account Takeover via Username\/Email Enumeration","link":"https:\/\/github.com\/advisories\/GHSA-w9xh-5f39-vq89","cve":"CVE-2026-35675","affectedVersions":"\u003C4.1.3","source":"GitHub","reportedAt":"2026-05-20 15:46:55","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-w9xh-5f39-vq89"}]}],"phpmyfaq\/phpmyfaq":[{"advisoryId":"PKSA-1ckg-7bmf-xkmp","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-9qv9-8xv6-5p35","title":"phpMyFAQ: Unauthenticated Password Reset Endpoint Allows User Enumeration and Forced Password Change Without Token Validation","link":"https:\/\/github.com\/advisories\/GHSA-9qv9-8xv6-5p35","cve":"CVE-2026-35676","affectedVersions":"\u003C4.1.3","source":"GitHub","reportedAt":"2026-05-20 15:45:53","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-9qv9-8xv6-5p35"}]},{"advisoryId":"PKSA-vdjw-v652-d3d9","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-xvp4-phqj-cjr3","title":"phpMyFAQ: IDOR Account Takeover ","link":"https:\/\/github.com\/advisories\/GHSA-xvp4-phqj-cjr3","cve":"CVE-2026-35671","affectedVersions":"\u003C4.1.3","source":"GitHub","reportedAt":"2026-05-20 15:46:17","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xvp4-phqj-cjr3"}]},{"advisoryId":"PKSA-xr26-9czp-vbgk","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-gp95-j463-vv28","title":"phpMyFAQ: Default Empty API Token Authentication Bypass","link":"https:\/\/github.com\/advisories\/GHSA-gp95-j463-vv28","cve":"CVE-2026-35672","affectedVersions":"\u003C=4.1.2","source":"GitHub","reportedAt":"2026-05-20 15:46:42","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-gp95-j463-vv28"}]},{"advisoryId":"PKSA-527c-n963-c1j5","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-w9xh-5f39-vq89","title":"phpMyFAQ: Missing Password Reset Token Allows Account Takeover via Username\/Email Enumeration","link":"https:\/\/github.com\/advisories\/GHSA-w9xh-5f39-vq89","cve":"CVE-2026-35675","affectedVersions":"\u003C4.1.3","source":"GitHub","reportedAt":"2026-05-20 15:46:55","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-w9xh-5f39-vq89"}]}],"symfony\/mailtrap-mailer":[{"advisoryId":"PKSA-n517-312t-6vqg","packageName":"symfony\/mailtrap-mailer","remoteId":"symfony\/mailtrap-mailer\/CVE-2026-45755.yaml","title":"CVE-2026-45755: Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC: Unauthenticated Webhook Event Injection","link":"https:\/\/symfony.com\/cve-2026-45755","cve":"CVE-2026-45755","affectedVersions":"\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-59f3-vp2f-mp9w"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/mailtrap-mailer\/CVE-2026-45755.yaml"}]}],"symfony\/lox24-notifier":[{"advisoryId":"PKSA-675k-fhbn-1yh5","packageName":"symfony\/lox24-notifier","remoteId":"symfony\/lox24-notifier\/CVE-2026-45754.yaml","title":"CVE-2026-45754: Mailjet Mailer and LOX24 Notifier Webhook Parsers Never Verify the Configured Secret: Unauthenticated Webhook Event Injection","link":"https:\/\/symfony.com\/cve-2026-45754","cve":"CVE-2026-45754","affectedVersions":"\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-64hg-93w9-fc35"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/lox24-notifier\/CVE-2026-45754.yaml"}]}],"symfony\/mailjet-mailer":[{"advisoryId":"PKSA-swxr-w76k-fd2b","packageName":"symfony\/mailjet-mailer","remoteId":"symfony\/mailjet-mailer\/CVE-2026-45754.yaml","title":"CVE-2026-45754: Mailjet Mailer and LOX24 Notifier Webhook Parsers Never Verify the Configured Secret: Unauthenticated Webhook Event Injection","link":"https:\/\/symfony.com\/cve-2026-45754","cve":"CVE-2026-45754","affectedVersions":"\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-64hg-93w9-fc35"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/mailjet-mailer\/CVE-2026-45754.yaml"}]}],"symfony\/yaml":[{"advisoryId":"PKSA-v5yj-8nmz-sk2q","packageName":"symfony\/yaml","remoteId":"symfony\/yaml\/CVE-2026-45304.yaml","title":"CVE-2026-45304: YAML Parser Exponential Memory Allocation via Recursive Collection-Alias Expansion (\u0022Billion Laughs\u0022)","link":"https:\/\/symfony.com\/cve-2026-45304","cve":"CVE-2026-45304","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-4qpc-3hr4-r2p4"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/yaml\/CVE-2026-45304.yaml"}]},{"advisoryId":"PKSA-ft77-7h5f-p3r6","packageName":"symfony\/yaml","remoteId":"symfony\/yaml\/CVE-2026-45305.yaml","title":"CVE-2026-45305: YAML Parser ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex","link":"https:\/\/symfony.com\/cve-2026-45305","cve":"CVE-2026-45305","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-9frc-8383-795m"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/yaml\/CVE-2026-45305.yaml"}]},{"advisoryId":"PKSA-b14r-zh1d-vdrc","packageName":"symfony\/yaml","remoteId":"symfony\/yaml\/CVE-2026-45133.yaml","title":"CVE-2026-45133: YAML Parser Stack Exhaustion via Unbounded Recursion in Nested Blocks, Sequences, and Mappings","link":"https:\/\/symfony.com\/cve-2026-45133","cve":"CVE-2026-45133","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-c2p3-7m5p-cv8x"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/yaml\/CVE-2026-45133.yaml"}]}],"symfony\/mime":[{"advisoryId":"PKSA-wtxr-p26d-nn42","packageName":"symfony\/mime","remoteId":"symfony\/mime\/CVE-2026-45070.yaml","title":"CVE-2026-45070: Email Header Injection via Non-Token Characters in Mime Parameter Names","link":"https:\/\/symfony.com\/cve-2026-45070","cve":"CVE-2026-45070","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-vqc8-7275-q272"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/mime\/CVE-2026-45070.yaml"}]},{"advisoryId":"PKSA-2n2k-66v2-bwg3","packageName":"symfony\/mime","remoteId":"symfony\/mime\/CVE-2026-45067.yaml","title":"CVE-2026-45067: Email Header \/ SMTP Command Injection via CRLF in Symfony\\Component\\Mime\\Address","link":"https:\/\/symfony.com\/cve-2026-45067","cve":"CVE-2026-45067","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-qpmx-3rfj-7rhv"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/mime\/CVE-2026-45067.yaml"}]}],"symfony\/http-kernel":[{"advisoryId":"PKSA-dw7n-x7f5-zf63","packageName":"symfony\/http-kernel","remoteId":"symfony\/http-kernel\/CVE-2026-45075.yaml","title":"CVE-2026-45075: HEAD Request Bypasses methods: [\u0027GET\u0027] Filter in #[IsGranted] \/ #[IsSignatureValid] \/ #[IsCsrfTokenValid]","link":"https:\/\/symfony.com\/cve-2026-45075","cve":"CVE-2026-45075","affectedVersions":"\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6439-2f28-8p8q"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/http-kernel\/CVE-2026-45075.yaml"}]}],"symfony\/monolog-bridge":[{"advisoryId":"PKSA-4wjj-gy1p-ft3r","packageName":"symfony\/monolog-bridge","remoteId":"symfony\/monolog-bridge\/CVE-2026-45077.yaml","title":"CVE-2026-45077: Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener","link":"https:\/\/symfony.com\/cve-2026-45077","cve":"CVE-2026-45077","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-m7v2-7gxm-vc2v"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/monolog-bridge\/CVE-2026-45077.yaml"}]}],"symfony\/dom-crawler":[{"advisoryId":"PKSA-5r1g-c7b7-y1zg","packageName":"symfony\/dom-crawler","remoteId":"symfony\/dom-crawler\/CVE-2026-45071.yaml","title":"CVE-2026-45071: XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true","link":"https:\/\/symfony.com\/cve-2026-45071","cve":"CVE-2026-45071","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-x6g4-fwcc-jj8w"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/dom-crawler\/CVE-2026-45071.yaml"}]}],"symfony\/twig-bridge":[{"advisoryId":"PKSA-11dz-rdmf-vfgt","packageName":"symfony\/twig-bridge","remoteId":"symfony\/twig-bridge\/CVE-2026-45072.yaml","title":"CVE-2026-45072: Stored XSS in WebProfiler CodeExtension::fileExcerpt(): Unescaped Non-PHP File Rendering","link":"https:\/\/symfony.com\/cve-2026-45072","cve":"CVE-2026-45072","affectedVersions":"\u003E=6.4.24,\u003C6.4.40","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-hmr5-2xcr-v8pp"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/twig-bridge\/CVE-2026-45072.yaml"}]}],"symfony\/cache":[{"advisoryId":"PKSA-z7t6-zt6p-wtng","packageName":"symfony\/cache","remoteId":"symfony\/cache\/CVE-2026-45073.yaml","title":"CVE-2026-45073: SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix","link":"https:\/\/symfony.com\/cve-2026-45073","cve":"CVE-2026-45073","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6qh9-h6wf-jgqc"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/cache\/CVE-2026-45073.yaml"}]}],"symfony\/json-path":[{"advisoryId":"PKSA-rj1d-mpts-8wrt","packageName":"symfony\/json-path","remoteId":"symfony\/json-path\/CVE-2026-45756.yaml","title":"CVE-2026-45756: JsonPath Evaluates Attacker-Controlled Regular Expressions in match()\/search() Without Limits: ReDoS","link":"https:\/\/symfony.com\/cve-2026-45756","cve":"CVE-2026-45756","affectedVersions":"\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-8v8v-g73j-492j"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/json-path\/CVE-2026-45756.yaml"}]}],"symfony\/mailer":[{"advisoryId":"PKSA-28rh-rzzn-djk4","packageName":"symfony\/mailer","remoteId":"symfony\/mailer\/CVE-2026-45068.yaml","title":"CVE-2026-45068: Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address","link":"https:\/\/symfony.com\/cve-2026-45068","cve":"CVE-2026-45068","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.52|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-xx3c-qf5g-hc39"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/mailer\/CVE-2026-45068.yaml"}]}],"symfony\/web-profiler-bundle":[{"advisoryId":"PKSA-rg9h-crk2-m8zt","packageName":"symfony\/web-profiler-bundle","remoteId":"symfony\/web-profiler-bundle\/CVE-2026-45072.yaml","title":"CVE-2026-45072: Stored XSS in WebProfiler CodeExtension::fileExcerpt(): Unescaped Non-PHP File Rendering","link":"https:\/\/symfony.com\/cve-2026-45072","cve":"CVE-2026-45072","affectedVersions":"\u003E=7.2.9,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-hmr5-2xcr-v8pp"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/web-profiler-bundle\/CVE-2026-45072.yaml"}]}]}}