{"advisories":{"shopper\/framework":[{"advisoryId":"PKSA-jg8p-p13z-fkym","packageName":"shopper\/framework","remoteId":"GHSA-h4mp-g9c6-xwph","title":"Shopper: Missing authorization on Product admin Livewire sub-form components","link":"https:\/\/github.com\/advisories\/GHSA-h4mp-g9c6-xwph","cve":"CVE-2026-47742","affectedVersions":"\u003C2.8.0","source":"GitHub","reportedAt":"2026-06-05 20:33:47","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-h4mp-g9c6-xwph"}]},{"advisoryId":"PKSA-7v8h-262h-wzkz","packageName":"shopper\/framework","remoteId":"GHSA-fxqw-97cc-7g5c","title":"Shopper: Missing per-action authorization on PaymentMethods, Currencies and Carriers admin tables","link":"https:\/\/github.com\/advisories\/GHSA-fxqw-97cc-7g5c","cve":"CVE-2026-47745","affectedVersions":"\u003C2.8.0","source":"GitHub","reportedAt":"2026-06-05 20:34:31","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-fxqw-97cc-7g5c"}]},{"advisoryId":"PKSA-88dm-mp91-mkr8","packageName":"shopper\/framework","remoteId":"GHSA-hr9v-r8r2-hg7j","title":"Shopper: Multiple data integrity and disclosure issues in admin Livewire components","link":"https:\/\/github.com\/advisories\/GHSA-hr9v-r8r2-hg7j","cve":"CVE-2026-47743","affectedVersions":"\u003C2.8.0","source":"GitHub","reportedAt":"2026-06-05 20:35:14","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-hr9v-r8r2-hg7j"}]},{"advisoryId":"PKSA-5g52-7x8y-w2y1","packageName":"shopper\/framework","remoteId":"GHSA-c3qp-2ggw-xjg7","title":"Shopper: Authorization bypass and RBAC privilege escalation in team settings","link":"https:\/\/github.com\/advisories\/GHSA-c3qp-2ggw-xjg7","cve":"CVE-2026-47744","affectedVersions":"\u003C2.8.0","source":"GitHub","reportedAt":"2026-06-05 20:35:51","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-c3qp-2ggw-xjg7"}]}],"tinymce\/tinymce":[{"advisoryId":"PKSA-rf1b-835f-6yyv","packageName":"tinymce\/tinymce","remoteId":"GHSA-q742-qvgc-gc2f","title":"TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes","link":"https:\/\/github.com\/advisories\/GHSA-q742-qvgc-gc2f","cve":"CVE-2026-47759","affectedVersions":"\u003E=8.0.0,\u003C8.5.1|\u003E=6.0.0,\u003C7.9.3|\u003C5.11.1","source":"GitHub","reportedAt":"2026-06-05 20:27:50","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-q742-qvgc-gc2f"}]},{"advisoryId":"PKSA-2v47-9p8y-4qt3","packageName":"tinymce\/tinymce","remoteId":"GHSA-v98h-vmpc-fpqv","title":"TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments","link":"https:\/\/github.com\/advisories\/GHSA-v98h-vmpc-fpqv","cve":"CVE-2026-47762","affectedVersions":"\u003E=8.0.0,\u003C8.5.1|\u003E=6.0.0,\u003C7.9.3|\u003C5.11.1","source":"GitHub","reportedAt":"2026-06-05 20:29:07","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-v98h-vmpc-fpqv"}]},{"advisoryId":"PKSA-k4d6-bt7k-7ddp","packageName":"tinymce\/tinymce","remoteId":"GHSA-vg35-5wq7-3x7w","title":"TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection","link":"https:\/\/github.com\/advisories\/GHSA-vg35-5wq7-3x7w","cve":"CVE-2026-47761","affectedVersions":"\u003E=8.0.0,\u003C8.5.1|\u003E=6.0.0,\u003C7.9.3|\u003C5.11.1","source":"GitHub","reportedAt":"2026-06-05 20:29:43","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-vg35-5wq7-3x7w"}]},{"advisoryId":"PKSA-fp8q-vmhs-msy9","packageName":"tinymce\/tinymce","remoteId":"GHSA-mh5m-5hw4-5c69","title":"TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs","link":"https:\/\/github.com\/advisories\/GHSA-mh5m-5hw4-5c69","cve":"CVE-2026-47760","affectedVersions":"\u003E=6.8.0,\u003C7.1.0","source":"GitHub","reportedAt":"2026-06-05 20:09:38","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-mh5m-5hw4-5c69"}]}],"drupal\/core":[{"advisoryId":"PKSA-787q-p7fn-mcw7","packageName":"drupal\/core","remoteId":"GHSA-pw6f-3999-xp7g","title":"Drupal core allows Cross-Site Scripting (XSS)","link":"https:\/\/github.com\/advisories\/GHSA-pw6f-3999-xp7g","cve":"CVE-2026-6367","affectedVersions":"\u003E=11.3.0,\u003C11.3.7","source":"GitHub","reportedAt":"2026-05-20 00:31:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-pw6f-3999-xp7g"}]},{"advisoryId":"PKSA-7kyj-yy4m-jzhv","packageName":"drupal\/core","remoteId":"GHSA-f3cj-mjqm-fhvj","title":"Drupal core is Vulnerable to Cross-Site Scripting","link":"https:\/\/github.com\/advisories\/GHSA-f3cj-mjqm-fhvj","cve":"CVE-2026-6365","affectedVersions":"\u003E=11.3.0,\u003C11.3.7|\u003E=11.0.0,\u003C11.2.11|\u003E=10.6.0,\u003C10.6.7|\u003E=8.0.0,\u003C10.5.9","source":"GitHub","reportedAt":"2026-05-20 00:31:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f3cj-mjqm-fhvj"}]},{"advisoryId":"PKSA-j351-xv4b-pryh","packageName":"drupal\/core","remoteId":"GHSA-xmjc-63pr-2mpg","title":"Drupal core allows Object Injection","link":"https:\/\/github.com\/advisories\/GHSA-xmjc-63pr-2mpg","cve":"CVE-2026-6366","affectedVersions":"\u003E=11.3.0,\u003C11.3.7|\u003E=11.0.0,\u003C11.2.11|\u003E=10.6.0,\u003C10.6.7|\u003E=8.0.0,\u003C10.5.9","source":"GitHub","reportedAt":"2026-05-20 00:31:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-xmjc-63pr-2mpg"}]}],"billabear\/billabear":[{"advisoryId":"PKSA-tks4-h5gc-8mrj","packageName":"billabear\/billabear","remoteId":"GHSA-xp6r-8pcc-xv5p","title":"BillaBear is Vulnerable to SQL Injection in the EventRepository","link":"https:\/\/github.com\/advisories\/GHSA-xp6r-8pcc-xv5p","cve":"CVE-2026-31069","affectedVersions":"\u003C=2025.01.03","source":"GitHub","reportedAt":"2026-05-19 18:32:11","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xp6r-8pcc-xv5p"}]}],"shopware\/core":[{"advisoryId":"PKSA-yt77-qm1k-2vvb","packageName":"shopware\/core","remoteId":"GHSA-7w52-7jvm-m9vw","title":"Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames","link":"https:\/\/github.com\/advisories\/GHSA-7w52-7jvm-m9vw","cve":"CVE-2026-48011","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:31:17","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-7w52-7jvm-m9vw"}]},{"advisoryId":"PKSA-xknd-fd7t-crfc","packageName":"shopware\/core","remoteId":"GHSA-4x3x-869w-xx3m","title":"Shopware SSO referer trust leading to an arbitrary redirect target","link":"https:\/\/github.com\/advisories\/GHSA-4x3x-869w-xx3m","cve":"CVE-2026-48012","affectedVersions":"\u003E=6.7.3.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:32:35","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4x3x-869w-xx3m"}]},{"advisoryId":"PKSA-rnpb-7fbj-phyz","packageName":"shopware\/core","remoteId":"GHSA-f8q6-3g5w-jjr6","title":"Shopware: Admin API ACL Bypass in Order State Transition Endpoints","link":"https:\/\/github.com\/advisories\/GHSA-f8q6-3g5w-jjr6","cve":"CVE-2026-48014","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:33:02","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f8q6-3g5w-jjr6"}]},{"advisoryId":"PKSA-y5sy-w7mt-r97k","packageName":"shopware\/core","remoteId":"GHSA-9v5m-39wh-5chq","title":"Shopware: Unauthorized Payment Trigger for Foreign Orders via \/store-api\/handle-payment","link":"https:\/\/github.com\/advisories\/GHSA-9v5m-39wh-5chq","cve":"CVE-2026-48016","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:33:54","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-9v5m-39wh-5chq"}]},{"advisoryId":"PKSA-qf56-zbmm-29m8","packageName":"shopware\/core","remoteId":"GHSA-xvhc-gm7j-mhmc","title":"Shopware: Stored XSS via SVG file upload \u2014 no SVG sanitization","link":"https:\/\/github.com\/advisories\/GHSA-xvhc-gm7j-mhmc","cve":"CVE-2026-48015","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:35:26","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-xvhc-gm7j-mhmc"}]},{"advisoryId":"PKSA-9x83-17hb-ky3t","packageName":"shopware\/core","remoteId":"GHSA-gq96-5pfx-f4vc","title":"Shopware: SSRF in Media External-Link Endpoint Bypasses IP Validation","link":"https:\/\/github.com\/advisories\/GHSA-gq96-5pfx-f4vc","cve":"CVE-2026-48013","affectedVersions":"\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:36:07","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gq96-5pfx-f4vc"}]},{"advisoryId":"PKSA-zymb-qg2c-csgb","packageName":"shopware\/core","remoteId":"GHSA-gv8p-48fr-4fxg","title":"Shopware: Privilege Escalation via Sync API Integration Admin Flag Bypass","link":"https:\/\/github.com\/advisories\/GHSA-gv8p-48fr-4fxg","cve":"CVE-2026-48008","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:23:33","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gv8p-48fr-4fxg"}]},{"advisoryId":"PKSA-946b-qy3w-67d7","packageName":"shopware\/core","remoteId":"GHSA-8v9p-g828-v98f","title":"Shopware: Admin Account Takeover via User Recovery Hash Exposure","link":"https:\/\/github.com\/advisories\/GHSA-8v9p-g828-v98f","cve":"CVE-2026-48009","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:27:15","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-8v9p-g828-v98f"}]},{"advisoryId":"PKSA-fstf-sh35-tmx7","packageName":"shopware\/core","remoteId":"GHSA-v39m-97p8-gqg7","title":"Shopware: Privilege escalation: non-admin user with user:create ACL can create admin accounts","link":"https:\/\/github.com\/advisories\/GHSA-v39m-97p8-gqg7","cve":"CVE-2026-48010","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:28:29","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-v39m-97p8-gqg7"}]}],"shopware\/platform":[{"advisoryId":"PKSA-xwkj-rryn-xz6v","packageName":"shopware\/platform","remoteId":"GHSA-7w52-7jvm-m9vw","title":"Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames","link":"https:\/\/github.com\/advisories\/GHSA-7w52-7jvm-m9vw","cve":"CVE-2026-48011","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:31:17","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-7w52-7jvm-m9vw"}]},{"advisoryId":"PKSA-54rn-sm9v-17vx","packageName":"shopware\/platform","remoteId":"GHSA-4x3x-869w-xx3m","title":"Shopware SSO referer trust leading to an arbitrary redirect target","link":"https:\/\/github.com\/advisories\/GHSA-4x3x-869w-xx3m","cve":"CVE-2026-48012","affectedVersions":"\u003E=6.7.3.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:32:35","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4x3x-869w-xx3m"}]},{"advisoryId":"PKSA-1xdm-446c-t7rz","packageName":"shopware\/platform","remoteId":"GHSA-f8q6-3g5w-jjr6","title":"Shopware: Admin API ACL Bypass in Order State Transition Endpoints","link":"https:\/\/github.com\/advisories\/GHSA-f8q6-3g5w-jjr6","cve":"CVE-2026-48014","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:33:02","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f8q6-3g5w-jjr6"}]},{"advisoryId":"PKSA-6c8x-wdsy-zx17","packageName":"shopware\/platform","remoteId":"GHSA-9v5m-39wh-5chq","title":"Shopware: Unauthorized Payment Trigger for Foreign Orders via \/store-api\/handle-payment","link":"https:\/\/github.com\/advisories\/GHSA-9v5m-39wh-5chq","cve":"CVE-2026-48016","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:33:54","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-9v5m-39wh-5chq"}]},{"advisoryId":"PKSA-xngt-2zh8-qhq6","packageName":"shopware\/platform","remoteId":"GHSA-xvhc-gm7j-mhmc","title":"Shopware: Stored XSS via SVG file upload \u2014 no SVG sanitization","link":"https:\/\/github.com\/advisories\/GHSA-xvhc-gm7j-mhmc","cve":"CVE-2026-48015","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:35:26","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-xvhc-gm7j-mhmc"}]},{"advisoryId":"PKSA-yg4m-g48j-bdvp","packageName":"shopware\/platform","remoteId":"GHSA-gq96-5pfx-f4vc","title":"Shopware: SSRF in Media External-Link Endpoint Bypasses IP Validation","link":"https:\/\/github.com\/advisories\/GHSA-gq96-5pfx-f4vc","cve":"CVE-2026-48013","affectedVersions":"\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:36:07","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gq96-5pfx-f4vc"}]},{"advisoryId":"PKSA-b8bq-4ngt-d89p","packageName":"shopware\/platform","remoteId":"GHSA-gv8p-48fr-4fxg","title":"Shopware: Privilege Escalation via Sync API Integration Admin Flag Bypass","link":"https:\/\/github.com\/advisories\/GHSA-gv8p-48fr-4fxg","cve":"CVE-2026-48008","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:23:33","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gv8p-48fr-4fxg"}]},{"advisoryId":"PKSA-tk1x-h875-8y1s","packageName":"shopware\/platform","remoteId":"GHSA-8v9p-g828-v98f","title":"Shopware: Admin Account Takeover via User Recovery Hash Exposure","link":"https:\/\/github.com\/advisories\/GHSA-8v9p-g828-v98f","cve":"CVE-2026-48009","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:27:15","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-8v9p-g828-v98f"}]},{"advisoryId":"PKSA-xbrd-fvys-3t24","packageName":"shopware\/platform","remoteId":"GHSA-v39m-97p8-gqg7","title":"Shopware: Privilege escalation: non-admin user with user:create ACL can create admin accounts","link":"https:\/\/github.com\/advisories\/GHSA-v39m-97p8-gqg7","cve":"CVE-2026-48010","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:28:29","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-v39m-97p8-gqg7"}]}],"wwbn\/avideo":[{"advisoryId":"PKSA-k9kk-fbnx-923m","packageName":"wwbn\/avideo","remoteId":"GHSA-2fhx-q92v-5fhv","title":"WWBN AVideo: Stored XSS via autoEvalCodeOnHTML Bypass in MessageSQLite WebSocket Handler (CVE-2026-43874 Bypass)","link":"https:\/\/github.com\/advisories\/GHSA-2fhx-q92v-5fhv","cve":"CVE-2026-49279","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-06-04 18:55:04","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-2fhx-q92v-5fhv"}]},{"advisoryId":"PKSA-s76b-xf2h-zmsc","packageName":"wwbn\/avideo","remoteId":"GHSA-hgjh-6wj8-gcgf","title":"WWBN AVideo: Unauthenticated Reflected XSS via $_GET[\u0027search\u0027] in AVideo YouTubeAPI Gallery Pagination","link":"https:\/\/github.com\/advisories\/GHSA-hgjh-6wj8-gcgf","cve":"CVE-2026-50182","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-06-04 18:55:58","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hgjh-6wj8-gcgf"}]},{"advisoryId":"PKSA-qfq6-tncf-8grt","packageName":"wwbn\/avideo","remoteId":"GHSA-66q5-cj5g-wrfx","title":"WWBN AVideo: Stored XSS via Hostile YouTube Video Title in AVideo YouTubeAPI Gallery Section","link":"https:\/\/github.com\/advisories\/GHSA-66q5-cj5g-wrfx","cve":"CVE-2026-50183","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-06-04 18:56:53","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-66q5-cj5g-wrfx"}]},{"advisoryId":"PKSA-rftd-5wbt-6qx1","packageName":"wwbn\/avideo","remoteId":"GHSA-8whc-2wmv-ww35","title":"WWBN AVideo: Unauthenticated Stored DOM Cross-Site Scripting via Per-Client Metadata Broadcast in YPTSocket Plugin","link":"https:\/\/github.com\/advisories\/GHSA-8whc-2wmv-ww35","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-06-04 18:57:50","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-8whc-2wmv-ww35"}]},{"advisoryId":"PKSA-4cz6-6cfv-8gy3","packageName":"wwbn\/avideo","remoteId":"GHSA-c8h8-vq34-9fw2","title":"WWBN AVideo: Stored XSS via unescaped Gallery category description","link":"https:\/\/github.com\/advisories\/GHSA-c8h8-vq34-9fw2","cve":"CVE-2026-47694","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-06-04 18:46:31","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-c8h8-vq34-9fw2"}]},{"advisoryId":"PKSA-59k2-q697-bf8x","packageName":"wwbn\/avideo","remoteId":"GHSA-9392-pj54-qqf8","title":"WWBN AVideo: Authenticated wallet credit bypass in AuthorizeNet processPayment endpoint","link":"https:\/\/github.com\/advisories\/GHSA-9392-pj54-qqf8","cve":"CVE-2026-47696","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-06-04 18:47:35","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-9392-pj54-qqf8"}]}],"easycorp\/easyadmin-bundle":[{"advisoryId":"PKSA-8yhb-cz5n-f41h","packageName":"easycorp\/easyadmin-bundle","remoteId":"easycorp\/easyadmin-bundle\/GHSA-8559-gwj3-q37r.yaml","title":"Stored Cross-Site Scripting (XSS) via uploaded files served inline in FileField and ImageField","link":"https:\/\/github.com\/EasyCorp\/EasyAdminBundle\/security\/advisories\/GHSA-8559-gwj3-q37r","cve":null,"affectedVersions":"\u003E=5.0.0,\u003C5.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-04 06:43:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"easycorp\/easyadmin-bundle\/GHSA-8559-gwj3-q37r.yaml"}]},{"advisoryId":"PKSA-z6tn-c4hk-yb9y","packageName":"easycorp\/easyadmin-bundle","remoteId":"easycorp\/easyadmin-bundle\/GHSA-2wwr-9x6f-88gp.yaml","title":"Path traversal and reflected XSS in Flag and Icon Twig components","link":"https:\/\/github.com\/EasyCorp\/EasyAdminBundle\/security\/advisories\/GHSA-2wwr-9x6f-88gp","cve":null,"affectedVersions":"\u003E=4.0.0,\u003C4.29.10|\u003E=5.0.0,\u003C5.0.10","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-28 18:30:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"easycorp\/easyadmin-bundle\/GHSA-2wwr-9x6f-88gp.yaml"}]}],"froxlor\/froxlor":[{"advisoryId":"PKSA-bhjh-v6gp-f43f","packageName":"froxlor\/froxlor","remoteId":"GHSA-f9rx-7wf7-jr36","title":"Froxlor\u0027s API Authentication bypasses 2FA Authentication","link":"https:\/\/github.com\/advisories\/GHSA-f9rx-7wf7-jr36","cve":null,"affectedVersions":"\u003C2.3.7","source":"GitHub","reportedAt":"2026-06-03 21:41:12","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-f9rx-7wf7-jr36"}]},{"advisoryId":"PKSA-jryy-96vk-jczz","packageName":"froxlor\/froxlor","remoteId":"GHSA-37m5-m4q3-fc6x","title":"Froxlor: BIND Zone File Injection via TXT Record Content","link":"https:\/\/github.com\/advisories\/GHSA-37m5-m4q3-fc6x","cve":"CVE-2026-41234","affectedVersions":"\u003C=2.3.6","source":"GitHub","reportedAt":"2026-06-03 21:02:12","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-37m5-m4q3-fc6x"}]},{"advisoryId":"PKSA-vtjk-w45q-7qyz","packageName":"froxlor\/froxlor","remoteId":"GHSA-mq5v-pxpm-8jw2","title":"Froxlor has privilege escalation in SSH key synchronization via symlinked `authorized_keys` path","link":"https:\/\/github.com\/advisories\/GHSA-mq5v-pxpm-8jw2","cve":"CVE-2026-41236","affectedVersions":"=2.3.6","source":"GitHub","reportedAt":"2026-05-29 15:40:23","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-mq5v-pxpm-8jw2"}]},{"advisoryId":"PKSA-sn72-k1q6-w5r5","packageName":"froxlor\/froxlor","remoteId":"GHSA-j6fm-9rfm-j5hx","title":"Froxlor has an incomplete fix for CVE-2026-30932","link":"https:\/\/github.com\/advisories\/GHSA-j6fm-9rfm-j5hx","cve":"CVE-2026-41237","affectedVersions":"\u003C=2.3.6","source":"GitHub","reportedAt":"2026-05-29 15:45:31","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-j6fm-9rfm-j5hx"}]},{"advisoryId":"PKSA-yjh3-nghh-xpft","packageName":"froxlor\/froxlor","remoteId":"GHSA-gcv3-5v9q-fmhh","title":"Froxlor has an authorization bypass in FTP shell assignment via missing server-side `available_shells` enforcement","link":"https:\/\/github.com\/advisories\/GHSA-gcv3-5v9q-fmhh","cve":"CVE-2026-41235","affectedVersions":"=2.3.6","source":"GitHub","reportedAt":"2026-05-29 15:36:26","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-gcv3-5v9q-fmhh"}]}],"backpack\/crud":[{"advisoryId":"PKSA-8yrj-8khf-srxh","packageName":"backpack\/crud","remoteId":"GHSA-m8xx-3x29-84h8","title":"backpack\/crud is vulnerable to Cross-Site Scripting (XSS)","link":"https:\/\/github.com\/advisories\/GHSA-m8xx-3x29-84h8","cve":"CVE-2022-31114","affectedVersions":"\u003C4.0.63|\u003E=4.1.0,\u003C4.1.69|\u003E=5.0.0,\u003C5.0.13","source":"GitHub","reportedAt":"2026-06-03 20:25:50","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-m8xx-3x29-84h8"}]}],"laravel\/framework":[{"advisoryId":"PKSA-mdq4-51ck-6kdq","packageName":"laravel\/framework","remoteId":"laravel\/framework\/CVE-2026-48019.yaml","title":"Laravel CRLF injection in default email rule","link":"https:\/\/github.com\/laravel\/framework\/security\/advisories\/GHSA-5vg9-5847-vvmq","cve":"CVE-2026-48019","affectedVersions":"\u003E=9.0.0,\u003C10.0.0|\u003E=10.0.0,\u003C11.0.0|\u003E=11.0.0,\u003C12.0.0|\u003E=12.0.0,\u003C12.60.0|\u003E=13.0.0,\u003C13.10.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-19 18:13:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"laravel\/framework\/CVE-2026-48019.yaml"}]}],"illuminate\/mail":[{"advisoryId":"PKSA-zwc5-qtrz-zm1n","packageName":"illuminate\/mail","remoteId":"illuminate\/mail\/CVE-2026-48019.yaml","title":"Laravel CRLF injection in default email rule","link":"https:\/\/github.com\/laravel\/framework\/security\/advisories\/GHSA-5vg9-5847-vvmq","cve":"CVE-2026-48019","affectedVersions":"\u003E=9.0.0,\u003C10.0.0|\u003E=10.0.0,\u003C11.0.0|\u003E=11.0.0,\u003C12.0.0|\u003E=12.0.0,\u003C12.60.0|\u003E=13.0.0,\u003C13.10.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-19 18:13:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"illuminate\/mail\/CVE-2026-48019.yaml"}]}],"verbb\/formie":[{"advisoryId":"PKSA-2h9w-qq3j-93vt","packageName":"verbb\/formie","remoteId":"GHSA-pgxq-p76c-x9cg","title":"formie\u0027s unauthenticated front-end submission editing can overwrite existing submissions","link":"https:\/\/github.com\/advisories\/GHSA-pgxq-p76c-x9cg","cve":"CVE-2026-47266","affectedVersions":"\u003C2.2.21|\u003E=3.0.0,\u003C3.1.26","source":"GitHub","reportedAt":"2026-05-29 22:19:19","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pgxq-p76c-x9cg"}]}],"admidio\/admidio":[{"advisoryId":"PKSA-7hzm-szv2-dny3","packageName":"admidio\/admidio","remoteId":"GHSA-xg76-5qj2-2hhv","title":"Admidio: CSRF in SSO client `enable` action toggles SAML\/OIDC clients without token validation","link":"https:\/\/github.com\/advisories\/GHSA-xg76-5qj2-2hhv","cve":"CVE-2026-47229","affectedVersions":"\u003C=5.0.9","source":"GitHub","reportedAt":"2026-05-29 22:01:58","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-xg76-5qj2-2hhv"}]},{"advisoryId":"PKSA-hs5n-pnrm-d3b9","packageName":"admidio\/admidio","remoteId":"GHSA-q6w3-hpfv-rg36","title":"Admidio: IDOR in documents-files.php allows cross-folder file rename and description changes by unauthorized uploaders","link":"https:\/\/github.com\/advisories\/GHSA-q6w3-hpfv-rg36","cve":"CVE-2026-47230","affectedVersions":"\u003C=5.0.9","source":"GitHub","reportedAt":"2026-05-29 22:05:47","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-q6w3-hpfv-rg36"}]},{"advisoryId":"PKSA-3qmd-8hcr-xs96","packageName":"admidio\/admidio","remoteId":"GHSA-x628-457g-2pw9","title":"Admidio has IDOR in `documents-files.php` `mode=move_save` that lets any folder-uploader exfiltrate files from private folders","link":"https:\/\/github.com\/advisories\/GHSA-x628-457g-2pw9","cve":"CVE-2026-47231","affectedVersions":"\u003C=5.0.9","source":"GitHub","reportedAt":"2026-05-29 22:06:48","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-x628-457g-2pw9"}]},{"advisoryId":"PKSA-94fb-rmqx-1b5r","packageName":"admidio\/admidio","remoteId":"GHSA-4rgq-38mh-9xqg","title":"Admidio PKCS#12 private key export action lacks CSRF protection","link":"https:\/\/github.com\/advisories\/GHSA-4rgq-38mh-9xqg","cve":"CVE-2026-47232","affectedVersions":"\u003C=5.0.9","source":"GitHub","reportedAt":"2026-05-29 22:07:24","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4rgq-38mh-9xqg"}]},{"advisoryId":"PKSA-rcfv-x5hj-zr3k","packageName":"admidio\/admidio","remoteId":"GHSA-mch8-wf3h-6x88","title":"Admidio writes session IDs and auto-login cookie values to application logs","link":"https:\/\/github.com\/advisories\/GHSA-mch8-wf3h-6x88","cve":"CVE-2026-47234","affectedVersions":"\u003C=5.0.9","source":"GitHub","reportedAt":"2026-05-29 22:07:52","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-mch8-wf3h-6x88"}]},{"advisoryId":"PKSA-k742-4y2v-1nnc","packageName":"admidio\/admidio","remoteId":"GHSA-xw54-c3mx-9pm3","title":"Admidio: Any logged-in user can delete inventory fields via `mode=field_delete` \u2014 incomplete fix of #2024","link":"https:\/\/github.com\/advisories\/GHSA-xw54-c3mx-9pm3","cve":"CVE-2026-47233","affectedVersions":"\u003C=5.0.9","source":"GitHub","reportedAt":"2026-05-29 22:09:38","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-xw54-c3mx-9pm3"}]},{"advisoryId":"PKSA-wkrr-fx7h-y1x9","packageName":"admidio\/admidio","remoteId":"GHSA-qc4c-hrmc-4f78","title":"Admidio: Authorization bypass in file_delete enables cross-folder file removal by authenticated users without delete privileges","link":"https:\/\/github.com\/advisories\/GHSA-qc4c-hrmc-4f78","cve":"CVE-2026-47226","affectedVersions":"\u003C=5.0.9","source":"GitHub","reportedAt":"2026-05-29 21:54:09","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-qc4c-hrmc-4f78"}]},{"advisoryId":"PKSA-34vw-5145-vh4w","packageName":"admidio\/admidio","remoteId":"GHSA-rwjr-qjj3-mq2f","title":"Admidio module-administrator can delete or reorder categories owned by other modules via dead authorization check in `modules\/categories.php`","link":"https:\/\/github.com\/advisories\/GHSA-rwjr-qjj3-mq2f","cve":"CVE-2026-47227","affectedVersions":"\u003C=5.0.9","source":"GitHub","reportedAt":"2026-05-29 21:57:05","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-rwjr-qjj3-mq2f"}]},{"advisoryId":"PKSA-z3z8-m2ny-zj6b","packageName":"admidio\/admidio","remoteId":"GHSA-mx25-j3rc-6w2w","title":"Admidio\u0027s CSRF in registration `send_login` mode resets arbitrary user passwords","link":"https:\/\/github.com\/advisories\/GHSA-mx25-j3rc-6w2w","cve":"CVE-2026-47228","affectedVersions":"\u003C=5.0.9","source":"GitHub","reportedAt":"2026-05-29 21:58:44","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-mx25-j3rc-6w2w"}]}],"phanan\/koel":[{"advisoryId":"PKSA-bprq-tfgm-1hd2","packageName":"phanan\/koel","remoteId":"GHSA-7j2f-6h2r-6cqc","title":"Koel Vulnerable to SSRF via Podcast Episode Enclosure URLs","link":"https:\/\/github.com\/advisories\/GHSA-7j2f-6h2r-6cqc","cve":"CVE-2026-47260","affectedVersions":"\u003C=9.3.4","source":"GitHub","reportedAt":"2026-05-29 19:56:06","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-7j2f-6h2r-6cqc"}]}],"ezsystems\/ezpublish-legacy":[{"advisoryId":"PKSA-vrcj-tzjw-khtt","packageName":"ezsystems\/ezpublish-legacy","remoteId":"GHSA-xg9x-h37w-h3r3","title":"ezsystems\/ezpublish-legacy has a SQL injection in dfscleanup","link":"https:\/\/github.com\/advisories\/GHSA-xg9x-h37w-h3r3","cve":"CVE-2026-38739","affectedVersions":"=2019.03","source":"GitHub","reportedAt":"2026-05-29 19:07:38","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xg9x-h37w-h3r3"}]}],"symfony\/ux-live-component":[{"advisoryId":"PKSA-kwkg-rq7h-gh18","packageName":"symfony\/ux-live-component","remoteId":"symfony\/ux-live-component\/CVE-2026-49208.yaml","title":"symfony\/ux-live-component Format-less date LiveProps parsed with the permissive DateTime constructor","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-89g7-22c8-3j23","cve":"CVE-2026-49208","affectedVersions":"\u003E=2.8.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-live-component\/CVE-2026-49208.yaml"}]},{"advisoryId":"PKSA-tv34-cfvx-rr9r","packageName":"symfony\/ux-live-component","remoteId":"symfony\/ux-live-component\/CVE-2026-49209.yaml","title":"symfony\/ux-live-component Denial of service via unbounded batch action requests","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-mm82-c99c-h2cf","cve":"CVE-2026-49209","affectedVersions":"\u003E=2.5.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-live-component\/CVE-2026-49209.yaml"}]},{"advisoryId":"PKSA-ks3q-z9y3-61pz","packageName":"symfony\/ux-live-component","remoteId":"symfony\/ux-live-component\/CVE-2026-49215.yaml","title":"symfony\/ux-live-component CSRF Protection Bypass: Accept Header is CORS-Safelisted","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-4m4j-hmqq-3gxm","cve":"CVE-2026-49215","affectedVersions":"\u003E=2.22.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-live-component\/CVE-2026-49215.yaml"}]},{"advisoryId":"PKSA-87hx-5gp4-x12b","packageName":"symfony\/ux-live-component","remoteId":"symfony\/ux-live-component\/CVE-2026-49210.yaml","title":"symfony\/ux-live-component XSS via attacker-controlled child component tag","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-38x5-rcv4-xf7x","cve":"CVE-2026-49210","affectedVersions":"\u003E=2.8.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-live-component\/CVE-2026-49210.yaml"}]},{"advisoryId":"PKSA-wxdb-kw41-yhdy","packageName":"symfony\/ux-live-component","remoteId":"symfony\/ux-live-component\/CVE-2026-49212.yaml","title":"symfony\/ux-live-component LiveComponentHydrator HMAC checksum lacks component and slot binding","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-34w5-c283-j9fg","cve":"CVE-2026-49212","affectedVersions":"\u003E=2.8.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-live-component\/CVE-2026-49212.yaml"}]}],"symfony\/ux-autocomplete":[{"advisoryId":"PKSA-q7f1-2s55-5c1z","packageName":"symfony\/ux-autocomplete","remoteId":"symfony\/ux-autocomplete\/CVE-2026-49216.yaml","title":"symfony\/ux-autocomplete XSS via unescaped AJAX response data","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-mwqm-4fw3-cjvr","cve":"CVE-2026-49216","affectedVersions":"\u003E=2.2.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-autocomplete\/CVE-2026-49216.yaml"}]},{"advisoryId":"PKSA-msh7-gxqk-k56q","packageName":"symfony\/ux-autocomplete","remoteId":"symfony\/ux-autocomplete\/CVE-2026-49211.yaml","title":"symfony\/ux-autocomplete Information exposure via unescaped LIKE wildcards in EntitySearchUtil","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-946h-jp5c-8fvh","cve":"CVE-2026-49211","affectedVersions":"\u003E=2.2.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 08:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-autocomplete\/CVE-2026-49211.yaml"}]}],"spatie\/schema-org":[{"advisoryId":"PKSA-6mmh-w4kg-c2xp","packageName":"spatie\/schema-org","remoteId":"spatie\/schema-org\/2026-04-20.yaml","title":"Cross-site scripting (XSS) via script break-out in toScript() output","link":"https:\/\/github.com\/spatie\/schema-org\/releases\/tag\/4.0.2","cve":null,"affectedVersions":"\u003E=3.23.1,\u003C3.23.2|\u003E=4.0.0,\u003C4.0.2","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-04-20 00:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"spatie\/schema-org\/2026-04-20.yaml"}]}],"symfony\/polyfill":[{"advisoryId":"PKSA-df53-cqz9-c3zn","packageName":"symfony\/polyfill","remoteId":"symfony\/polyfill\/CVE-2026-46644.yaml","title":"CVE-2026-46644: symfony\/polyfill-intl-idn accepts xn-- labels whose Punycode payload decodes to ASCII-only: insecure equivalence","link":"https:\/\/symfony.com\/cve-2026-46644","cve":"CVE-2026-46644","affectedVersions":"\u003E=1.17.1,\u003C1.38.1","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-2xf4-cg6j-vhgq"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/polyfill\/CVE-2026-46644.yaml"}]}],"symfony\/polyfill-intl-idn":[{"advisoryId":"PKSA-dwsq-ppd2-mb1x","packageName":"symfony\/polyfill-intl-idn","remoteId":"symfony\/polyfill-intl-idn\/CVE-2026-46644.yaml","title":"CVE-2026-46644: symfony\/polyfill-intl-idn accepts xn-- labels whose Punycode payload decodes to ASCII-only: insecure equivalence","link":"https:\/\/symfony.com\/cve-2026-46644","cve":"CVE-2026-46644","affectedVersions":"\u003E=1.17.1,\u003C1.38.1","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-2xf4-cg6j-vhgq"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/polyfill-intl-idn\/CVE-2026-46644.yaml"}]}],"tpwd\/ke_search":[{"advisoryId":"PKSA-cy57-p12b-t759","packageName":"tpwd\/ke_search","remoteId":"tpwd\/ke_search\/CVE-2026-46722.yaml","title":"TYPO3-EXT-SA-2026-011: XML External Entity Injection in extension \u0022Faceted Search\u0022 (ke_search)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2026-011","cve":"CVE-2026-46722","affectedVersions":"\u003E=7.0.0,\u003C7.0.1|\u003E=6.0.0,\u003C6.6.1|\u003E=5.0.0,\u003C5.6.2|\u003C4.6.7","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-18 14:30:45","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"tpwd\/ke_search\/CVE-2026-46722.yaml"}]},{"advisoryId":"PKSA-ybqg-nm5d-my8d","packageName":"tpwd\/ke_search","remoteId":"tpwd\/ke_search\/CVE-2026-46724.yaml","title":"TYPO3-EXT-SA-2026-011: Path Traversal in extension \u0022Faceted Search\u0022 (ke_search)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2026-011","cve":"CVE-2026-46724","affectedVersions":"\u003E=7.0.0,\u003C7.0.1|\u003E=6.0.0,\u003C6.6.1|\u003E=5.0.0,\u003C5.6.2|\u003C4.6.7","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-18 14:30:45","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"tpwd\/ke_search\/CVE-2026-46724.yaml"}]}],"georgringer\/news":[{"advisoryId":"PKSA-grgc-xpj3-tvw1","packageName":"georgringer\/news","remoteId":"georgringer\/news\/CVE-2026-8726.yaml","title":"SQL Injection in extension \u0022News system\u0022 (news)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2026-010","cve":"CVE-2026-8726","affectedVersions":"\u003C10.0.4|\u003E=11.0.0,\u003C11.4.4|\u003E=12.0.0,\u003C12.3.2|\u003E=13.0.0,\u003C13.0.2|\u003E=14.0.0,\u003C14.0.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-19 12:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"georgringer\/news\/CVE-2026-8726.yaml"}]}],"thorsten\/phpmyfaq":[{"advisoryId":"PKSA-64xv-jbdm-pg2q","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-9qv9-8xv6-5p35","title":"phpMyFAQ: Unauthenticated Password Reset Endpoint Allows User Enumeration and Forced Password Change Without Token Validation","link":"https:\/\/github.com\/advisories\/GHSA-9qv9-8xv6-5p35","cve":"CVE-2026-35676","affectedVersions":"\u003C4.1.3","source":"GitHub","reportedAt":"2026-05-20 15:45:53","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-9qv9-8xv6-5p35"}]},{"advisoryId":"PKSA-ttcw-fg74-jv2w","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-xvp4-phqj-cjr3","title":"phpMyFAQ: IDOR Account Takeover ","link":"https:\/\/github.com\/advisories\/GHSA-xvp4-phqj-cjr3","cve":"CVE-2026-35671","affectedVersions":"\u003C4.1.3","source":"GitHub","reportedAt":"2026-05-20 15:46:17","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xvp4-phqj-cjr3"}]},{"advisoryId":"PKSA-jk8b-rmby-gztg","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-gp95-j463-vv28","title":"phpMyFAQ: Default Empty API Token Authentication Bypass","link":"https:\/\/github.com\/advisories\/GHSA-gp95-j463-vv28","cve":"CVE-2026-35672","affectedVersions":"\u003C=4.1.2","source":"GitHub","reportedAt":"2026-05-20 15:46:42","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-gp95-j463-vv28"}]},{"advisoryId":"PKSA-x1b3-f9q9-1brm","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-w9xh-5f39-vq89","title":"phpMyFAQ: Missing Password Reset Token Allows Account Takeover via Username\/Email Enumeration","link":"https:\/\/github.com\/advisories\/GHSA-w9xh-5f39-vq89","cve":"CVE-2026-35675","affectedVersions":"\u003C4.1.3","source":"GitHub","reportedAt":"2026-05-20 15:46:55","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-w9xh-5f39-vq89"}]}],"phpmyfaq\/phpmyfaq":[{"advisoryId":"PKSA-1ckg-7bmf-xkmp","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-9qv9-8xv6-5p35","title":"phpMyFAQ: Unauthenticated Password Reset Endpoint Allows User Enumeration and Forced Password Change Without Token Validation","link":"https:\/\/github.com\/advisories\/GHSA-9qv9-8xv6-5p35","cve":"CVE-2026-35676","affectedVersions":"\u003C4.1.3","source":"GitHub","reportedAt":"2026-05-20 15:45:53","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-9qv9-8xv6-5p35"}]},{"advisoryId":"PKSA-vdjw-v652-d3d9","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-xvp4-phqj-cjr3","title":"phpMyFAQ: IDOR Account Takeover ","link":"https:\/\/github.com\/advisories\/GHSA-xvp4-phqj-cjr3","cve":"CVE-2026-35671","affectedVersions":"\u003C4.1.3","source":"GitHub","reportedAt":"2026-05-20 15:46:17","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xvp4-phqj-cjr3"}]},{"advisoryId":"PKSA-xr26-9czp-vbgk","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-gp95-j463-vv28","title":"phpMyFAQ: Default Empty API Token Authentication Bypass","link":"https:\/\/github.com\/advisories\/GHSA-gp95-j463-vv28","cve":"CVE-2026-35672","affectedVersions":"\u003C=4.1.2","source":"GitHub","reportedAt":"2026-05-20 15:46:42","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-gp95-j463-vv28"}]},{"advisoryId":"PKSA-527c-n963-c1j5","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-w9xh-5f39-vq89","title":"phpMyFAQ: Missing Password Reset Token Allows Account Takeover via Username\/Email Enumeration","link":"https:\/\/github.com\/advisories\/GHSA-w9xh-5f39-vq89","cve":"CVE-2026-35675","affectedVersions":"\u003C4.1.3","source":"GitHub","reportedAt":"2026-05-20 15:46:55","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-w9xh-5f39-vq89"}]}],"symfony\/mailtrap-mailer":[{"advisoryId":"PKSA-n517-312t-6vqg","packageName":"symfony\/mailtrap-mailer","remoteId":"symfony\/mailtrap-mailer\/CVE-2026-45755.yaml","title":"CVE-2026-45755: Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC: Unauthenticated Webhook Event Injection","link":"https:\/\/symfony.com\/cve-2026-45755","cve":"CVE-2026-45755","affectedVersions":"\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-59f3-vp2f-mp9w"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/mailtrap-mailer\/CVE-2026-45755.yaml"}]}],"symfony\/lox24-notifier":[{"advisoryId":"PKSA-675k-fhbn-1yh5","packageName":"symfony\/lox24-notifier","remoteId":"symfony\/lox24-notifier\/CVE-2026-45754.yaml","title":"CVE-2026-45754: Mailjet Mailer and LOX24 Notifier Webhook Parsers Never Verify the Configured Secret: Unauthenticated Webhook Event Injection","link":"https:\/\/symfony.com\/cve-2026-45754","cve":"CVE-2026-45754","affectedVersions":"\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-64hg-93w9-fc35"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/lox24-notifier\/CVE-2026-45754.yaml"}]}],"symfony\/mailjet-mailer":[{"advisoryId":"PKSA-swxr-w76k-fd2b","packageName":"symfony\/mailjet-mailer","remoteId":"symfony\/mailjet-mailer\/CVE-2026-45754.yaml","title":"CVE-2026-45754: Mailjet Mailer and LOX24 Notifier Webhook Parsers Never Verify the Configured Secret: Unauthenticated Webhook Event Injection","link":"https:\/\/symfony.com\/cve-2026-45754","cve":"CVE-2026-45754","affectedVersions":"\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-64hg-93w9-fc35"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/mailjet-mailer\/CVE-2026-45754.yaml"}]}],"symfony\/symfony":[{"advisoryId":"PKSA-kp1y-8sfh-4r87","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45753.yaml","title":"CVE-2026-45753: HtmlSanitizer UrlAttributeSanitizer Omits action\/formaction\/poster\/cite: javascript: URI Survives Sanitization (XSS)","link":"https:\/\/symfony.com\/cve-2026-45753","cve":"CVE-2026-45753","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-hhg7-c65m-h7ff"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45753.yaml"}]},{"advisoryId":"PKSA-3ds8-wrg2-pjdq","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45754.yaml","title":"CVE-2026-45754: Mailjet Mailer and LOX24 Notifier Webhook Parsers Never Verify the Configured Secret: Unauthenticated Webhook Event Injection","link":"https:\/\/symfony.com\/cve-2026-45754","cve":"CVE-2026-45754","affectedVersions":"\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-64hg-93w9-fc35"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45754.yaml"}]},{"advisoryId":"PKSA-rgzg-p3v4-grbh","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-47212.yaml","title":"CVE-2026-47212: Twilio Notifier Webhook Parser Never Verifies the X-Twilio-Signature HMAC: Unauthenticated Webhook Event Injection","link":"https:\/\/symfony.com\/cve-2026-47212","cve":"CVE-2026-47212","affectedVersions":"\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-55rj-x2vc-4whq"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-47212.yaml"}]},{"advisoryId":"PKSA-94ry-294g-7bbc","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45756.yaml","title":"CVE-2026-45756: JsonPath Evaluates Attacker-Controlled Regular Expressions in match()\/search() Without Limits: ReDoS","link":"https:\/\/symfony.com\/cve-2026-45756","cve":"CVE-2026-45756","affectedVersions":"\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-8v8v-g73j-492j"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45756.yaml"}]},{"advisoryId":"PKSA-1jhn-nv8n-vjk2","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45755.yaml","title":"CVE-2026-45755: Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC: Unauthenticated Webhook Event Injection","link":"https:\/\/symfony.com\/cve-2026-45755","cve":"CVE-2026-45755","affectedVersions":"\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-59f3-vp2f-mp9w"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45755.yaml"}]}],"symfony\/twilio-notifier":[{"advisoryId":"PKSA-fgw6-3k5j-cfkn","packageName":"symfony\/twilio-notifier","remoteId":"symfony\/twilio-notifier\/CVE-2026-47212.yaml","title":"CVE-2026-47212: Twilio Notifier Webhook Parser Never Verifies the X-Twilio-Signature HMAC: Unauthenticated Webhook Event Injection","link":"https:\/\/symfony.com\/cve-2026-47212","cve":"CVE-2026-47212","affectedVersions":"\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-55rj-x2vc-4whq"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/twilio-notifier\/CVE-2026-47212.yaml"}]}],"symfony\/json-path":[{"advisoryId":"PKSA-rj1d-mpts-8wrt","packageName":"symfony\/json-path","remoteId":"symfony\/json-path\/CVE-2026-45756.yaml","title":"CVE-2026-45756: JsonPath Evaluates Attacker-Controlled Regular Expressions in match()\/search() Without Limits: ReDoS","link":"https:\/\/symfony.com\/cve-2026-45756","cve":"CVE-2026-45756","affectedVersions":"\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-8v8v-g73j-492j"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/json-path\/CVE-2026-45756.yaml"}]}],"symfony\/html-sanitizer":[{"advisoryId":"PKSA-q2wy-m7mz-kg58","packageName":"symfony\/html-sanitizer","remoteId":"symfony\/html-sanitizer\/CVE-2026-45753.yaml","title":"CVE-2026-45753: HtmlSanitizer UrlAttributeSanitizer Omits action\/formaction\/poster\/cite: javascript: URI Survives Sanitization (XSS)","link":"https:\/\/symfony.com\/cve-2026-45753","cve":"CVE-2026-45753","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.40|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-hhg7-c65m-h7ff"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/html-sanitizer\/CVE-2026-45753.yaml"}]}],"twig\/twig":[{"advisoryId":"PKSA-wwb1-81rc-pd65","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-47730.yaml","title":"XSS in profiler HtmlDumper via unescaped template and profile names","link":"https:\/\/symfony.com\/cve-2026-47730","cve":"CVE-2026-47730","affectedVersions":"\u003E=3.0.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-2g2g-8p8h-fgwm"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-47730.yaml"}]},{"advisoryId":"PKSA-gw7n-z4yx-7xjt","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-24425.yaml","title":"Possible sandbox bypass when using a source policy","link":"https:\/\/symfony.com\/cve-2026-24425","cve":"CVE-2026-24425","affectedVersions":"\u003E=2.16.0,\u003C3.0.0|\u003E=3.9.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-2q52-x2ff-qgfr"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-24425.yaml"}]},{"advisoryId":"PKSA-dpx1-78wg-1kqs","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-47732.yaml","title":"Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points","link":"https:\/\/symfony.com\/cve-2026-47732","cve":"CVE-2026-47732","affectedVersions":"\u003E=1.0.0,\u003C2.0.0|\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pr2w-4gpj-cpq4"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-47732.yaml"}]}],"pimcore\/pimcore":[{"advisoryId":"PKSA-vp19-ydt7-tws9","packageName":"pimcore\/pimcore","remoteId":"GHSA-r2f4-ff2p-xc64","title":"Pimcore Platform - SQL Injection in DataObject composite index handling during class definition import\/save","link":"https:\/\/github.com\/advisories\/GHSA-r2f4-ff2p-xc64","cve":"CVE-2026-5394","affectedVersions":"\u003C=12.3.6","source":"GitHub","reportedAt":"2026-05-28 20:47:10","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-r2f4-ff2p-xc64"}]}]}}