{"advisories":{"concrete5\/concrete5":[{"advisoryId":"PKSA-9s3m-thqq-9cfd","packageName":"concrete5\/concrete5","remoteId":"GHSA-xj25-753j-wgp9","title":"Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete\/controllers\/dialog\/express\/association\/reorder","link":"https:\/\/github.com\/advisories\/GHSA-xj25-753j-wgp9","cve":"CVE-2026-8415","affectedVersions":"\u003E=9.0.0RC1,\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-22 00:31:17","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-xj25-753j-wgp9"}]},{"advisoryId":"PKSA-4vdj-385c-kbs8","packageName":"concrete5\/concrete5","remoteId":"GHSA-qj94-6rx6-27fr","title":"Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete\/controllers\/backend\/file addFavoriteFolder($id)","link":"https:\/\/github.com\/advisories\/GHSA-qj94-6rx6-27fr","cve":"CVE-2026-8416","affectedVersions":"\u003E=9.0.0RC1,\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-22 00:31:17","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-qj94-6rx6-27fr"}]},{"advisoryId":"PKSA-d6mg-vz5r-sfbf","packageName":"concrete5\/concrete5","remoteId":"GHSA-67hj-8239-cmf5","title":"Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete\/controllers\/backend\/file removeFavoriteFolder($id)","link":"https:\/\/github.com\/advisories\/GHSA-67hj-8239-cmf5","cve":"CVE-2026-8427","affectedVersions":"\u003E=9.0.0RC1,\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-22 00:31:17","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-67hj-8239-cmf5"}]},{"advisoryId":"PKSA-q99w-2v6k-kwsc","packageName":"concrete5\/concrete5","remoteId":"GHSA-97jw-gr4m-c5v8","title":"Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete\/controllers\/backend\/file 
star()","link":"https:\/\/github.com\/advisories\/GHSA-97jw-gr4m-c5v8","cve":"CVE-2026-8432","affectedVersions":"\u003E=9.0.0RC1,\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-22 00:31:17","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-97jw-gr4m-c5v8"}]},{"advisoryId":"PKSA-1cn3-6pmf-71hx","packageName":"concrete5\/concrete5","remoteId":"GHSA-6fxm-r8p3-mx5c","title":"Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete\/controllers\/backend\/file rescan()","link":"https:\/\/github.com\/advisories\/GHSA-6fxm-r8p3-mx5c","cve":"CVE-2026-8433","affectedVersions":"\u003E=9.0.0RC1,\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-22 00:31:17","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-6fxm-r8p3-mx5c"}]},{"advisoryId":"PKSA-15g8-fcvm-qwvy","packageName":"concrete5\/concrete5","remoteId":"GHSA-6qjh-p324-694f","title":"Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete\/controllers\/backend\/file rescanMultiple()","link":"https:\/\/github.com\/advisories\/GHSA-6qjh-p324-694f","cve":"CVE-2026-8434","affectedVersions":"\u003E=9.0.0RC1,\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-22 00:31:17","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-6qjh-p324-694f"}]},{"advisoryId":"PKSA-54fw-f2r8-pxcd","packageName":"concrete5\/concrete5","remoteId":"GHSA-44q4-354f-c826","title":"Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete\/controllers\/backend\/file approveVersion()","link":"https:\/\/github.com\/advisories\/GHSA-44q4-354f-c826","cve":"CVE-2026-8435","affectedVersions":"\u003E=9.0.0RC1,\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-22 
00:31:17","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-44q4-354f-c826"}]},{"advisoryId":"PKSA-5dbv-8tcv-hjg5","packageName":"concrete5\/concrete5","remoteId":"GHSA-wmw3-3fv3-h54w","title":"Concrete CMS has a session-hardening bypass and allows password change without reauthorization","link":"https:\/\/github.com\/advisories\/GHSA-wmw3-3fv3-h54w","cve":"CVE-2026-8327","affectedVersions":"\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-22 00:31:16","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-wmw3-3fv3-h54w"}]},{"advisoryId":"PKSA-9rx2-25z1-q5pv","packageName":"concrete5\/concrete5","remoteId":"GHSA-f73j-pm2c-rxvr","title":"Concrete CMS is Vulnerable to Reflected XSS in Legacy Pagination","link":"https:\/\/github.com\/advisories\/GHSA-f73j-pm2c-rxvr","cve":"CVE-2026-8245","affectedVersions":"\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-22 00:31:17","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f73j-pm2c-rxvr"}]},{"advisoryId":"PKSA-td7z-y5jc-79yq","packageName":"concrete5\/concrete5","remoteId":"GHSA-f54h-78c9-c24h","title":"Concrete CMS: OAuth 2.0 Authorization-Code Handler Bypasses Account Status","link":"https:\/\/github.com\/advisories\/GHSA-f54h-78c9-c24h","cve":"CVE-2026-7887","affectedVersions":"\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-22 00:31:16","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-f54h-78c9-c24h"}]},{"advisoryId":"PKSA-wqcg-9fxw-b667","packageName":"concrete5\/concrete5","remoteId":"GHSA-8c7c-h7px-267g","title":"Concrete CMS is vulnerable to IDOR in surveys","link":"https:\/\/github.com\/advisories\/GHSA-8c7c-h7px-267g","cve":"CVE-2026-8337","affectedVersions":"\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-22 
00:31:17","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-8c7c-h7px-267g"}]},{"advisoryId":"PKSA-qzg4-w3py-ddfh","packageName":"concrete5\/concrete5","remoteId":"GHSA-56c9-xq5g-xrf9","title":"Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete\/controllers\/dialog\/logs\/delete","link":"https:\/\/github.com\/advisories\/GHSA-56c9-xq5g-xrf9","cve":"CVE-2026-8409","affectedVersions":"\u003E=9.0.0RC1,\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-22 00:31:17","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-56c9-xq5g-xrf9"}]},{"advisoryId":"PKSA-x9hx-5ky4-cyz2","packageName":"concrete5\/concrete5","remoteId":"GHSA-v7c7-658v-hh7v","title":"Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete\/controllers\/dialog\/logs\/bulk\/delete","link":"https:\/\/github.com\/advisories\/GHSA-v7c7-658v-hh7v","cve":"CVE-2026-8410","affectedVersions":"\u003E=9.0.0RC1,\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-22 00:31:17","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-v7c7-658v-hh7v"}]},{"advisoryId":"PKSA-ngsw-3psq-jryj","packageName":"concrete5\/concrete5","remoteId":"GHSA-752x-23hp-jmv6","title":"Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete\/controllers\/dialog\/page\/bulk\/delete","link":"https:\/\/github.com\/advisories\/GHSA-752x-23hp-jmv6","cve":"CVE-2026-8411","affectedVersions":"\u003E=9.0.0RC1,\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-22 00:31:17","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-752x-23hp-jmv6"}]},{"advisoryId":"PKSA-ks9q-hdsh-jhd2","packageName":"concrete5\/concrete5","remoteId":"GHSA-rv3q-xmfw-mcjv","title":"Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at 
concrete\/controllers\/dialog\/page\/bulk\/cache","link":"https:\/\/github.com\/advisories\/GHSA-rv3q-xmfw-mcjv","cve":"CVE-2026-8412","affectedVersions":"\u003E=9.0.0RC1,\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-22 00:31:17","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-rv3q-xmfw-mcjv"}]},{"advisoryId":"PKSA-9yjm-r5x4-kcxv","packageName":"concrete5\/concrete5","remoteId":"GHSA-98qf-jvwj-2r5f","title":"Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete\/controllers\/dialog\/event\/duplicate","link":"https:\/\/github.com\/advisories\/GHSA-98qf-jvwj-2r5f","cve":"CVE-2026-8414","affectedVersions":"\u003E=9.0.0RC1,\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-22 00:31:17","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-98qf-jvwj-2r5f"}]},{"advisoryId":"PKSA-jszb-q2pk-2pw4","packageName":"concrete5\/concrete5","remoteId":"GHSA-mpq2-mv8p-9wm6","title":"Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete\/controllers\/dialog\/page\/bulk\/design","link":"https:\/\/github.com\/advisories\/GHSA-mpq2-mv8p-9wm6","cve":"CVE-2026-8413","affectedVersions":"\u003E=9.0.0RC1,\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-22 00:31:17","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-mpq2-mv8p-9wm6"}]},{"advisoryId":"PKSA-9c7x-8d4g-nf5y","packageName":"concrete5\/concrete5","remoteId":"GHSA-gjwq-9v8p-47w7","title":"Concrete CMS\u0027s RSS Displayer block accepts a feed URL from any page editor and fetches it server-side without validation","link":"https:\/\/github.com\/advisories\/GHSA-gjwq-9v8p-47w7","cve":"CVE-2026-7890","affectedVersions":"\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-22 
00:31:16","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-gjwq-9v8p-47w7"}]},{"advisoryId":"PKSA-5hj9-8591-58xc","packageName":"concrete5\/concrete5","remoteId":"GHSA-pcrh-gj77-j4mw","title":"Concrete CMS is vulnerable to Stored XSS via external-link page cvName","link":"https:\/\/github.com\/advisories\/GHSA-pcrh-gj77-j4mw","cve":"CVE-2026-8139","affectedVersions":"\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-22 00:31:16","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-pcrh-gj77-j4mw"}]},{"advisoryId":"PKSA-c22k-ckrz-mqyc","packageName":"concrete5\/concrete5","remoteId":"GHSA-58c8-vvqw-cm7m","title":"Concrete CMS is vulnerable to IDOR combined with a missing authentication gate","link":"https:\/\/github.com\/advisories\/GHSA-58c8-vvqw-cm7m","cve":"CVE-2026-8236","affectedVersions":"\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-22 00:31:16","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-58c8-vvqw-cm7m"}]},{"advisoryId":"PKSA-xbvd-x9c6-831x","packageName":"concrete5\/concrete5","remoteId":"GHSA-xpgc-7vc2-8725","title":"Concrete CMS is vulnerable to IDOR","link":"https:\/\/github.com\/advisories\/GHSA-xpgc-7vc2-8725","cve":"CVE-2026-8237","affectedVersions":"\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-22 00:31:16","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-xpgc-7vc2-8725"}]},{"advisoryId":"PKSA-5sc7-fzk2-kdbh","packageName":"concrete5\/concrete5","remoteId":"GHSA-qv3x-mffx-9gw8","title":"Concrete CMS is vulnerable to IDOR","link":"https:\/\/github.com\/advisories\/GHSA-qv3x-mffx-9gw8","cve":"CVE-2026-8238","affectedVersions":"\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-22 
00:31:16","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-qv3x-mffx-9gw8"}]},{"advisoryId":"PKSA-7cdm-s319-44x4","packageName":"concrete5\/concrete5","remoteId":"GHSA-2xp7-rpvc-pjwc","title":"Concrete CMS is vulnerable to IDOR","link":"https:\/\/github.com\/advisories\/GHSA-2xp7-rpvc-pjwc","cve":"CVE-2026-8239","affectedVersions":"\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-22 00:31:16","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-2xp7-rpvc-pjwc"}]},{"advisoryId":"PKSA-d421-dyhx-r37b","packageName":"concrete5\/concrete5","remoteId":"GHSA-vpgr-cwfx-pwfw","title":"Concrete CMS is\u00a0vulnerable to unauthenticated page metadata disclosure","link":"https:\/\/github.com\/advisories\/GHSA-vpgr-cwfx-pwfw","cve":"CVE-2026-8240","affectedVersions":"\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-22 00:31:16","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-vpgr-cwfx-pwfw"}]},{"advisoryId":"PKSA-bbrg-6bt9-f5br","packageName":"concrete5\/concrete5","remoteId":"GHSA-chfm-cm6h-q5x7","title":"Concrete CMS is subject to\u00a0Insecure Direct Object Reference\u00a0(IDOR) in the Express Entry Detail block","link":"https:\/\/github.com\/advisories\/GHSA-chfm-cm6h-q5x7","cve":"CVE-2026-7881","affectedVersions":"\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-22 00:31:16","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-chfm-cm6h-q5x7"}]},{"advisoryId":"PKSA-frbf-6y2c-qxdh","packageName":"concrete5\/concrete5","remoteId":"GHSA-p8p9-5953-h9jw","title":"Concrete CMS is vulnerable to\u00a0IDOR in AddMessage\/UpdateMessage","link":"https:\/\/github.com\/advisories\/GHSA-p8p9-5953-h9jw","cve":"CVE-2026-7886","affectedVersions":"\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-22 
00:31:16","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-p8p9-5953-h9jw"}]},{"advisoryId":"PKSA-ppz6-swp7-nf1t","packageName":"concrete5\/concrete5","remoteId":"GHSA-fqg3-8w8r-8g94","title":"Concrete CMS has an unauthorized file access issue","link":"https:\/\/github.com\/advisories\/GHSA-fqg3-8w8r-8g94","cve":"CVE-2026-7879","affectedVersions":"\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-22 00:31:16","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-fqg3-8w8r-8g94"}]},{"advisoryId":"PKSA-fxgv-rp7s-m994","packageName":"concrete5\/concrete5","remoteId":"GHSA-66rg-92q4-6m8q","title":"Concrete CMS is vulnerable to unauthorized file deletion","link":"https:\/\/github.com\/advisories\/GHSA-66rg-92q4-6m8q","cve":"CVE-2026-7882","affectedVersions":"\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-22 00:31:16","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-66rg-92q4-6m8q"}]},{"advisoryId":"PKSA-ftn7-4ynj-kvdm","packageName":"concrete5\/concrete5","remoteId":"GHSA-4c8m-6fwx-m7xq","title":"Concrete CMS contains a CSRF vulnerability","link":"https:\/\/github.com\/advisories\/GHSA-4c8m-6fwx-m7xq","cve":"CVE-2026-8421","affectedVersions":"\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-21 21:30:38","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-4c8m-6fwx-m7xq"}]},{"advisoryId":"PKSA-fqsc-qq8z-j29z","packageName":"concrete5\/concrete5","remoteId":"GHSA-prxr-vjgc-2cq9","title":"Concrete CMS is Vulnerable to Cross-Site Request Forgery","link":"https:\/\/github.com\/advisories\/GHSA-prxr-vjgc-2cq9","cve":"CVE-2026-8428","affectedVersions":"\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-21 
21:30:38","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-prxr-vjgc-2cq9"}]},{"advisoryId":"PKSA-8c12-5257-gxrx","packageName":"concrete5\/concrete5","remoteId":"GHSA-jr5g-qv3g-rxxx","title":"Concrete does not validate a CSRF token before processing requests to `\/dashboard\/extend\/update\/do_update\/\u003CpkgHandle\u003E`","link":"https:\/\/github.com\/advisories\/GHSA-jr5g-qv3g-rxxx","cve":"CVE-2026-8417","affectedVersions":"\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-21 21:30:38","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-jr5g-qv3g-rxxx"}]},{"advisoryId":"PKSA-4c8s-p3cg-97tt","packageName":"concrete5\/concrete5","remoteId":"GHSA-9v2g-37mp-qpxf","title":"Concrete CMS has Stored XSS through its height parameter","link":"https:\/\/github.com\/advisories\/GHSA-9v2g-37mp-qpxf","cve":"CVE-2026-8203","affectedVersions":"\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-21 21:30:38","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-9v2g-37mp-qpxf"}]},{"advisoryId":"PKSA-vtsr-51yz-qsq4","packageName":"concrete5\/concrete5","remoteId":"GHSA-x2fp-hj8c-mmxh","title":"Concrete CMS is vulnerable to authorization bypass in the Calendar Event Frontend Dialog","link":"https:\/\/github.com\/advisories\/GHSA-x2fp-hj8c-mmxh","cve":"CVE-2026-8204","affectedVersions":"\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-21 21:30:38","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-x2fp-hj8c-mmxh"}]},{"advisoryId":"PKSA-tftp-4vyz-vsqv","packageName":"concrete5\/concrete5","remoteId":"GHSA-46xh-7854-f568","title":"Concrete CMS is vulnerable to authorization bypass in the Calendar 
Block","link":"https:\/\/github.com\/advisories\/GHSA-46xh-7854-f568","cve":"CVE-2026-8205","affectedVersions":"\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-21 21:30:38","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-46xh-7854-f568"}]},{"advisoryId":"PKSA-bks2-z4jr-2jcs","packageName":"concrete5\/concrete5","remoteId":"GHSA-g7xp-jf3x-wcx4","title":"Concrete CMS is vulnerable to missing authorization in the bulk_user_assignment.php","link":"https:\/\/github.com\/advisories\/GHSA-g7xp-jf3x-wcx4","cve":"CVE-2026-8350","affectedVersions":"\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-21 21:30:38","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-g7xp-jf3x-wcx4"}]},{"advisoryId":"PKSA-61mc-443r-dbcf","packageName":"concrete5\/concrete5","remoteId":"GHSA-5rj5-gfmr-hrc3","title":"Concrete CMS does not validate a CSRF token before processing requests to `\/dashboard\/extend\/update\/prepare_remote_upgrade\/\u003CremoteMPID\u003E`","link":"https:\/\/github.com\/advisories\/GHSA-5rj5-gfmr-hrc3","cve":"CVE-2026-8426","affectedVersions":"\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-21 21:30:38","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-5rj5-gfmr-hrc3"}]},{"advisoryId":"PKSA-k9dr-8j28-xxx4","packageName":"concrete5\/concrete5","remoteId":"GHSA-h72c-xx3w-w8h7","title":"Concrete CMS is vulnerable to Stored XSS via OAuth integration name","link":"https:\/\/github.com\/advisories\/GHSA-h72c-xx3w-w8h7","cve":"CVE-2026-8197","affectedVersions":"\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-21 21:30:37","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-h72c-xx3w-w8h7"}]},{"advisoryId":"PKSA-sqtt-5khz-wksh","packageName":"concrete5\/concrete5","remoteId":"GHSA-645j-cm4x-3xvw","title":"Concrete CMS Vulnerable 
to Relative Path Traversal","link":"https:\/\/github.com\/advisories\/GHSA-645j-cm4x-3xvw","cve":"CVE-2026-8134","affectedVersions":"\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-21 21:30:37","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-645j-cm4x-3xvw"}]},{"advisoryId":"PKSA-xn4v-f846-x248","packageName":"concrete5\/concrete5","remoteId":"GHSA-4g7q-44qp-cc5c","title":"Concrete CMS is vulnerable to\u00a0unauthenticated file usage disclosure","link":"https:\/\/github.com\/advisories\/GHSA-4g7q-44qp-cc5c","cve":"CVE-2026-6826","affectedVersions":"\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-21 21:30:37","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4g7q-44qp-cc5c"}]},{"advisoryId":"PKSA-wrt6-mxyh-dqd1","packageName":"concrete5\/concrete5","remoteId":"GHSA-pv2v-6w2v-97x6","title":"Concrete CMS Vulnerable to Deserialization of Untrusted Data","link":"https:\/\/github.com\/advisories\/GHSA-pv2v-6w2v-97x6","cve":"CVE-2026-8135","affectedVersions":"\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-21 21:30:37","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pv2v-6w2v-97x6"}]},{"advisoryId":"PKSA-krdd-qg62-29s4","packageName":"concrete5\/concrete5","remoteId":"GHSA-r42c-3rr2-jrfp","title":"Concrete CMS is Vulnerable to Cross-Site Request Forgery","link":"https:\/\/github.com\/advisories\/GHSA-r42c-3rr2-jrfp","cve":"CVE-2026-8140","affectedVersions":"\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-21 
21:30:37","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-r42c-3rr2-jrfp"}]}],"symbiote\/silverstripe-advancedworkflow":[{"advisoryId":"PKSA-x4kf-7gbb-fh93","packageName":"symbiote\/silverstripe-advancedworkflow","remoteId":"symbiote\/silverstripe-advancedworkflow\/CVE-2026-54718.yaml","title":"CVE-2026-54718 - Remote code execution via advanced workflow email template","link":"https:\/\/www.silverstripe.org\/download\/security-releases\/cve-2026-54718","cve":"CVE-2026-54718","affectedVersions":"\u003C6.4.5|\u003E=7.0.0,\u003C7.1.3|\u003E=7.2.0,\u003C7.2.1","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-24 04:12:03","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"symbiote\/silverstripe-advancedworkflow\/CVE-2026-54718.yaml"}]}],"silverstripe\/cms":[{"advisoryId":"PKSA-pjvm-vnw2-n3m2","packageName":"silverstripe\/cms","remoteId":"silverstripe\/cms\/CVE-2026-54717.yaml","title":"CVE-2026-54717 - XSS in breadcrumbs in page list view","link":"https:\/\/www.silverstripe.org\/download\/security-releases\/cve-2026-54717","cve":"CVE-2026-54717","affectedVersions":"\u003C6.2.1","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-24 02:39:20","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/cms\/CVE-2026-54717.yaml"}]},{"advisoryId":"PKSA-pvwk-bm9n-rprc","packageName":"silverstripe\/cms","remoteId":"silverstripe\/cms\/SS-2015-005-1.yaml","title":"SS-2015-005: VirtualPage XSS","link":"https:\/\/www.silverstripe.org\/software\/download\/security-releases\/ss-2015-005\/","cve":null,"affectedVersions":"\u003E=3.1.0,\u003C3.1.10","source":"FriendsOfPHP\/security-advisories","reportedAt":"2015-02-12 
15:55:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-3mm9-2p44-rw39"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/cms\/SS-2015-005-1.yaml"}]},{"advisoryId":"PKSA-d3xv-chbr-ng6f","packageName":"silverstripe\/cms","remoteId":"silverstripe\/cms\/SS-2015-003-1.yaml","title":"SS-2015-003: History XSS Vulnerability","link":"https:\/\/www.silverstripe.org\/software\/download\/security-releases\/ss-2015-003\/","cve":null,"affectedVersions":"\u003E=3.1.0,\u003C3.1.10","source":"FriendsOfPHP\/security-advisories","reportedAt":"2015-02-12 15:55:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-r97r-64vp-fghm"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/cms\/SS-2015-003-1.yaml"}]},{"advisoryId":"PKSA-tbcz-9q2k-1r4f","packageName":"silverstripe\/cms","remoteId":"silverstripe\/cms\/SS-2015-008-1.yaml","title":"SS-2015-008: SiteTree Creation Permission Vulnerability","link":"https:\/\/www.silverstripe.org\/software\/download\/security-releases\/ss-2015-008-sitetree-creation-permission-vulnerability\/","cve":null,"affectedVersions":"\u003E=3.0.0,\u003C3.0.12|\u003E=3.1.0,\u003C3.1.11","source":"FriendsOfPHP\/security-advisories","reportedAt":"2015-03-19 16:54:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6hh6-59j2-qrxw"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/cms\/SS-2015-008-1.yaml"}]}],"silverstripe\/versioned":[{"advisoryId":"PKSA-nksq-cxj8-zb32","packageName":"silverstripe\/versioned","remoteId":"silverstripe\/versioned\/CVE-2026-55779.yaml","title":"CVE-2026-55779 - XSS in archive admin 
restore","link":"https:\/\/www.silverstripe.org\/download\/security-releases\/cve-2026-55779","cve":"CVE-2026-55779","affectedVersions":"\u003C3.2.1","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-24 02:53:49","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/versioned\/CVE-2026-55779.yaml"}]}],"silverstripe\/framework":[{"advisoryId":"PKSA-x6tz-s6v3-ynk3","packageName":"silverstripe\/framework","remoteId":"silverstripe\/framework\/CVE-2026-54720.yaml","title":"CVE-2026-54720 - XSS attack through media embed","link":"https:\/\/www.silverstripe.org\/download\/security-releases\/cve-2026-54720","cve":"CVE-2026-54720","affectedVersions":"\u003C6.2.2","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-24 02:45:19","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/framework\/CVE-2026-54720.yaml"}]},{"advisoryId":"PKSA-wt32-ns28-f45d","packageName":"silverstripe\/framework","remoteId":"silverstripe\/framework\/SS-2015-014-1.yaml","title":"SS-2015-014: Vulnerability on \u0027isDev\u0027, \u0027isTest\u0027 and \u0027flush\u0027 $_GET validation","link":"https:\/\/www.silverstripe.org\/software\/download\/security-releases\/ss-2015-014\/","cve":null,"affectedVersions":"\u003E=3.0.0,\u003C3.0.14|\u003E=3.1.0,\u003C3.1.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2015-05-28 13:05:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-ph62-fv59-vf9h"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/framework\/SS-2015-014-1.yaml"}]},{"advisoryId":"PKSA-td9q-mf48-mqpm","packageName":"silverstripe\/framework","remoteId":"silverstripe\/framework\/SS-2015-012-1.yaml","title":"SS-2015-012: External redirection risk in 
Security?ReturnURL","link":"https:\/\/www.silverstripe.org\/software\/download\/security-releases\/ss-2015-012\/","cve":null,"affectedVersions":"\u003E=3.0.0,\u003C3.0.14|\u003E=3.1.0,\u003C3.1.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2015-05-25 14:52:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xx4r-5265-48j6"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/framework\/SS-2015-012-1.yaml"}]},{"advisoryId":"PKSA-bkm6-5mwx-3kd3","packageName":"silverstripe\/framework","remoteId":"silverstripe\/framework\/SS-2015-011-1.yaml","title":"SS-2015-011: Potential SQL Injection Vulnerability","link":"https:\/\/www.silverstripe.org\/software\/download\/security-releases\/ss-2015-011\/","cve":null,"affectedVersions":"\u003E=3.0.0,\u003C3.0.14|\u003E=3.1.0,\u003C3.1.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2015-05-25 10:52:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-7m2v-x7rg-5hm5"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/framework\/SS-2015-011-1.yaml"}]},{"advisoryId":"PKSA-bnbw-tbzq-5ykk","packageName":"silverstripe\/framework","remoteId":"silverstripe\/framework\/SS-2016-003-1.yaml","title":"SS-2016-003: Hostname, IP and Protocol Spoofing through HTTP Headers","link":"https:\/\/www.silverstripe.org\/download\/security-releases\/ss-2016-003\/","cve":null,"affectedVersions":"\u003E=3.1.0,\u003C3.1.17|\u003E=3.2.0,\u003C3.2.2|\u003E3.2,\u003C3.3.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2016-02-18 
11:05:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-r85g-7jpv-8xrx"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/framework\/SS-2016-003-1.yaml"}]},{"advisoryId":"PKSA-gg94-wpcm-tbtp","packageName":"silverstripe\/framework","remoteId":"silverstripe\/framework\/SS-2016-002-1.yaml","title":"SS-2016-002: CSRF vulnerability in GridFieldAddExistingAutocompleter","link":"https:\/\/www.silverstripe.org\/download\/security-releases\/ss-2016-002\/","cve":null,"affectedVersions":"\u003E=3.1.0,\u003C3.1.17|\u003E=3.2.0,\u003C3.2.2|\u003E3.2,\u003C3.3.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2016-02-17 17:50:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-g84q-cq55-xwgp"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/framework\/SS-2016-002-1.yaml"}]},{"advisoryId":"PKSA-z1m7-vnpc-524q","packageName":"silverstripe\/framework","remoteId":"silverstripe\/framework\/SS-2015-009-1.yaml","title":"SS-2015-009: XSS In rewritten hash links","link":"https:\/\/www.silverstripe.org\/software\/download\/security-releases\/ss-2015-009-xss-in-rewritten-hash-links\/","cve":null,"affectedVersions":"\u003E=3.0.0,\u003C3.0.13|\u003E=3.1.0,\u003C3.1.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2015-03-20 14:57:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-5r8w-66hq-rc39"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/framework\/SS-2015-009-1.yaml"}]},{"advisoryId":"PKSA-xhsq-x1jb-f31d","packageName":"silverstripe\/framework","remoteId":"silverstripe\/framework\/SS-2014-017-1.yaml","title":"SS-2014-017: XML Quadratic Blowup 
Attack","link":"https:\/\/www.silverstripe.org\/software\/download\/security-releases\/ss-2014-017-xml-quadratic-blowup-attack\/","cve":null,"affectedVersions":"\u003E=3.1.0,\u003C3.1.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2014-08-12 11:50:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-87pf-7x99-5xc4"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/framework\/SS-2014-017-1.yaml"}]},{"advisoryId":"PKSA-4b5m-tw4q-3fmq","packageName":"silverstripe\/framework","remoteId":"silverstripe\/framework\/SS-2015-004-1.yaml","title":"SS-2015-004: TreeDropdownField and TreeMultiSelectField XSS","link":"https:\/\/www.silverstripe.org\/software\/download\/security-releases\/ss-2015-004\/","cve":null,"affectedVersions":"\u003E=3.1.0,\u003C3.1.10","source":"FriendsOfPHP\/security-advisories","reportedAt":"2015-02-12 15:55:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-qp29-wcc2-vmpc"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/framework\/SS-2015-004-1.yaml"}]},{"advisoryId":"PKSA-dwpn-yczp-hpvw","packageName":"silverstripe\/framework","remoteId":"silverstripe\/framework\/SS-2014-015-1.yaml","title":"SS-2014-015: IE requests not properly behaving with rewritehashlinks","link":"https:\/\/www.silverstripe.org\/software\/download\/security-releases\/ss-2014-015-ie-requests-not-properly-behaving-with-rewritehashlinks\/","cve":null,"affectedVersions":"\u003E=3.0.0,\u003C3.0.13|\u003E=3.1.0,\u003C3.1.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2015-03-20 
12:10:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-34q6-xqxh-gq39"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/framework\/SS-2014-015-1.yaml"}]},{"advisoryId":"PKSA-tdvc-fx4y-y9yf","packageName":"silverstripe\/framework","remoteId":"silverstripe\/framework\/SS-2015-028-1.yaml","title":"SS-2015-028: Missing security check on dev\/build\/defaults","link":"https:\/\/www.silverstripe.org\/download\/security-releases\/ss-2015-028\/","cve":null,"affectedVersions":"\u003E=3.1.0,\u003C3.1.17|\u003E=3.2.0,\u003C3.2.2|\u003E3.2,\u003C3.3.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2016-02-17 17:55:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4h54-vwx9-3vr3"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/framework\/SS-2015-028-1.yaml"}]},{"advisoryId":"PKSA-r8bz-4tyw-cqq7","packageName":"silverstripe\/framework","remoteId":"silverstripe\/framework\/SS-2015-007-1.yaml","title":"SS-2015-007: XSS In FormAction","link":"https:\/\/www.silverstripe.org\/software\/download\/security-releases\/ss-2015-007\/","cve":null,"affectedVersions":"\u003E=3.1.0,\u003C3.1.10","source":"FriendsOfPHP\/security-advisories","reportedAt":"2015-02-12 15:55:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-88jp-9jrv-6368"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/framework\/SS-2015-007-1.yaml"}]}],"silverstripe\/userforms":[{"advisoryId":"PKSA-g6zg-78xs-c8r8","packageName":"silverstripe\/userforms","remoteId":"silverstripe\/userforms\/CVE-2026-54721.yaml","title":"CVE-2026-54721 - Remote code execution via userforms email 
subject","link":"https:\/\/www.silverstripe.org\/download\/security-releases\/cve-2026-54721","cve":"CVE-2026-54721","affectedVersions":"\u003C6.4.9|\u003E=7.0.0,\u003C7.0.7|\u003E=7.1.0,\u003C7.1.1","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-24 04:05:09","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/userforms\/CVE-2026-54721.yaml"}]}],"snipe\/snipe-it":[{"advisoryId":"PKSA-k6ph-vwdz-djyn","packageName":"snipe\/snipe-it","remoteId":"GHSA-6mmj-jhqj-6c6q","title":"Snipe-IT\u0027s S3 signature image retrieval lacks authorization before temporary URL ","link":"https:\/\/github.com\/advisories\/GHSA-6mmj-jhqj-6c6q","cve":"CVE-2026-55542","affectedVersions":"\u003C=8.5.0","source":"GitHub","reportedAt":"2026-06-23 23:11:26","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-6mmj-jhqj-6c6q"}]},{"advisoryId":"PKSA-2tsw-c1yg-xhyc","packageName":"snipe\/snipe-it","remoteId":"GHSA-pwpj-p52h-q484","title":"Snipe-IT API Vulnerable to Cross-Tenant Accessory Injection","link":"https:\/\/github.com\/advisories\/GHSA-pwpj-p52h-q484","cve":"CVE-2026-54329","affectedVersions":"\u003C=8.6.1","source":"GitHub","reportedAt":"2026-06-23 23:12:04","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pwpj-p52h-q484"}]},{"advisoryId":"PKSA-sr4q-gvr6-k14n","packageName":"snipe\/snipe-it","remoteId":"GHSA-p68w-rgmg-3c2v","title":"Snipe-IT Vulnerable to User Account Escalation via CSV Import","link":"https:\/\/github.com\/advisories\/GHSA-p68w-rgmg-3c2v","cve":"CVE-2026-49976","affectedVersions":"\u003C8.6.0","source":"GitHub","reportedAt":"2026-06-23 
23:02:03","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-p68w-rgmg-3c2v"}]},{"advisoryId":"PKSA-xjxm-8vz6-vf8y","packageName":"snipe\/snipe-it","remoteId":"GHSA-6x4j-8954-5hxm","title":"Snipe-IT has a 2FA reset privilege bypass","link":"https:\/\/github.com\/advisories\/GHSA-6x4j-8954-5hxm","cve":"CVE-2026-50550","affectedVersions":"\u003C8.5.0","source":"GitHub","reportedAt":"2026-06-23 23:03:20","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6x4j-8954-5hxm"}]},{"advisoryId":"PKSA-44m9-kxcv-rmgf","packageName":"snipe\/snipe-it","remoteId":"GHSA-33g4-646g-qwmm","title":"Snipe-IT has Multi-Tenancy Bypass via Bulk Asset Update","link":"https:\/\/github.com\/advisories\/GHSA-33g4-646g-qwmm","cve":"CVE-2026-55482","affectedVersions":"\u003C=8.4.1","source":"GitHub","reportedAt":"2026-06-23 23:03:47","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-33g4-646g-qwmm"}]},{"advisoryId":"PKSA-nhdc-dm5c-gkjd","packageName":"snipe\/snipe-it","remoteId":"GHSA-hf68-g98v-wp9g","title":"Snipe-IT Vulnerable to Privilege Escalation via Missing admin Permission Check in User Creation","link":"https:\/\/github.com\/advisories\/GHSA-hf68-g98v-wp9g","cve":"CVE-2026-55483","affectedVersions":"\u003C8.6.0","source":"GitHub","reportedAt":"2026-06-23 23:06:18","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hf68-g98v-wp9g"}]},{"advisoryId":"PKSA-dfjb-vj14-j26x","packageName":"snipe\/snipe-it","remoteId":"GHSA-x667-r589-43m7","title":"Snipe-IT has Improper Authorization in File Deletion (IDOR)","link":"https:\/\/github.com\/advisories\/GHSA-x667-r589-43m7","cve":"CVE-2026-55519","affectedVersions":"\u003C=8.4.0","source":"GitHub","reportedAt":"2026-06-23 
23:06:59","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-x667-r589-43m7"}]},{"advisoryId":"PKSA-35bw-hh2v-5kbx","packageName":"snipe\/snipe-it","remoteId":"GHSA-mr8g-2mj4-pcq2","title":"Snipe-IT\u0027s TOTP is Brute-Forceable Due to Missing Rate Limiting on `POST \/two-factor`","link":"https:\/\/github.com\/advisories\/GHSA-mr8g-2mj4-pcq2","cve":"CVE-2026-49870","affectedVersions":"\u003C8.6.0","source":"GitHub","reportedAt":"2026-06-23 22:32:04","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-mr8g-2mj4-pcq2"}]},{"advisoryId":"PKSA-czh5-xdx3-8gjh","packageName":"snipe\/snipe-it","remoteId":"GHSA-6f75-x745-xcpr","title":"Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users","link":"https:\/\/github.com\/advisories\/GHSA-6f75-x745-xcpr","cve":"CVE-2026-48507","affectedVersions":"\u003C8.6.0","source":"GitHub","reportedAt":"2026-06-23 22:24:59","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-6f75-x745-xcpr"}]},{"advisoryId":"PKSA-bd8t-dph3-gby8","packageName":"snipe\/snipe-it","remoteId":"GHSA-f3c5-6cw8-fg57","title":"Snipe-IT\u0027s selectlist visibility is too permissive","link":"https:\/\/github.com\/advisories\/GHSA-f3c5-6cw8-fg57","cve":"CVE-2026-48492","affectedVersions":"\u003C8.5.1","source":"GitHub","reportedAt":"2026-06-23 22:11:13","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f3c5-6cw8-fg57"}]},{"advisoryId":"PKSA-7srb-sjc8-3k98","packageName":"snipe\/snipe-it","remoteId":"GHSA-52fw-7fw2-fmv5","title":"Snipe-IT Vulnerable to Privilege Escalation for self via API Permissions Assignment","link":"https:\/\/github.com\/advisories\/GHSA-52fw-7fw2-fmv5","cve":"CVE-2026-48493","affectedVersions":"\u003C8.6.0","source":"GitHub","reportedAt":"2026-06-23 
22:12:11","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-52fw-7fw2-fmv5"}]}],"thorsten\/phpmyfaq":[{"advisoryId":"PKSA-wn7x-tbkv-cqqp","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-8c6h-7g6x-m5x4","title":"phpMyFAQ: Missing userHasPermission() in 4 API write endpoints (CVE-2026-24421 Incomplete Fix)","link":"https:\/\/github.com\/advisories\/GHSA-8c6h-7g6x-m5x4","cve":"CVE-2026-49205","affectedVersions":"\u003C4.1.4","source":"GitHub","reportedAt":"2026-06-23 22:27:34","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-8c6h-7g6x-m5x4"}]},{"advisoryId":"PKSA-p1ky-vdyf-6r6j","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-58fg-62fg-3fcj","title":"phpMyFAQ has Weak Cryptography - SHA1 for Password Hashing","link":"https:\/\/github.com\/advisories\/GHSA-58fg-62fg-3fcj","cve":"CVE-2026-48488","affectedVersions":"\u003C=4.1.3","source":"GitHub","reportedAt":"2026-06-23 22:02:25","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-58fg-62fg-3fcj"}]},{"advisoryId":"PKSA-q6mm-vp1w-mgjs","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-9pq7-mfwh-xx2j","title":"phpMyFAQ enables unauthenticated 2FA brute-force attack via \/admin\/check acceptance of arbitrary user-id","link":"https:\/\/github.com\/advisories\/GHSA-9pq7-mfwh-xx2j","cve":"CVE-2026-45010","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:42:54","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-9pq7-mfwh-xx2j"}]},{"advisoryId":"PKSA-n87n-9t5q-zcf5","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-pm8c-3qq3-72w7","title":"phpMyFAQ has SQL Injection in CurrentUser::setTokenData through unescaped OAuth token 
fields","link":"https:\/\/github.com\/advisories\/GHSA-pm8c-3qq3-72w7","cve":"CVE-2026-46359","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:44:39","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pm8c-3qq3-72w7"}]},{"advisoryId":"PKSA-k9ft-9rnh-h8dn","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-99qv-g4x9-mgc3","title":"phpMyFAQ has unauthenticated FAQ permission bypass via getFaqBySolutionId fallback query","link":"https:\/\/github.com\/advisories\/GHSA-99qv-g4x9-mgc3","cve":"CVE-2026-46366","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:45:01","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-99qv-g4x9-mgc3"}]},{"advisoryId":"PKSA-djzh-dx9x-j5hd","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-gh9p-q46p-57g2","title":"phpMyFAQ: Path Traversal in Client::deleteClientFolder enables arbitrary directory deletion by non-super-admin admins","link":"https:\/\/github.com\/advisories\/GHSA-gh9p-q46p-57g2","cve":"CVE-2026-45008","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:47:54","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gh9p-q46p-57g2"}]},{"advisoryId":"PKSA-trv8-7xnx-t8d9","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-289f-fq7w-6q2w","title":"phpMyFAQ has unauthenticated SQL injection via User-Agent header in BuiltinCaptcha","link":"https:\/\/github.com\/advisories\/GHSA-289f-fq7w-6q2w","cve":"CVE-2026-46364","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:49:15","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-289f-fq7w-6q2w"}]},{"advisoryId":"PKSA-198b-7kr6-ksdh","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-pqh6-8fxf-jx22","title":"phpMyFAQ has stored XSS via | 
raw Filter in search.twig \u2014 html_entity_decode(strip_tags()) Bypass in Search Result Rendering","link":"https:\/\/github.com\/advisories\/GHSA-pqh6-8fxf-jx22","cve":"CVE-2026-46361","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:31:54","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-pqh6-8fxf-jx22"}]},{"advisoryId":"PKSA-42b7-bh2b-d7nn","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-jrc5-w569-h7h5","title":"phpMyFAQ: Ordinary Authenticated User Can Access Admin-Only API Endpoints Due to Insufficient Authorization Check in phpMyFAQ","link":"https:\/\/github.com\/advisories\/GHSA-jrc5-w569-h7h5","cve":"CVE-2026-45009","affectedVersions":"=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:37:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-jrc5-w569-h7h5"}]},{"advisoryId":"PKSA-pmsp-dtdj-k1f9","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-rm98-82fr-mcfx","title":"phpMyFAQ\u0027s Missing CONFIGURATION_EDIT Permission Check on 12 Admin API Configuration Tab Endpoints Allows Information Disclosure by Any Authenticated User","link":"https:\/\/github.com\/advisories\/GHSA-rm98-82fr-mcfx","cve":"CVE-2026-45007","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:24:39","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-rm98-82fr-mcfx"}]},{"advisoryId":"PKSA-1zxw-krpv-74xh","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-9525-27vj-c8r8","title":"phpMyFAQ has stored XSS via Utils::parseUrl() in comment rendering","link":"https:\/\/github.com\/advisories\/GHSA-9525-27vj-c8r8","cve":"CVE-2026-46367","affectedVersions":"=4.1.1","source":"GitHub","reportedAt":"2026-05-06 
20:10:48","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-9525-27vj-c8r8"}]},{"advisoryId":"PKSA-b77f-s5cd-b1qh","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-hpgw-ww76-c68r","title":"phpMyFAQ has an Authorization Bypass in All Admin Pages Due to Non-Terminating Permission Check","link":"https:\/\/github.com\/advisories\/GHSA-hpgw-ww76-c68r","cve":"CVE-2026-46362","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:11:52","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hpgw-ww76-c68r"}]},{"advisoryId":"PKSA-jr2y-dd2x-qtks","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-f5p7-2c9q-8896","title":"phpMyFAQ has Stored XSS in FAQ Question\/Answer via Encode-Decode Bypass of removeAttributes() Sanitization","link":"https:\/\/github.com\/advisories\/GHSA-f5p7-2c9q-8896","cve":"CVE-2026-46363","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:18:02","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f5p7-2c9q-8896"}]},{"advisoryId":"PKSA-sw8q-jkxw-m11r","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-whqh-9pq5-c7r3","title":"phpMyFAQ has a SVG Sanitizer Entity Decoding Depth Limit Bypass Leading to Stored XSS","link":"https:\/\/github.com\/advisories\/GHSA-whqh-9pq5-c7r3","cve":"CVE-2026-46360","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:18:48","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-whqh-9pq5-c7r3"}]}],"phpmyfaq\/phpmyfaq":[{"advisoryId":"PKSA-ncdr-61sw-52cy","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-8c6h-7g6x-m5x4","title":"phpMyFAQ: Missing userHasPermission() in 4 API write endpoints (CVE-2026-24421 Incomplete 
Fix)","link":"https:\/\/github.com\/advisories\/GHSA-8c6h-7g6x-m5x4","cve":"CVE-2026-49205","affectedVersions":"\u003C4.1.4","source":"GitHub","reportedAt":"2026-06-23 22:27:34","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-8c6h-7g6x-m5x4"}]},{"advisoryId":"PKSA-rr72-yd9q-kc5n","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-58fg-62fg-3fcj","title":"phpMyFAQ has Weak Cryptography - SHA1 for Password Hashing","link":"https:\/\/github.com\/advisories\/GHSA-58fg-62fg-3fcj","cve":"CVE-2026-48488","affectedVersions":"\u003C=4.1.3","source":"GitHub","reportedAt":"2026-06-23 22:02:25","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-58fg-62fg-3fcj"}]},{"advisoryId":"PKSA-6pt5-mfr3-5b72","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-9pq7-mfwh-xx2j","title":"phpMyFAQ enables unauthenticated 2FA brute-force attack via \/admin\/check acceptance of arbitrary user-id","link":"https:\/\/github.com\/advisories\/GHSA-9pq7-mfwh-xx2j","cve":"CVE-2026-45010","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:42:54","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-9pq7-mfwh-xx2j"}]},{"advisoryId":"PKSA-r4gq-dd3d-gxrj","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-pm8c-3qq3-72w7","title":"phpMyFAQ has SQL Injection in CurrentUser::setTokenData through unescaped OAuth token fields","link":"https:\/\/github.com\/advisories\/GHSA-pm8c-3qq3-72w7","cve":"CVE-2026-46359","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:44:39","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pm8c-3qq3-72w7"}]},{"advisoryId":"PKSA-76kk-7mdh-r8h5","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-99qv-g4x9-mgc3","title":"phpMyFAQ has unauthenticated FAQ permission bypass via 
getFaqBySolutionId fallback query","link":"https:\/\/github.com\/advisories\/GHSA-99qv-g4x9-mgc3","cve":"CVE-2026-46366","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:45:01","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-99qv-g4x9-mgc3"}]},{"advisoryId":"PKSA-tvkw-wcnm-h63h","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-gh9p-q46p-57g2","title":"phpMyFAQ: Path Traversal in Client::deleteClientFolder enables arbitrary directory deletion by non-super-admin admins","link":"https:\/\/github.com\/advisories\/GHSA-gh9p-q46p-57g2","cve":"CVE-2026-45008","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:47:54","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gh9p-q46p-57g2"}]},{"advisoryId":"PKSA-6nrc-qfr1-rds3","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-289f-fq7w-6q2w","title":"phpMyFAQ has unauthenticated SQL injection via User-Agent header in BuiltinCaptcha","link":"https:\/\/github.com\/advisories\/GHSA-289f-fq7w-6q2w","cve":"CVE-2026-46364","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:49:15","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-289f-fq7w-6q2w"}]},{"advisoryId":"PKSA-7dk8-b5d5-n9bf","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-pqh6-8fxf-jx22","title":"phpMyFAQ has stored XSS via | raw Filter in search.twig \u2014 html_entity_decode(strip_tags()) Bypass in Search Result Rendering","link":"https:\/\/github.com\/advisories\/GHSA-pqh6-8fxf-jx22","cve":"CVE-2026-46361","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 
20:31:54","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-pqh6-8fxf-jx22"}]},{"advisoryId":"PKSA-v8r2-1321-xzpp","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-jrc5-w569-h7h5","title":"phpMyFAQ: Ordinary Authenticated User Can Access Admin-Only API Endpoints Due to Insufficient Authorization Check in phpMyFAQ","link":"https:\/\/github.com\/advisories\/GHSA-jrc5-w569-h7h5","cve":"CVE-2026-45009","affectedVersions":"=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:37:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-jrc5-w569-h7h5"}]},{"advisoryId":"PKSA-n88j-cgtd-2fvg","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-rm98-82fr-mcfx","title":"phpMyFAQ\u0027s Missing CONFIGURATION_EDIT Permission Check on 12 Admin API Configuration Tab Endpoints Allows Information Disclosure by Any Authenticated User","link":"https:\/\/github.com\/advisories\/GHSA-rm98-82fr-mcfx","cve":"CVE-2026-45007","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:24:39","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-rm98-82fr-mcfx"}]},{"advisoryId":"PKSA-vm8f-6283-2vfw","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-9525-27vj-c8r8","title":"phpMyFAQ has stored XSS via Utils::parseUrl() in comment rendering","link":"https:\/\/github.com\/advisories\/GHSA-9525-27vj-c8r8","cve":"CVE-2026-46367","affectedVersions":"=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:10:48","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-9525-27vj-c8r8"}]},{"advisoryId":"PKSA-8syh-w2cp-tqks","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-hpgw-ww76-c68r","title":"phpMyFAQ has an Authorization Bypass in All Admin Pages Due to Non-Terminating Permission 
Check","link":"https:\/\/github.com\/advisories\/GHSA-hpgw-ww76-c68r","cve":"CVE-2026-46362","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:11:52","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hpgw-ww76-c68r"}]},{"advisoryId":"PKSA-6zc3-3brt-ftsh","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-f5p7-2c9q-8896","title":"phpMyFAQ has Stored XSS in FAQ Question\/Answer via Encode-Decode Bypass of removeAttributes() Sanitization","link":"https:\/\/github.com\/advisories\/GHSA-f5p7-2c9q-8896","cve":"CVE-2026-46363","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:18:02","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f5p7-2c9q-8896"}]},{"advisoryId":"PKSA-jn65-sph2-9wn9","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-whqh-9pq5-c7r3","title":"phpMyFAQ has a SVG Sanitizer Entity Decoding Depth Limit Bypass Leading to Stored XSS","link":"https:\/\/github.com\/advisories\/GHSA-whqh-9pq5-c7r3","cve":"CVE-2026-46360","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:18:48","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-whqh-9pq5-c7r3"}]}],"filament\/filament":[{"advisoryId":"PKSA-317j-243v-z7tc","packageName":"filament\/filament","remoteId":"GHSA-44wp-g8f4-f4v5","title":"Filament: Unauthenticated temporary file upload on auth pages","link":"https:\/\/github.com\/advisories\/GHSA-44wp-g8f4-f4v5","cve":"CVE-2026-48500","affectedVersions":"\u003E=3.0.0,\u003C=3.3.51|\u003E=5.0.0,\u003C=5.6.4|\u003E=4.0.0,\u003C=4.11.4","source":"GitHub","reportedAt":"2026-06-23 
22:16:58","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-44wp-g8f4-f4v5"}]},{"advisoryId":"PKSA-3rh1-zh9g-4mq5","packageName":"filament\/filament","remoteId":"GHSA-5w46-g9pq-wh6f","title":"Filament: Timing-based user enumeration on login page","link":"https:\/\/github.com\/advisories\/GHSA-5w46-g9pq-wh6f","cve":"CVE-2026-48166","affectedVersions":"\u003E=5.0.0,\u003C=5.6.4|\u003E=4.0.0,\u003C=4.11.4","source":"GitHub","reportedAt":"2026-06-23 21:54:35","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-5w46-g9pq-wh6f"}]}],"slim\/slim":[{"advisoryId":"PKSA-ftt4-t9sz-mwn5","packageName":"slim\/slim","remoteId":"GHSA-53h4-8rc4-f539","title":"Slim has Reflected XSS in the HtmlErrorRenderer","link":"https:\/\/github.com\/advisories\/GHSA-53h4-8rc4-f539","cve":"CVE-2026-48157","affectedVersions":"\u003E=4.4.0,\u003C=4.15.1","source":"GitHub","reportedAt":"2026-06-23 21:54:06","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-53h4-8rc4-f539"}]}],"filament\/infolists":[{"advisoryId":"PKSA-jm9c-w1fc-4m3p","packageName":"filament\/infolists","remoteId":"GHSA-3fc8-8hp6-6jr4","title":"Filament: Unvalidated ImageColumn and ImageEntry values can be used for XSS","link":"https:\/\/github.com\/advisories\/GHSA-3fc8-8hp6-6jr4","cve":"CVE-2026-48167","affectedVersions":"\u003E=5.0.0,\u003C=5.6.4|\u003E=4.0.0,\u003C=4.11.4","source":"GitHub","reportedAt":"2026-06-23 21:57:49","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3fc8-8hp6-6jr4"}]}],"filament\/tables":[{"advisoryId":"PKSA-qx8b-yc1b-44yc","packageName":"filament\/tables","remoteId":"GHSA-3fc8-8hp6-6jr4","title":"Filament: Unvalidated ImageColumn and ImageEntry values can be used for 
XSS","link":"https:\/\/github.com\/advisories\/GHSA-3fc8-8hp6-6jr4","cve":"CVE-2026-48167","affectedVersions":"\u003E=5.0.0,\u003C=5.6.4|\u003E=4.0.0,\u003C=4.11.4","source":"GitHub","reportedAt":"2026-06-23 21:57:49","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3fc8-8hp6-6jr4"}]},{"advisoryId":"PKSA-w941-zhwq-2wbm","packageName":"filament\/tables","remoteId":"GHSA-7q3w-xqjw-g3cr","title":"Filament has inconsistent scope enforcement for its AttachAction and AssociateAction Select fields","link":"https:\/\/github.com\/advisories\/GHSA-7q3w-xqjw-g3cr","cve":"CVE-2026-48067","affectedVersions":"\u003E=3.0.0,\u003C=3.3.50","source":"GitHub","reportedAt":"2026-06-11 20:26:07","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-7q3w-xqjw-g3cr"}]}],"wwbn\/avideo":[{"advisoryId":"PKSA-m974-q1kf-q6bz","packageName":"wwbn\/avideo","remoteId":"GHSA-7cqp-7cfv-6c3q","title":"AVideo Meet plugin: anonymous-to-admin stored XSS via unescaped participant User-Agent in getMeetInfo.json.php Participants panel","link":"https:\/\/github.com\/advisories\/GHSA-7cqp-7cfv-6c3q","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-06-23 19:11:27","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-7cqp-7cfv-6c3q"}]},{"advisoryId":"PKSA-kyny-4znw-msn6","packageName":"wwbn\/avideo","remoteId":"GHSA-wc3f-xc32-435f","title":"AVideo has an incomplete fix of CVE-2026-33482: sanitizeFFmpegCommand still allows a single \u0027\u0026\u0027 (background operator), giving OS command execution at the same execAsync sh -c sink","link":"https:\/\/github.com\/advisories\/GHSA-wc3f-xc32-435f","cve":"CVE-2026-55173","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-06-23 
17:42:17","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-wc3f-xc32-435f"}]},{"advisoryId":"PKSA-6ggv-tpsf-fgk3","packageName":"wwbn\/avideo","remoteId":"GHSA-wf69-r4mx-43rr","title":"AVideo Vulnerable to Unauthenticated .env File Exposure via Official Docker Compose Configuration","link":"https:\/\/github.com\/advisories\/GHSA-wf69-r4mx-43rr","cve":"CVE-2026-33692","affectedVersions":"\u003C29.0","source":"GitHub","reportedAt":"2026-06-22 19:54:15","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-wf69-r4mx-43rr"}]},{"advisoryId":"PKSA-pwzs-6qqr-1tpq","packageName":"wwbn\/avideo","remoteId":"GHSA-95jh-7r58-xmxw","title":"AVideo has an Authorize.Net Webhook Signature Bypass that Enables Wallet Balance Inflation via Forged Payment Data","link":"https:\/\/github.com\/advisories\/GHSA-95jh-7r58-xmxw","cve":"CVE-2026-33731","affectedVersions":"\u003C=28.0","source":"GitHub","reportedAt":"2026-06-22 19:58:50","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-95jh-7r58-xmxw"}]},{"advisoryId":"PKSA-k458-rr3w-813f","packageName":"wwbn\/avideo","remoteId":"GHSA-8j8m-p79x-g4jm","title":"AVideo\u0027s Privilege Escalation via Unguarded Permission Parameters in signUp API Allows Self-Granting Upload\/Stream\/Meet Permissions","link":"https:\/\/github.com\/advisories\/GHSA-8j8m-p79x-g4jm","cve":"CVE-2026-33684","affectedVersions":"\u003C29.0","source":"GitHub","reportedAt":"2026-06-22 17:25:03","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-8j8m-p79x-g4jm"}]},{"advisoryId":"PKSA-k9kk-fbnx-923m","packageName":"wwbn\/avideo","remoteId":"GHSA-2fhx-q92v-5fhv","title":"WWBN AVideo: Stored XSS via autoEvalCodeOnHTML Bypass in MessageSQLite WebSocket Handler (CVE-2026-43874 
Bypass)","link":"https:\/\/github.com\/advisories\/GHSA-2fhx-q92v-5fhv","cve":"CVE-2026-49279","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-06-04 18:55:04","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-2fhx-q92v-5fhv"}]},{"advisoryId":"PKSA-s76b-xf2h-zmsc","packageName":"wwbn\/avideo","remoteId":"GHSA-hgjh-6wj8-gcgf","title":"WWBN AVideo: Unauthenticated Reflected XSS via $_GET[\u0027search\u0027] in AVideo YouTubeAPI Gallery Pagination","link":"https:\/\/github.com\/advisories\/GHSA-hgjh-6wj8-gcgf","cve":"CVE-2026-50182","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-06-04 18:55:58","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hgjh-6wj8-gcgf"}]},{"advisoryId":"PKSA-qfq6-tncf-8grt","packageName":"wwbn\/avideo","remoteId":"GHSA-66q5-cj5g-wrfx","title":"WWBN AVideo: Stored XSS via Hostile YouTube Video Title in AVideo YouTubeAPI Gallery Section","link":"https:\/\/github.com\/advisories\/GHSA-66q5-cj5g-wrfx","cve":"CVE-2026-50183","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-06-04 18:56:53","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-66q5-cj5g-wrfx"}]},{"advisoryId":"PKSA-rftd-5wbt-6qx1","packageName":"wwbn\/avideo","remoteId":"GHSA-8whc-2wmv-ww35","title":"WWBN AVideo: Unauthenticated Stored DOM Cross-Site Scripting via Per-Client Metadata Broadcast in YPTSocket Plugin","link":"https:\/\/github.com\/advisories\/GHSA-8whc-2wmv-ww35","cve":"CVE-2026-54458","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-06-04 18:57:50","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-8whc-2wmv-ww35"}]},{"advisoryId":"PKSA-4cz6-6cfv-8gy3","packageName":"wwbn\/avideo","remoteId":"GHSA-c8h8-vq34-9fw2","title":"WWBN AVideo: Stored XSS 
via unescaped Gallery category description","link":"https:\/\/github.com\/advisories\/GHSA-c8h8-vq34-9fw2","cve":"CVE-2026-47694","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-06-04 18:46:31","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-c8h8-vq34-9fw2"}]},{"advisoryId":"PKSA-59k2-q697-bf8x","packageName":"wwbn\/avideo","remoteId":"GHSA-9392-pj54-qqf8","title":"WWBN AVideo: Authenticated wallet credit bypass in AuthorizeNet processPayment endpoint","link":"https:\/\/github.com\/advisories\/GHSA-9392-pj54-qqf8","cve":"CVE-2026-47696","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-06-04 18:47:35","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-9392-pj54-qqf8"}]}],"paymenter\/paymenter":[{"advisoryId":"PKSA-c1p6-fvgz-yw29","packageName":"paymenter\/paymenter","remoteId":"GHSA-x93q-x9pc-w5hw","title":"Paymenter has broken object level authorization via service reference manipulation on ticket creation","link":"https:\/\/github.com\/advisories\/GHSA-x93q-x9pc-w5hw","cve":"CVE-2026-44585","affectedVersions":"\u003C1.5.0","source":"GitHub","reportedAt":"2026-06-22 20:30:16","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-x93q-x9pc-w5hw"}]},{"advisoryId":"PKSA-scs3-cd2n-yh78","packageName":"paymenter\/paymenter","remoteId":"GHSA-7wwh-xcc3-9fcg","title":"Paymenter has Blind Unauthenticated SSRF on the Paypal gateway module","link":"https:\/\/github.com\/advisories\/GHSA-7wwh-xcc3-9fcg","cve":"CVE-2026-44583","affectedVersions":"\u003C1.5.0","source":"GitHub","reportedAt":"2026-06-22 
20:28:29","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-7wwh-xcc3-9fcg"}]},{"advisoryId":"PKSA-db93-h5mg-r9z4","packageName":"paymenter\/paymenter","remoteId":"GHSA-rv89-wch8-c574","title":"Paymenter doesn\u0027t reset email verification status after email change","link":"https:\/\/github.com\/advisories\/GHSA-rv89-wch8-c574","cve":"CVE-2026-44584","affectedVersions":"\u003C1.5.0","source":"GitHub","reportedAt":"2026-06-22 20:29:41","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-rv89-wch8-c574"}]},{"advisoryId":"PKSA-7yx9-82k3-n51f","packageName":"paymenter\/paymenter","remoteId":"GHSA-5pm9-r2m8-rcmj","title":"Paymenter vulnerable to Remote Code Execution via public file uploads","link":"https:\/\/github.com\/advisories\/GHSA-5pm9-r2m8-rcmj","cve":"CVE-2025-58048","affectedVersions":"\u003C1.2.11","source":"GitHub","reportedAt":"2026-06-22 16:53:59","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-5pm9-r2m8-rcmj"}]}],"starcitizenwiki\/embedvideo":[{"advisoryId":"PKSA-wg3k-7dyt-r1n5","packageName":"starcitizenwiki\/embedvideo","remoteId":"GHSA-5c7p-g73q-rpg5","title":"StarCitizenWiki Extension Embed Video: Stored XSS via malformed src url with $wgEmbedVideoRequireConsent enabled","link":"https:\/\/github.com\/advisories\/GHSA-5c7p-g73q-rpg5","cve":"CVE-2026-55692","affectedVersions":"\u003C=4.0.0","source":"GitHub","reportedAt":"2026-06-19 21:41:57","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-5c7p-g73q-rpg5"}]},{"advisoryId":"PKSA-bvqp-6135-khxc","packageName":"starcitizenwiki\/embedvideo","remoteId":"GHSA-c29q-5xm7-5p62","title":"StarCitizenWiki Extension Embed Video: Stored XSS via unsanitized service name in exception 
text","link":"https:\/\/github.com\/advisories\/GHSA-c29q-5xm7-5p62","cve":"CVE-2026-55690","affectedVersions":"\u003C=4.0.0","source":"GitHub","reportedAt":"2026-06-19 21:14:15","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-c29q-5xm7-5p62"}]},{"advisoryId":"PKSA-17vj-28c7-d53v","packageName":"starcitizenwiki\/embedvideo","remoteId":"GHSA-7h5p-637f-jfr7","title":"StarCitizenWiki Extension Embed Video: Stored XSS via unsanitized class passed to template","link":"https:\/\/github.com\/advisories\/GHSA-7h5p-637f-jfr7","cve":"CVE-2026-55691","affectedVersions":"\u003C=4.0.0","source":"GitHub","reportedAt":"2026-06-19 21:15:03","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-7h5p-637f-jfr7"}]}],"craftcms\/cms":[{"advisoryId":"PKSA-5xds-5mf3-ckxn","packageName":"craftcms\/cms","remoteId":"GHSA-c55v-343g-5xff","title":"Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJs","link":"https:\/\/github.com\/advisories\/GHSA-c55v-343g-5xff","cve":"CVE-2026-55791","affectedVersions":"\u003E=4.0.0-RC1,\u003C4.18|\u003E=5.0.0-RC1,\u003C5.10","source":"GitHub","reportedAt":"2026-06-19 21:15:19","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-c55v-343g-5xff"}]}],"craftcms\/commerce":[{"advisoryId":"PKSA-3cyb-p9z9-9j9r","packageName":"craftcms\/commerce","remoteId":"GHSA-78vr-q6cf-c7p6","title":"Craft Commerce: Partial Payment Amount Without Lower Bound Validation","link":"https:\/\/github.com\/advisories\/GHSA-78vr-q6cf-c7p6","cve":null,"affectedVersions":"\u003E=4.0.0,\u003C=4.11.1|\u003E=5.0.0,\u003C=5.6.4","source":"GitHub","reportedAt":"2026-06-19 
21:15:23","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-78vr-q6cf-c7p6"}]},{"advisoryId":"PKSA-8pd1-kqxv-12wq","packageName":"craftcms\/commerce","remoteId":"GHSA-h5gm-x9wr-vhcm","title":"Craft Commerce: Coupon Code Brute-Force via Rate Limit Bypass","link":"https:\/\/github.com\/advisories\/GHSA-h5gm-x9wr-vhcm","cve":"CVE-2026-55795","affectedVersions":"\u003E=4.0.0,\u003C=4.11.1|\u003E=5.0.0,\u003C=5.6.4","source":"GitHub","reportedAt":"2026-06-19 21:15:26","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-h5gm-x9wr-vhcm"}]}],"cotonti\/cotonti":[{"advisoryId":"PKSA-cy3k-vcz8-1k97","packageName":"cotonti\/cotonti","remoteId":"GHSA-hp3v-wp32-953h","title":"Cotonti:  Cross-Site Request Forgery in the Personal File Storage (PFS) module","link":"https:\/\/github.com\/advisories\/GHSA-hp3v-wp32-953h","cve":"CVE-2026-55745","affectedVersions":"\u003C=1.0.0","source":"GitHub","reportedAt":"2026-06-18 12:40:26","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hp3v-wp32-953h"}]},{"advisoryId":"PKSA-sv92-d57h-xntt","packageName":"cotonti\/cotonti","remoteId":"GHSA-7g3p-35vc-mgjr","title":"Cotonti: Cross-Site Request Forgery in the administration rights handler","link":"https:\/\/github.com\/advisories\/GHSA-7g3p-35vc-mgjr","cve":"CVE-2026-55742","affectedVersions":"\u003C=1.0.0","source":"GitHub","reportedAt":"2026-06-18 12:40:25","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-7g3p-35vc-mgjr"}]},{"advisoryId":"PKSA-4kh8-r3m8-hxqy","packageName":"cotonti\/cotonti","remoteId":"GHSA-86hp-hf3j-3m8r","title":"Cotonti: Stored Cross-Site Scripting in the Personal File Storage (PFS) 
module","link":"https:\/\/github.com\/advisories\/GHSA-86hp-hf3j-3m8r","cve":"CVE-2026-55746","affectedVersions":"\u003C=1.0.0","source":"GitHub","reportedAt":"2026-06-18 12:40:26","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-86hp-hf3j-3m8r"}]},{"advisoryId":"PKSA-5cx6-4jyf-9qk9","packageName":"cotonti\/cotonti","remoteId":"GHSA-wx35-cv59-9gwr","title":"Cotonti: Cross-Site Request Forgery in the Personal File Storage (PFS) module","link":"https:\/\/github.com\/advisories\/GHSA-wx35-cv59-9gwr","cve":"CVE-2026-55744","affectedVersions":"\u003C=1.0.0","source":"GitHub","reportedAt":"2026-06-18 12:40:25","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-wx35-cv59-9gwr"}]}],"pimcore\/pimcore":[{"advisoryId":"PKSA-6dhb-gq75-qpgr","packageName":"pimcore\/pimcore","remoteId":"GHSA-7p36-fq2r-4h7r","title":"Pimcore CMS Twig Sandbox Bypass via SecurityPolicy checkMethodAllowed","link":"https:\/\/github.com\/advisories\/GHSA-7p36-fq2r-4h7r","cve":"CVE-2026-11407","affectedVersions":"\u003C=12.3.8","source":"GitHub","reportedAt":"2026-06-17 21:34:38","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-7p36-fq2r-4h7r"}]}],"guzzlehttp\/psr7":[{"advisoryId":"PKSA-7qs6-zvnz-h66r","packageName":"guzzlehttp\/psr7","remoteId":"guzzlehttp\/psr7\/CVE-2026-55766.yaml","title":"CRLF injection in HTTP start-line serialization","link":"https:\/\/github.com\/guzzle\/psr7\/security\/advisories\/GHSA-vm85-hxw5-5432","cve":"CVE-2026-55766","affectedVersions":"\u003C2.12.1","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-18 
09:49:37","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-vm85-hxw5-5432"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"guzzlehttp\/psr7\/CVE-2026-55766.yaml"}]},{"advisoryId":"PKSA-gm5x-j3mz-71n9","packageName":"guzzlehttp\/psr7","remoteId":"guzzlehttp\/psr7\/CVE-2026-49214.yaml","title":"CRLF injection via URI host component","link":"https:\/\/github.com\/guzzle\/psr7\/security\/advisories\/GHSA-hq7v-mx3g-29hw","cve":"CVE-2026-49214","affectedVersions":"\u003C2.10.2","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-25 22:58:15","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hq7v-mx3g-29hw"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"guzzlehttp\/psr7\/CVE-2026-49214.yaml"}]},{"advisoryId":"PKSA-jj5t-2zs1-dcfm","packageName":"guzzlehttp\/psr7","remoteId":"guzzlehttp\/psr7\/CVE-2026-48998.yaml","title":"Host confusion via authority reinterpretation","link":"https:\/\/github.com\/guzzle\/psr7\/security\/advisories\/GHSA-34xg-wgjx-8xph","cve":"CVE-2026-48998","affectedVersions":"\u003C2.10.2","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-25 22:58:15","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-34xg-wgjx-8xph"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"guzzlehttp\/psr7\/CVE-2026-48998.yaml"}]},{"advisoryId":"PKSA-hn62-zkx4-1y5q","packageName":"guzzlehttp\/psr7","remoteId":"guzzlehttp\/psr7\/CVE-2023-29197.yaml","title":"Improper header validation","link":"https:\/\/github.com\/guzzle\/psr7\/security\/advisories\/GHSA-wxmh-65f7-jcvw","cve":"CVE-2023-29197","affectedVersions":"\u003E=2,\u003C2.4.5|\u003C1.9.1","source":"FriendsOfPHP\/security-advisories","reportedAt":"2023-04-17 
16:00:37","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-wxmh-65f7-jcvw"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"guzzlehttp\/psr7\/CVE-2023-29197.yaml"}]},{"advisoryId":"PKSA-gvzg-s447-b5b5","packageName":"guzzlehttp\/psr7","remoteId":"guzzlehttp\/psr7\/CVE-2022-24775.yaml","title":"Improper parsing of HTTP headers","link":"https:\/\/github.com\/guzzle\/psr7\/security\/advisories\/GHSA-q7rv-6hp3-vh96","cve":"CVE-2022-24775","affectedVersions":"\u003E=2,\u003C2.1.1|\u003C1.8.4","source":"FriendsOfPHP\/security-advisories","reportedAt":"2022-03-20 13:44:44","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-q7rv-6hp3-vh96"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"guzzlehttp\/psr7\/CVE-2022-24775.yaml"}]}],"guzzlehttp\/guzzle":[{"advisoryId":"PKSA-93qv-9n9h-6k6p","packageName":"guzzlehttp\/guzzle","remoteId":"guzzlehttp\/guzzle\/CVE-2026-55767.yaml","title":"Dot-only cookie domains match all hosts","link":"https:\/\/github.com\/guzzle\/guzzle\/security\/advisories\/GHSA-cwxw-98qj-8qjx","cve":"CVE-2026-55767","affectedVersions":"\u003C7.12.1","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-18 14:12:49","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-cwxw-98qj-8qjx"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"guzzlehttp\/guzzle\/CVE-2026-55767.yaml"}]},{"advisoryId":"PKSA-k22t-f949-t9g6","packageName":"guzzlehttp\/guzzle","remoteId":"guzzlehttp\/guzzle\/CVE-2026-55568.yaml","title":"Silent HTTPS proxy downgrade to cleartext","link":"https:\/\/github.com\/guzzle\/guzzle\/security\/advisories\/GHSA-wpwq-4j6v-78m3","cve":"CVE-2026-55568","affectedVersions":"\u003C7.12.1","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-18 
14:12:49","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-wpwq-4j6v-78m3"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"guzzlehttp\/guzzle\/CVE-2026-55568.yaml"}]},{"advisoryId":"PKSA-yfw5-9gnj-n2c7","packageName":"guzzlehttp\/guzzle","remoteId":"guzzlehttp\/guzzle\/CVE-2022-31091.yaml","title":"Change in port should be considered a change in origin","link":"https:\/\/github.com\/guzzle\/guzzle\/security\/advisories\/GHSA-q559-8m2m-g699","cve":"CVE-2022-31091","affectedVersions":"\u003E=7,\u003C7.4.5|\u003E=4,\u003C6.5.8","source":"FriendsOfPHP\/security-advisories","reportedAt":"2022-06-20 22:16:07","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-q559-8m2m-g699"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"guzzlehttp\/guzzle\/CVE-2022-31091.yaml"}]},{"advisoryId":"PKSA-k1b4-kshy-xgbh","packageName":"guzzlehttp\/guzzle","remoteId":"guzzlehttp\/guzzle\/CVE-2022-31090.yaml","title":"CURLOPT_HTTPAUTH option not cleared on change of origin","link":"https:\/\/github.com\/guzzle\/guzzle\/security\/advisories\/GHSA-25mq-v84q-4j7r","cve":"CVE-2022-31090","affectedVersions":"\u003E=7,\u003C7.4.5|\u003E=4,\u003C6.5.8","source":"FriendsOfPHP\/security-advisories","reportedAt":"2022-06-20 22:16:07","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-25mq-v84q-4j7r"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"guzzlehttp\/guzzle\/CVE-2022-31090.yaml"}]},{"advisoryId":"PKSA-2z36-j4q9-rsfy","packageName":"guzzlehttp\/guzzle","remoteId":"guzzlehttp\/guzzle\/CVE-2022-31043.yaml","title":"Fix failure to strip Authorization header on HTTP 
downgrade","link":"https:\/\/github.com\/guzzle\/guzzle\/security\/advisories\/GHSA-w248-ffj2-4v5q","cve":"CVE-2022-31043","affectedVersions":"\u003E=7,\u003C7.4.4|\u003E=4,\u003C6.5.7","source":"FriendsOfPHP\/security-advisories","reportedAt":"2022-06-09 21:36:50","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-w248-ffj2-4v5q"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"guzzlehttp\/guzzle\/CVE-2022-31043.yaml"}]},{"advisoryId":"PKSA-fvw5-9t6n-nwvr","packageName":"guzzlehttp\/guzzle","remoteId":"guzzlehttp\/guzzle\/CVE-2022-31042.yaml","title":"Failure to strip the Cookie header on change in host or HTTP downgrade","link":"https:\/\/github.com\/guzzle\/guzzle\/security\/advisories\/GHSA-f2wf-25xc-69c9","cve":"CVE-2022-31042","affectedVersions":"\u003E=7,\u003C7.4.4|\u003E=4,\u003C6.5.7","source":"FriendsOfPHP\/security-advisories","reportedAt":"2022-06-09 21:36:50","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-f2wf-25xc-69c9"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"guzzlehttp\/guzzle\/CVE-2022-31042.yaml"}]},{"advisoryId":"PKSA-6d8m-6kgw-18zr","packageName":"guzzlehttp\/guzzle","remoteId":"guzzlehttp\/guzzle\/CVE-2022-29248.yaml","title":"Cross-domain cookie leakage","link":"https:\/\/github.com\/guzzle\/guzzle\/security\/advisories\/GHSA-cwmx-hcrq-mhc3","cve":"CVE-2022-29248","affectedVersions":"\u003E=7,\u003C7.4.3|\u003E=4,\u003C6.5.6","source":"FriendsOfPHP\/security-advisories","reportedAt":"2022-05-25 13:19:12","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-cwmx-hcrq-mhc3"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"guzzlehttp\/guzzle\/CVE-2022-29248.yaml"}]},{"advisoryId":"PKSA-stmn-hvzq-wph6","packageName":"guzzlehttp\/guzzle","remoteId":"guzzlehttp\/guzzle\/CVE-2016-5385.yaml","title":"HTTP Proxy header 
vulnerability","link":"https:\/\/github.com\/guzzle\/guzzle\/releases\/tag\/6.2.1","cve":"CVE-2016-5385","affectedVersions":"\u003E=6,\u003C6.2.1|\u003E=4.0.0-rc2,\u003C4.2.4|\u003E=5,\u003C5.3.1","source":"FriendsOfPHP\/security-advisories","reportedAt":"2016-07-15 17:44:18","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-m6ch-gg5f-wxx3"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"guzzlehttp\/guzzle\/CVE-2016-5385.yaml"}]}],"jleehr\/canto-saas-api":[{"advisoryId":"PKSA-j2jj-8zzq-m6yn","packageName":"jleehr\/canto-saas-api","remoteId":"GHSA-9qfv-wgh2-m6p8","title":"canto-saas-api: Authenticated API requests can be redirected via unencoded path variables","link":"https:\/\/github.com\/advisories\/GHSA-9qfv-wgh2-m6p8","cve":"CVE-2026-55374","affectedVersions":"\u003C=2.0.0","source":"GitHub","reportedAt":"2026-06-19 14:13:55","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-9qfv-wgh2-m6p8"}]},{"advisoryId":"PKSA-cgpk-zpcz-kxmr","packageName":"jleehr\/canto-saas-api","remoteId":"GHSA-37pm-83g7-r22v","title":"canto-saas-api: OAuth credentials exposed in URL query string and exception messages","link":"https:\/\/github.com\/advisories\/GHSA-37pm-83g7-r22v","cve":"CVE-2026-55375","affectedVersions":"\u003C=2.0.0","source":"GitHub","reportedAt":"2026-06-19 14:16:41","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-37pm-83g7-r22v"}]}],"symfony\/ux-icons":[{"advisoryId":"PKSA-2rqz-j593-s85p","packageName":"symfony\/ux-icons","remoteId":"symfony\/ux-icons\/CVE-2026-55877.yaml","title":"symfony\/ux-icons XSS via unsanitized SVG content in local files and Iconify on-demand 
responses","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-6v8j-33hc-mv84","cve":"CVE-2026-55877","affectedVersions":"\u003E=2.17.0,\u003C2.36.1|\u003E=3.0.0,\u003C3.2.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-19 07:21:19","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6v8j-33hc-mv84"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-icons\/CVE-2026-55877.yaml"}]}],"symfony\/ux-toolkit":[{"advisoryId":"PKSA-hmn2-9g3k-g9mr","packageName":"symfony\/ux-toolkit","remoteId":"symfony\/ux-toolkit\/CVE-2026-55878.yaml","title":"symfony\/ux-toolkit Path Traversal allows arbitrary file write and read via crafted recipe manifest","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-p9xj-fpr2-jf2q","cve":"CVE-2026-55878","affectedVersions":"\u003E=2.32.0,\u003C2.36.1|\u003E=3.0.0,\u003C3.2.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-19 07:21:23","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-p9xj-fpr2-jf2q"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-toolkit\/CVE-2026-55878.yaml"}]}],"web-token\/jwt-experimental":[{"advisoryId":"PKSA-z37k-njn7-w125","packageName":"web-token\/jwt-experimental","remoteId":"GHSA-6vvh-pxr4-25r7","title":"PHP JWT Framework: Chacha20Poly1305 key-encryption algorithm discards the Poly1305 authentication tag, performing no authentication on decryption","link":"https:\/\/github.com\/advisories\/GHSA-6vvh-pxr4-25r7","cve":null,"affectedVersions":"\u003C=4.1.6","source":"GitHub","reportedAt":"2026-06-18 21:08:15","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6vvh-pxr4-25r7"}]}],"phpbb\/phpbb":[{"advisoryId":"PKSA-k9cm-sh3f-xrxt","packageName":"phpbb\/phpbb","remoteId":"GHSA-7gm6-w7mx-58cr","title":"phpBB has Password Reset Link 
Poisoning via Host Header injection","link":"https:\/\/github.com\/advisories\/GHSA-7gm6-w7mx-58cr","cve":"CVE-2026-29199","affectedVersions":"=4.0.0-a1|\u003E=3.0.0,\u003C3.3.16","source":"GitHub","reportedAt":"2026-05-04 09:31:09","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-7gm6-w7mx-58cr"}]}],"drupal\/core":[{"advisoryId":"PKSA-h76q-q9b2-4kdc","packageName":"drupal\/core","remoteId":"GHSA-ghwc-95x2-682j","title":"Drupal Core has a SQL Injection issue","link":"https:\/\/github.com\/advisories\/GHSA-ghwc-95x2-682j","cve":"CVE-2026-9082","affectedVersions":"\u003E=11.3.0,\u003C11.3.10|\u003E=11.2.0,\u003C11.2.12|\u003E=11.0.0,\u003C11.1.10|\u003E=10.6.0,\u003C10.6.9|\u003E=10.5.0,\u003C10.5.10|\u003E=8.9.0,\u003C10.4.10","source":"GitHub","reportedAt":"2026-05-20 21:31:32","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-ghwc-95x2-682j"}]},{"advisoryId":"PKSA-787q-p7fn-mcw7","packageName":"drupal\/core","remoteId":"GHSA-pw6f-3999-xp7g","title":"Drupal core allows Cross-Site Scripting (XSS)","link":"https:\/\/github.com\/advisories\/GHSA-pw6f-3999-xp7g","cve":"CVE-2026-6367","affectedVersions":"\u003E=11.3.0,\u003C11.3.7","source":"GitHub","reportedAt":"2026-05-20 00:31:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-pw6f-3999-xp7g"}]},{"advisoryId":"PKSA-7kyj-yy4m-jzhv","packageName":"drupal\/core","remoteId":"GHSA-f3cj-mjqm-fhvj","title":"Drupal core is Vulnerable to Cross-Site Scripting","link":"https:\/\/github.com\/advisories\/GHSA-f3cj-mjqm-fhvj","cve":"CVE-2026-6365","affectedVersions":"\u003E=11.3.0,\u003C11.3.7|\u003E=11.0.0,\u003C11.2.11|\u003E=10.6.0,\u003C10.6.7|\u003E=8.0.0,\u003C10.5.9","source":"GitHub","reportedAt":"2026-05-20 
00:31:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f3cj-mjqm-fhvj"}]},{"advisoryId":"PKSA-j351-xv4b-pryh","packageName":"drupal\/core","remoteId":"GHSA-xmjc-63pr-2mpg","title":"Drupal core allows Object Injection","link":"https:\/\/github.com\/advisories\/GHSA-xmjc-63pr-2mpg","cve":"CVE-2026-6366","affectedVersions":"\u003E=11.3.0,\u003C11.3.7|\u003E=11.0.0,\u003C11.2.11|\u003E=10.6.0,\u003C10.6.7|\u003E=8.0.0,\u003C10.5.9","source":"GitHub","reportedAt":"2026-05-20 00:31:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-xmjc-63pr-2mpg"}]}],"getkirby\/cms":[{"advisoryId":"PKSA-4ys7-5twb-r3bn","packageName":"getkirby\/cms","remoteId":"GHSA-23q2-54qv-rq5x","title":"Kirby: `pages.access` permission is not checked in the pages picker for parent pages","link":"https:\/\/github.com\/advisories\/GHSA-23q2-54qv-rq5x","cve":"CVE-2026-49274","affectedVersions":"\u003E=5.0.0-alpha.1,\u003C=5.4.3|\u003C=4.9.3","source":"GitHub","reportedAt":"2026-06-18 15:04:14","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-23q2-54qv-rq5x"}]},{"advisoryId":"PKSA-hnr2-vddk-p4gy","packageName":"getkirby\/cms","remoteId":"GHSA-rhj6-r49h-5932","title":"Kirby: Self cross-site scripting (self-XSS) in the writer field","link":"https:\/\/github.com\/advisories\/GHSA-rhj6-r49h-5932","cve":"CVE-2026-49276","affectedVersions":"\u003E=5.0.0-alpha.1,\u003C=5.4.3|\u003C=4.9.3","source":"GitHub","reportedAt":"2026-06-18 15:04:41","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-rhj6-r49h-5932"}]},{"advisoryId":"PKSA-k11s-611y-v46q","packageName":"getkirby\/cms","remoteId":"GHSA-4v4h-m2qq-ppgw","title":"Kirby: Request header injection in 
`Http\\Remote`","link":"https:\/\/github.com\/advisories\/GHSA-4v4h-m2qq-ppgw","cve":"CVE-2026-50188","affectedVersions":"\u003E=5.0.0-alpha.1,\u003C=5.4.3|\u003C=4.9.3","source":"GitHub","reportedAt":"2026-06-18 15:04:46","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4v4h-m2qq-ppgw"}]},{"advisoryId":"PKSA-wps5-gfv8-mm6f","packageName":"getkirby\/cms","remoteId":"GHSA-wr9h-4r83-f4v6","title":"Kirby: Cross-site scripting (XSS) from incomplete HTML\/XML sanitization in `Dom::sanitize()`","link":"https:\/\/github.com\/advisories\/GHSA-wr9h-4r83-f4v6","cve":"CVE-2026-54002","affectedVersions":"\u003E=5.0.0-alpha.1,\u003C=5.4.3|\u003C=4.9.3","source":"GitHub","reportedAt":"2026-06-18 15:04:52","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-wr9h-4r83-f4v6"}]},{"advisoryId":"PKSA-h8zr-vfb5-1d5r","packageName":"getkirby\/cms","remoteId":"GHSA-whxw-24jc-cwmv","title":"Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` header","link":"https:\/\/github.com\/advisories\/GHSA-whxw-24jc-cwmv","cve":"CVE-2026-54003","affectedVersions":"\u003E=5.0.0-alpha.1,\u003C=5.4.3|\u003C=4.9.3","source":"GitHub","reportedAt":"2026-06-18 15:04:57","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-whxw-24jc-cwmv"}]},{"advisoryId":"PKSA-6sq2-11dh-hkdq","packageName":"getkirby\/cms","remoteId":"GHSA-89cp-7p28-jffg","title":"Kirby: Access to files of top-level drafts is not protected by permissions","link":"https:\/\/github.com\/advisories\/GHSA-89cp-7p28-jffg","cve":"CVE-2026-54004","affectedVersions":"\u003E=5.0.0-alpha.1,\u003C=5.4.3|\u003C=4.9.3","source":"GitHub","reportedAt":"2026-06-18 
15:05:05","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-89cp-7p28-jffg"}]},{"advisoryId":"PKSA-jpkc-34xj-4vfy","packageName":"getkirby\/cms","remoteId":"GHSA-r3w8-2c5r-h9j9","title":"Kirby: `pages.access` permission is not checked in the `site\/find` REST API route","link":"https:\/\/github.com\/advisories\/GHSA-r3w8-2c5r-h9j9","cve":"CVE-2026-54005","affectedVersions":"\u003E=5.0.0-alpha.1,\u003C=5.4.3|\u003C=4.9.3","source":"GitHub","reportedAt":"2026-06-18 15:05:11","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-r3w8-2c5r-h9j9"}]}],"getgrav\/grav":[{"advisoryId":"PKSA-p98m-jfx1-qxw4","packageName":"getgrav\/grav","remoteId":"GHSA-pmf8-g7c8-7v54","title":"Grav: Stored CSS injection via Markdown image ?style=\u2026 reaches MediaObjectTrait::style() \u2014 incomplete patch of GHSA-r7fx-8g49-7hhr","link":"https:\/\/github.com\/advisories\/GHSA-pmf8-g7c8-7v54","cve":"CVE-2026-55890","affectedVersions":"\u003C=2.0.0-rc.8","source":"GitHub","reportedAt":"2026-06-18 14:49:19","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-pmf8-g7c8-7v54"}]},{"advisoryId":"PKSA-wg3b-cs1z-bny5","packageName":"getgrav\/grav","remoteId":"GHSA-2f86-9cp8-6hcf","title":"Grav: Admin Backup Zip File Exposes Account Credentials and Configuration Secrets","link":"https:\/\/github.com\/advisories\/GHSA-2f86-9cp8-6hcf","cve":"CVE-2026-55885","affectedVersions":"\u003C1.7.53","source":"GitHub","reportedAt":"2026-06-18 14:31:13","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-2f86-9cp8-6hcf"}]}],"spomky-labs\/otphp":[{"advisoryId":"PKSA-qv5y-crcz-9nxw","packageName":"spomky-labs\/otphp","remoteId":"spomky-labs\/otphp\/GHSA-2jx3-65f3-xr8r.yaml","title":"Mass-assignment in Factory::loadFromProvisioningUri lets a hostile provisioning URI corrupt OTP 
state or leak an uncaught TypeError","link":"https:\/\/github.com\/Spomky-Labs\/otphp\/security\/advisories\/GHSA-2jx3-65f3-xr8r","cve":null,"affectedVersions":"\u003C11.4.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-31 09:08:33","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-2jx3-65f3-xr8r"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"spomky-labs\/otphp\/GHSA-2jx3-65f3-xr8r.yaml"}]},{"advisoryId":"PKSA-kbc7-dq62-pt7d","packageName":"spomky-labs\/otphp","remoteId":"spomky-labs\/otphp\/GHSA-g7m4-839x-ch6v.yaml","title":"Unbounded digits parameter in a provisioning URI triggers an uncaught DivisionByZeroError in OTP generation","link":"https:\/\/github.com\/Spomky-Labs\/otphp\/security\/advisories\/GHSA-g7m4-839x-ch6v","cve":null,"affectedVersions":"\u003C11.4.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-31 09:06:37","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-g7m4-839x-ch6v"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"spomky-labs\/otphp\/GHSA-g7m4-839x-ch6v.yaml"}]}],"web-token\/jwt-framework":[{"advisoryId":"PKSA-815n-fyy9-rqkd","packageName":"web-token\/jwt-framework","remoteId":"web-token\/jwt-framework\/GHSA-3prj-6hqw-cm82.yaml","title":"PBES2-HS*+A*KW unwrap accepts an unbounded p2c iteration count, enabling CPU-amplification denial of service","link":"https:\/\/github.com\/web-token\/jwt-framework\/security\/advisories\/GHSA-3prj-6hqw-cm82","cve":null,"affectedVersions":"\u003C3.4.10|\u003E=4.0.0,\u003C4.0.7|\u003E=4.1.0,\u003C4.1.7","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-06 
16:26:43","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"web-token\/jwt-framework\/GHSA-3prj-6hqw-cm82.yaml"}]},{"advisoryId":"PKSA-m2bn-5kyy-vzsk","packageName":"web-token\/jwt-framework","remoteId":"web-token\/jwt-framework\/GHSA-5739-39v2-5754.yaml","title":"RSA1_5 (RSAES-PKCS1-v1_5) decryption lacks implicit rejection, exposing a Bleichenbacher\/Marvin padding oracle","link":"https:\/\/github.com\/web-token\/jwt-framework\/security\/advisories\/GHSA-5739-39v2-5754","cve":null,"affectedVersions":"\u003C3.4.10|\u003E=4.0.0,\u003C4.0.7|\u003E=4.1.0,\u003C4.1.7","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-06 16:27:24","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-3prj-6hqw-cm82"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"web-token\/jwt-framework\/GHSA-5739-39v2-5754.yaml"}]},{"advisoryId":"PKSA-p7vh-1fk6-znth","packageName":"web-token\/jwt-framework","remoteId":"web-token\/jwt-framework\/GHSA-6vvh-pxr4-25r7.yaml","title":"Chacha20Poly1305 key-encryption algorithm discards the Poly1305 authentication tag, performing no authentication on decryption","link":"https:\/\/github.com\/web-token\/jwt-framework\/security\/advisories\/GHSA-6vvh-pxr4-25r7","cve":null,"affectedVersions":"\u003C3.4.10|\u003E=4.0.0,\u003C4.0.7|\u003E=4.1.0,\u003C4.1.7","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-06 16:27:05","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-jc38-x7x8-2xc8"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"web-token\/jwt-framework\/GHSA-6vvh-pxr4-25r7.yaml"}]},{"advisoryId":"PKSA-ztxk-m2k2-bkgv","packageName":"web-token\/jwt-framework","remoteId":"web-token\/jwt-framework\/GHSA-jc38-x7x8-2xc8.yaml","title":"JWSVerifier uses algorithm from unprotected header, enabling algorithm confusion 
attacks","link":"https:\/\/github.com\/web-token\/jwt-framework\/security\/advisories\/GHSA-jc38-x7x8-2xc8","cve":null,"affectedVersions":"\u003C3.4.10|\u003E=4.0.0,\u003C4.0.7|\u003E=4.1.0,\u003C4.1.7","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-06 16:30:13","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-5739-39v2-5754"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"web-token\/jwt-framework\/GHSA-jc38-x7x8-2xc8.yaml"}]}],"web-token\/jwt-library":[{"advisoryId":"PKSA-qw7k-npv6-3pbk","packageName":"web-token\/jwt-library","remoteId":"web-token\/jwt-library\/GHSA-3prj-6hqw-cm82.yaml","title":"PBES2-HS*+A*KW unwrap accepts an unbounded p2c iteration count, enabling CPU-amplification denial of service","link":"https:\/\/github.com\/web-token\/jwt-framework\/security\/advisories\/GHSA-3prj-6hqw-cm82","cve":null,"affectedVersions":"\u003C3.4.10|\u003E=4.0.0,\u003C4.0.7|\u003E=4.1.0,\u003C4.1.7","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-06 16:26:43","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6vvh-pxr4-25r7"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"web-token\/jwt-library\/GHSA-3prj-6hqw-cm82.yaml"}]},{"advisoryId":"PKSA-237v-kv6c-dpkr","packageName":"web-token\/jwt-library","remoteId":"web-token\/jwt-library\/GHSA-5739-39v2-5754.yaml","title":"RSA1_5 (RSAES-PKCS1-v1_5) decryption lacks implicit rejection, exposing a Bleichenbacher\/Marvin padding oracle","link":"https:\/\/github.com\/web-token\/jwt-framework\/security\/advisories\/GHSA-5739-39v2-5754","cve":null,"affectedVersions":"\u003C3.4.10|\u003E=4.0.0,\u003C4.0.7|\u003E=4.1.0,\u003C4.1.7","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-06 
16:27:24","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-3prj-6hqw-cm82"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"web-token\/jwt-library\/GHSA-5739-39v2-5754.yaml"}]},{"advisoryId":"PKSA-66dc-42nb-26yy","packageName":"web-token\/jwt-library","remoteId":"web-token\/jwt-library\/GHSA-6vvh-pxr4-25r7.yaml","title":"Chacha20Poly1305 key-encryption algorithm discards the Poly1305 authentication tag, performing no authentication on decryption","link":"https:\/\/github.com\/web-token\/jwt-framework\/security\/advisories\/GHSA-6vvh-pxr4-25r7","cve":null,"affectedVersions":"\u003C3.4.10|\u003E=4.0.0,\u003C4.0.7|\u003E=4.1.0,\u003C4.1.7","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-06 16:27:05","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-jc38-x7x8-2xc8"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"web-token\/jwt-library\/GHSA-6vvh-pxr4-25r7.yaml"}]},{"advisoryId":"PKSA-58h1-qnck-61bt","packageName":"web-token\/jwt-library","remoteId":"web-token\/jwt-library\/GHSA-jc38-x7x8-2xc8.yaml","title":"JWSVerifier uses algorithm from unprotected header, enabling algorithm confusion attacks","link":"https:\/\/github.com\/web-token\/jwt-framework\/security\/advisories\/GHSA-jc38-x7x8-2xc8","cve":null,"affectedVersions":"\u003C3.4.10|\u003E=4.0.0,\u003C4.0.7|\u003E=4.1.0,\u003C4.1.7","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-06 16:30:13","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-5739-39v2-5754"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"web-token\/jwt-library\/GHSA-jc38-x7x8-2xc8.yaml"}]}],"mtdowling\/jmespath.php":[{"advisoryId":"PKSA-mnyp-475s-ywph","packageName":"mtdowling\/jmespath.php","remoteId":"mtdowling\/jmespath.php\/CVE-2026-54133.yaml","title":"CompilerRuntime code injection via unescaped 
function names","link":"https:\/\/github.com\/jmespath\/jmespath.php\/security\/advisories\/GHSA-pcw8-m77r-2528","cve":"CVE-2026-54133","affectedVersions":"\u003C2.9.1","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-11 10:41:50","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"mtdowling\/jmespath.php\/CVE-2026-54133.yaml"}]}],"cakephp\/authentication":[{"advisoryId":"PKSA-bz6x-t8z8-r26p","packageName":"cakephp\/authentication","remoteId":"GHSA-hhpq-7wg4-36jm","title":"CakePHP Authentication: Open redirect weakness via backslash bypass","link":"https:\/\/github.com\/advisories\/GHSA-hhpq-7wg4-36jm","cve":"CVE-2026-55590","affectedVersions":"\u003E=4.0.0,\u003C4.1.1|\u003C3.3.6","source":"GitHub","reportedAt":"2026-06-17 18:52:09","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hhpq-7wg4-36jm"}]}],"filament\/forms":[{"advisoryId":"PKSA-n7tx-gkfb-14yj","packageName":"filament\/forms","remoteId":"GHSA-m9cv-24rx-8mv7","title":"Filament: Disabled RichEditor field state can be used for XSS","link":"https:\/\/github.com\/advisories\/GHSA-m9cv-24rx-8mv7","cve":"CVE-2026-55409","affectedVersions":"\u003E=3.0.0,\u003C=3.3.52","source":"GitHub","reportedAt":"2026-06-17 18:41:12","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-m9cv-24rx-8mv7"}]}],"laravel\/framework":[{"advisoryId":"PKSA-3r5d-mb8f-1qw9","packageName":"laravel\/framework","remoteId":"GHSA-5vg9-5847-vvmq","title":"Laravel Framework: CRLF injection in default email rule ","link":"https:\/\/github.com\/advisories\/GHSA-5vg9-5847-vvmq","cve":null,"affectedVersions":"\u003C12.60.0|\u003E=13.0.0,\u003C=13.9.0","source":"GitHub","reportedAt":"2026-06-17 
13:53:44","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-5vg9-5847-vvmq"}]},{"advisoryId":"PKSA-m5cs-t1y6-qpcs","packageName":"laravel\/framework","remoteId":"GHSA-crmm-hgp2-wgrp","title":"Laravel Framework: Temporary Signed URL Path Confusion","link":"https:\/\/github.com\/advisories\/GHSA-crmm-hgp2-wgrp","cve":null,"affectedVersions":"\u003C12.61.1|\u003E=13.0.0,\u003C13.12.0","source":"GitHub","reportedAt":"2026-06-17 13:54:13","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-crmm-hgp2-wgrp"}]},{"advisoryId":"PKSA-mdq4-51ck-6kdq","packageName":"laravel\/framework","remoteId":"laravel\/framework\/CVE-2026-48019.yaml","title":"Laravel CRLF injection in default email rule","link":"https:\/\/github.com\/laravel\/framework\/security\/advisories\/GHSA-5vg9-5847-vvmq","cve":"CVE-2026-48019","affectedVersions":"\u003E=9.0.0,\u003C10.0.0|\u003E=10.0.0,\u003C11.0.0|\u003E=11.0.0,\u003C12.0.0|\u003E=12.0.0,\u003C12.60.0|\u003E=13.0.0,\u003C13.10.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-19 18:13:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"laravel\/framework\/CVE-2026-48019.yaml"}]}],"phpseclib\/phpseclib":[{"advisoryId":"PKSA-432p-hv1d-chf7","packageName":"phpseclib\/phpseclib","remoteId":"GHSA-m557-wrgg-6rp4","title":"phpseclib: X.509 certificate validation sends attacker-controlled outbound requests (server-side request forgery) via Authority Information Access","link":"https:\/\/github.com\/advisories\/GHSA-m557-wrgg-6rp4","cve":null,"affectedVersions":"\u003E=3.0.0,\u003C=3.0.53|\u003E=2.0.0,\u003C=2.0.54|\u003E=0.1.1,\u003C=1.0.29","source":"GitHub","reportedAt":"2026-06-16 
15:03:58","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-m557-wrgg-6rp4"}]}],"typo3\/cms-recycler":[{"advisoryId":"PKSA-9psw-d46q-t3cr","packageName":"typo3\/cms-recycler","remoteId":"GHSA-f34x-rx2w-7pm3","title":"TYPO3 CMS has Broken Access Control in the Recycler Module","link":"https:\/\/github.com\/advisories\/GHSA-f34x-rx2w-7pm3","cve":"CVE-2026-47349","affectedVersions":"\u003E=14.0.0,\u003C14.3.3|\u003E=13.0.0,\u003C13.4.31|\u003E=12.0.0,\u003C12.4.46|\u003E=11.0.0,\u003C11.5.51|\u003C10.4.57","source":"GitHub","reportedAt":"2026-06-12 20:08:04","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f34x-rx2w-7pm3"}]}],"typo3\/cms-form":[{"advisoryId":"PKSA-8hzt-dvj5-mc5s","packageName":"typo3\/cms-form","remoteId":"GHSA-pjpj-v387-x4vq","title":"TYPO3 CMS has Broken Access Control in its Form Framework","link":"https:\/\/github.com\/advisories\/GHSA-pjpj-v387-x4vq","cve":"CVE-2026-11607","affectedVersions":"\u003E=14.0.0,\u003C14.3.3|\u003E=13.0.0,\u003C13.4.31|\u003E=12.0.0,\u003C12.4.46|\u003E=11.0.0,\u003C11.5.51|\u003C10.4.57","source":"GitHub","reportedAt":"2026-06-12 20:08:11","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pjpj-v387-x4vq"}]},{"advisoryId":"PKSA-m239-hcqk-kg59","packageName":"typo3\/cms-form","remoteId":"GHSA-hwvq-2w67-rvxp","title":"TYPO3 CMS has Broken Access Control in its Form Framework","link":"https:\/\/github.com\/advisories\/GHSA-hwvq-2w67-rvxp","cve":"CVE-2026-47346","affectedVersions":"\u003E=14.0.0,\u003C14.3.3|\u003E=13.0.0,\u003C13.4.31|\u003E=12.0.0,\u003C12.4.46|\u003E=11.0.0,\u003C11.5.51|\u003C10.4.57","source":"GitHub","reportedAt":"2026-06-12 
19:32:09","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-hwvq-2w67-rvxp"}]},{"advisoryId":"PKSA-w8hs-qvzm-sf5x","packageName":"typo3\/cms-form","remoteId":"GHSA-jh32-v29g-68pq","title":"TYPO3 CMS has Privilege Escalation \u0026 SQL Injection in its Form Framework","link":"https:\/\/github.com\/advisories\/GHSA-jh32-v29g-68pq","cve":"CVE-2026-49741","affectedVersions":"\u003E=14.0.0,\u003C14.3.3","source":"GitHub","reportedAt":"2026-06-12 19:32:22","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-jh32-v29g-68pq"}]}],"typo3\/cms-indexed-search":[{"advisoryId":"PKSA-38f7-f61m-dktr","packageName":"typo3\/cms-indexed-search","remoteId":"GHSA-cg75-qfg2-w9hj","title":"TYPO3 CMS has Cross-Site Scripting in Indexed Search","link":"https:\/\/github.com\/advisories\/GHSA-cg75-qfg2-w9hj","cve":"CVE-2026-47348","affectedVersions":"\u003E=14.0.0,\u003C14.3.3|\u003E=13.0.0,\u003C13.4.31","source":"GitHub","reportedAt":"2026-06-12 19:06:52","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-cg75-qfg2-w9hj"}]}],"typo3\/cms-backend":[{"advisoryId":"PKSA-4mhm-w6hx-yhcy","packageName":"typo3\/cms-backend","remoteId":"GHSA-q93m-25xv-94hh","title":"TYPO3 CMS: Broken Access Control in Media Module","link":"https:\/\/github.com\/advisories\/GHSA-q93m-25xv-94hh","cve":"CVE-2026-47351","affectedVersions":"\u003E=14.0.0,\u003C14.3.3|\u003E=13.0.0,\u003C13.4.31|\u003E=12.0.0,\u003C12.4.46|\u003E=11.0.0,\u003C11.5.51|\u003C10.4.57","source":"GitHub","reportedAt":"2026-06-12 19:06:59","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-q93m-25xv-94hh"}]},{"advisoryId":"PKSA-gksc-phy8-f181","packageName":"typo3\/cms-backend","remoteId":"GHSA-2j54-93q2-3hjq","title":"TYPO3 CMS has Broken Access Control in Backend 
API","link":"https:\/\/github.com\/advisories\/GHSA-2j54-93q2-3hjq","cve":"CVE-2026-47352","affectedVersions":"\u003E=14.0.0,\u003C14.3.3|\u003E=13.0.0,\u003C13.4.31|\u003E=12.0.0,\u003C12.4.46|\u003E=11.0.0,\u003C11.5.51|\u003C10.4.57","source":"GitHub","reportedAt":"2026-06-12 19:08:59","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-2j54-93q2-3hjq"}]}],"typo3\/cms-filelist":[{"advisoryId":"PKSA-br9n-75sp-8dqy","packageName":"typo3\/cms-filelist","remoteId":"GHSA-chm7-4vch-h8vr","title":"TYPO3 CMS has Broken Access Control in its Media Module","link":"https:\/\/github.com\/advisories\/GHSA-chm7-4vch-h8vr","cve":"CVE-2026-49742","affectedVersions":"\u003E=14.0.0,\u003C14.3.3|\u003E=13.0.0,\u003C13.4.31|\u003E=12.0.0,\u003C12.4.46|\u003E=11.0.0,\u003C11.5.51","source":"GitHub","reportedAt":"2026-06-12 19:09:30","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-chm7-4vch-h8vr"}]}],"grumpydictator\/firefly-iii":[{"advisoryId":"PKSA-197r-m2ry-57db","packageName":"grumpydictator\/firefly-iii","remoteId":"GHSA-6jq6-x4cx-qvcm","title":"Firefly II has Stored XSS in Audit Log Entry view via piggy bank name (ale.twig)","link":"https:\/\/github.com\/advisories\/GHSA-6jq6-x4cx-qvcm","cve":null,"affectedVersions":"\u003C=6.6.2","source":"GitHub","reportedAt":"2026-06-12 15:04:50","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6jq6-x4cx-qvcm"}]}],"symfony\/runtime":[{"advisoryId":"PKSA-xf5h-y6vg-qj98","packageName":"symfony\/runtime","remoteId":"GHSA-fqc7-9xjw-jrh3","title":"SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV\/APP_DEBUG via parse_str\/SAPI Argv 
Mismatch","link":"https:\/\/github.com\/advisories\/GHSA-fqc7-9xjw-jrh3","cve":"CVE-2026-47767","affectedVersions":"\u003E=8.0.0,\u003C8.0.12|\u003E=7.1.7,\u003C7.4.12|\u003E=6.4.14,\u003C6.4.40|\u003E=5.4.46,\u003C5.4.52","source":"GitHub","reportedAt":"2026-06-09 21:58:11","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-fqc7-9xjw-jrh3"}]}],"symfony\/symfony":[{"advisoryId":"PKSA-9crr-v2h4-wg18","packageName":"symfony\/symfony","remoteId":"GHSA-fqc7-9xjw-jrh3","title":"SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV\/APP_DEBUG via parse_str\/SAPI Argv Mismatch","link":"https:\/\/github.com\/advisories\/GHSA-fqc7-9xjw-jrh3","cve":"CVE-2026-47767","affectedVersions":"\u003E=8.0.0,\u003C8.0.12|\u003E=7.1.7,\u003C7.4.12|\u003E=6.4.14,\u003C6.4.40|\u003E=5.4.46,\u003C5.4.52","source":"GitHub","reportedAt":"2026-06-09 21:58:11","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-fqc7-9xjw-jrh3"}]},{"advisoryId":"PKSA-bd71-n14y-wh1d","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-48736.yaml","title":"CVE-2026-48736: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient","link":"https:\/\/symfony.com\/cve-2026-48736","cve":"CVE-2026-48736","affectedVersions":"\u003E=5.4.0,\u003C5.4.53|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 
08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-38cx-cq6f-5755"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-48736.yaml"}]},{"advisoryId":"PKSA-qpkt-z1gq-qf6m","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-48761.yaml","title":"CVE-2026-48761: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes on \u003Cobject\u003E, \u003Capplet\u003E, \u003Ciframe\u003E, \u003Cimg\u003E and the URL Inside \u003Cmeta http-equiv=\u0022refresh\u0022\u003E content","link":"https:\/\/symfony.com\/cve-2026-48761","cve":"CVE-2026-48761","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-x5qj-865h-mgvm"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-48761.yaml"}]},{"advisoryId":"PKSA-nshj-ydrr-y3c1","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-48784.yaml","title":"CVE-2026-48784: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `..\/` or `.\/` \u2192 Generated URL Collapses Off-Route Under RFC 3986 
Normalization","link":"https:\/\/symfony.com\/cve-2026-48784","cve":"CVE-2026-48784","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.53|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-h5x3-xfc9-m39h"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-48784.yaml"}]},{"advisoryId":"PKSA-v1cq-8qyb-2p5n","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-48747.yaml","title":"CVE-2026-48747: Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade","link":"https:\/\/symfony.com\/cve-2026-48747","cve":"CVE-2026-48747","affectedVersions":"\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-rrj9-5q2j-4gvr"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-48747.yaml"}]},{"advisoryId":"PKSA-gc1j-s49p-r1kv","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-48760.yaml","title":"CVE-2026-48760: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing 
Defense","link":"https:\/\/symfony.com\/cve-2026-48760","cve":"CVE-2026-48760","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-v3wm-qf9p-c549"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-48760.yaml"}]},{"advisoryId":"PKSA-pjp2-q1z1-mmvn","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-48489.yaml","title":"CVE-2026-48489: Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET Routes","link":"https:\/\/symfony.com\/cve-2026-48489","cve":"CVE-2026-48489","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.53|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-6h46-9jf5-q59x"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-48489.yaml"}]}],"pheditor\/pheditor":[{"advisoryId":"PKSA-5cjp-hkk1-6kzk","packageName":"pheditor\/pheditor","remoteId":"GHSA-jvc5-6g7q-c843","title":"Pheditor: OS Command Injection in terminal handler via 
unsanitized \u0027dir\u0027 parameter","link":"https:\/\/github.com\/advisories\/GHSA-jvc5-6g7q-c843","cve":"CVE-2026-48030","affectedVersions":"\u003E=2.0.1,\u003C=2.0.3","source":"GitHub","reportedAt":"2026-06-09 22:00:35","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-jvc5-6g7q-c843"}]}],"guzzlehttp\/guzzle-services":[{"advisoryId":"PKSA-39d7-zgf3-b3y1","packageName":"guzzlehttp\/guzzle-services","remoteId":"guzzlehttp\/guzzle-services\/CVE-2026-53723.yaml","title":"XML injection via CDATA terminator in XML request serialization","link":"https:\/\/github.com\/guzzle\/guzzle-services\/security\/advisories\/GHSA-q8r6-5hfw-5jff","cve":"CVE-2026-53723","affectedVersions":"\u003C1.5.4","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-02 11:38:10","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-q8r6-5hfw-5jff"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"guzzlehttp\/guzzle-services\/CVE-2026-53723.yaml"}]}],"codeigniter4\/framework":[{"advisoryId":"PKSA-217t-qqjr-nkt3","packageName":"codeigniter4\/framework","remoteId":"GHSA-2gr4-ppc7-7mhx","title":"CodeIgniter4 has a validation bypass when uploading file extensions via `ext_in` rule","link":"https:\/\/github.com\/advisories\/GHSA-2gr4-ppc7-7mhx","cve":"CVE-2026-48062","affectedVersions":"\u003C4.7.2","source":"GitHub","reportedAt":"2026-06-11 17:16:09","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-2gr4-ppc7-7mhx"}]}],"filament\/actions":[{"advisoryId":"PKSA-ndkp-2znf-9m7c","packageName":"filament\/actions","remoteId":"GHSA-7q3w-xqjw-g3cr","title":"Filament has inconsistent scope enforcement for its AttachAction and AssociateAction Select 
fields","link":"https:\/\/github.com\/advisories\/GHSA-7q3w-xqjw-g3cr","cve":"CVE-2026-48067","affectedVersions":"\u003E=5.0.0,\u003C=5.6.3|\u003E=4.0.0,\u003C=4.11.3","source":"GitHub","reportedAt":"2026-06-11 20:26:07","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-7q3w-xqjw-g3cr"}]}],"typo3\/cms-core":[{"advisoryId":"PKSA-32mm-z25f-2ysj","packageName":"typo3\/cms-core","remoteId":"typo3\/cms-core\/CVE-2026-47351.yaml","title":"TYPO3-CORE-SA-2026-014: Broken Access Control in Clipboard","link":"https:\/\/typo3.org\/security\/advisory\/typo3-core-sa-2026-014","cve":"CVE-2026-47351","affectedVersions":"\u003C10.4.57|\u003E=11.0.0,\u003C11.5.51|\u003E=12.0.0,\u003C12.4.46|\u003E=13.0.0,\u003C13.4.31|\u003E=14.0.0,\u003C14.3.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-09 09:00:20","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-q93m-25xv-94hh"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"typo3\/cms-core\/CVE-2026-47351.yaml"}]},{"advisoryId":"PKSA-q3vc-jr63-rrrj","packageName":"typo3\/cms-core","remoteId":"typo3\/cms-core\/CVE-2026-49740.yaml","title":"TYPO3-CORE-SA-2026-018: Insecure Deserialization in Core API","link":"https:\/\/typo3.org\/security\/advisory\/typo3-core-sa-2026-018","cve":"CVE-2026-49740","affectedVersions":"\u003C10.4.57|\u003E=11.0.0,\u003C11.5.51|\u003E=12.0.0,\u003C12.4.46|\u003E=13.0.0,\u003C13.4.31|\u003E=14.0.0,\u003C14.3.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-09 09:03:02","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-c78m-c52x-jgwp"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"typo3\/cms-core\/CVE-2026-49740.yaml"}]},{"advisoryId":"PKSA-pg93-52nb-x8ym","packageName":"typo3\/cms-core","remoteId":"typo3\/cms-core\/CVE-2026-47348.yaml","title":"TYPO3-CORE-SA-2026-010: 
Cross-Site Scripting in Indexed Search","link":"https:\/\/typo3.org\/security\/advisory\/typo3-core-sa-2026-010","cve":"CVE-2026-47348","affectedVersions":"\u003E=13.0.0,\u003C13.4.31|\u003E=14.0.0,\u003C14.3.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-09 08:57:39","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-cg75-qfg2-w9hj"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"typo3\/cms-core\/CVE-2026-47348.yaml"}]},{"advisoryId":"PKSA-gj1k-954p-nhmk","packageName":"typo3\/cms-core","remoteId":"typo3\/cms-core\/CVE-2026-49738.yaml","title":"TYPO3-CORE-SA-2026-016: Broken Access Control in File Abstraction Layer","link":"https:\/\/typo3.org\/security\/advisory\/typo3-core-sa-2026-016","cve":"CVE-2026-49738","affectedVersions":"\u003C10.4.57|\u003E=11.0.0,\u003C11.5.51|\u003E=12.0.0,\u003C12.4.46|\u003E=13.0.0,\u003C13.4.31|\u003E=14.0.0,\u003C14.3.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-09 09:01:48","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-jf56-v8jc-jcc5"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"typo3\/cms-core\/CVE-2026-49738.yaml"}]},{"advisoryId":"PKSA-gr4f-6g49-cg8v","packageName":"typo3\/cms-core","remoteId":"typo3\/cms-core\/CVE-2026-47352.yaml","title":"TYPO3-CORE-SA-2026-015: Broken Access Control in Backend API","link":"https:\/\/typo3.org\/security\/advisory\/typo3-core-sa-2026-015","cve":"CVE-2026-47352","affectedVersions":"\u003C10.4.57|\u003E=11.0.0,\u003C11.5.51|\u003E=12.0.0,\u003C12.4.46|\u003E=13.0.0,\u003C13.4.31|\u003E=14.0.0,\u003C14.3.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-09 
09:01:04","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-2j54-93q2-3hjq"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"typo3\/cms-core\/CVE-2026-47352.yaml"}]},{"advisoryId":"PKSA-6jfs-jhtj-72x7","packageName":"typo3\/cms-core","remoteId":"typo3\/cms-core\/CVE-2026-47346.yaml","title":"TYPO3-CORE-SA-2026-008: Broken Access Control in Form Framework","link":"https:\/\/typo3.org\/security\/advisory\/typo3-core-sa-2026-008","cve":"CVE-2026-47346","affectedVersions":"\u003C10.4.57|\u003E=11.0.0,\u003C11.5.51|\u003E=12.0.0,\u003C12.4.46|\u003E=13.0.0,\u003C13.4.31|\u003E=14.0.0,\u003C14.3.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-09 08:56:21","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-hwvq-2w67-rvxp"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"typo3\/cms-core\/CVE-2026-47346.yaml"}]},{"advisoryId":"PKSA-2yr3-by9d-r1gh","packageName":"typo3\/cms-core","remoteId":"typo3\/cms-core\/CVE-2026-11607.yaml","title":"TYPO3-CORE-SA-2026-019: Broken Access Control in Form Framework","link":"https:\/\/typo3.org\/security\/advisory\/typo3-core-sa-2026-019","cve":"CVE-2026-11607","affectedVersions":"\u003C10.4.57|\u003E=11.0.0,\u003C11.5.51|\u003E=12.0.0,\u003C12.4.46|\u003E=13.0.0,\u003C13.4.31|\u003E=14.0.0,\u003C14.3.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-09 09:06:07","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pjpj-v387-x4vq"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"typo3\/cms-core\/CVE-2026-11607.yaml"}]},{"advisoryId":"PKSA-bzt2-2962-49bj","packageName":"typo3\/cms-core","remoteId":"typo3\/cms-core\/CVE-2026-47349.yaml","title":"TYPO3-CORE-SA-2026-011: Broken Access Control in 
Recycler","link":"https:\/\/typo3.org\/security\/advisory\/typo3-core-sa-2026-011","cve":"CVE-2026-47349","affectedVersions":"\u003C10.4.57|\u003E=11.0.0,\u003C11.5.51|\u003E=12.0.0,\u003C12.4.46|\u003E=13.0.0,\u003C13.4.31|\u003E=14.0.0,\u003C14.3.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-09 08:58:19","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f34x-rx2w-7pm3"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"typo3\/cms-core\/CVE-2026-47349.yaml"}]},{"advisoryId":"PKSA-vbrn-fwpj-xmx5","packageName":"typo3\/cms-core","remoteId":"typo3\/cms-core\/CVE-2026-49742.yaml","title":"TYPO3-CORE-SA-2026-013: Broken Access Control in Media Module","link":"https:\/\/typo3.org\/security\/advisory\/typo3-core-sa-2026-013","cve":"CVE-2026-49742","affectedVersions":"\u003E=11.0.0,\u003C11.5.51|\u003E=12.0.0,\u003C12.4.46|\u003E=13.0.0,\u003C13.4.31|\u003E=14.0.0,\u003C14.3.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-09 08:59:35","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-chm7-4vch-h8vr"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"typo3\/cms-core\/CVE-2026-49742.yaml"}]},{"advisoryId":"PKSA-s3vj-chpj-8wrn","packageName":"typo3\/cms-core","remoteId":"typo3\/cms-core\/CVE-2026-47347.yaml","title":"TYPO3-CORE-SA-2026-009: Open Redirect in TYPO3 CMS","link":"https:\/\/typo3.org\/security\/advisory\/typo3-core-sa-2026-009","cve":"CVE-2026-47347","affectedVersions":"\u003C10.4.57|\u003E=11.0.0,\u003C11.5.51|\u003E=12.0.0,\u003C12.4.46|\u003E=13.0.0,\u003C13.4.31|\u003E=14.0.0,\u003C14.3.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-09 
08:57:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3p42-w5ch-gg42"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"typo3\/cms-core\/CVE-2026-47347.yaml"}]},{"advisoryId":"PKSA-ghx2-mc2z-fx6x","packageName":"typo3\/cms-core","remoteId":"typo3\/cms-core\/CVE-2026-47343.yaml","title":"TYPO3-CORE-SA-2026-007: Broken Access Control in File Abstraction Layer","link":"https:\/\/typo3.org\/security\/advisory\/typo3-core-sa-2026-007","cve":"CVE-2026-47343","affectedVersions":"\u003C10.4.57|\u003E=11.0.0,\u003C11.5.51|\u003E=12.0.0,\u003C12.4.46|\u003E=13.0.0,\u003C13.4.31|\u003E=14.0.0,\u003C14.3.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-09 08:55:42","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-3v8v-4wg6-r7qh"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"typo3\/cms-core\/CVE-2026-47343.yaml"}]},{"advisoryId":"PKSA-vv7s-w171-wb2j","packageName":"typo3\/cms-core","remoteId":"typo3\/cms-core\/CVE-2026-47350.yaml","title":"TYPO3-CORE-SA-2026-012: Broken Access Control in DataHandler","link":"https:\/\/typo3.org\/security\/advisory\/typo3-core-sa-2026-012","cve":"CVE-2026-47350","affectedVersions":"\u003E=13.0.0,\u003C13.4.31|\u003E=14.0.0,\u003C14.3.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-09 08:58:58","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-qcmw-6rm2-5x78"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"typo3\/cms-core\/CVE-2026-47350.yaml"}]},{"advisoryId":"PKSA-hqhs-7j5f-td2d","packageName":"typo3\/cms-core","remoteId":"typo3\/cms-core\/CVE-2026-49741.yaml","title":"TYPO3-CORE-SA-2026-017: Privilege Escalation \u0026amp; SQL Injection in Form 
Framework","link":"https:\/\/typo3.org\/security\/advisory\/typo3-core-sa-2026-017","cve":"CVE-2026-49741","affectedVersions":"\u003E=14.0.0,\u003C14.3.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-09 09:02:19","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-jh32-v29g-68pq"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"typo3\/cms-core\/CVE-2026-49741.yaml"}]}],"typo3\/html-sanitizer":[{"advisoryId":"PKSA-7jn3-yc49-35c6","packageName":"typo3\/html-sanitizer","remoteId":"typo3\/html-sanitizer\/CVE-2026-47345.yaml","title":"TYPO3-CORE-SA-2026-006: TYPO3 HTML Sanitizer allows Cross-Site Scripting","link":"https:\/\/typo3.org\/security\/advisory\/typo3-core-sa-2026-006","cve":"CVE-2026-47345","affectedVersions":"\u003C2.3.2","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-08 20:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-p5j5-4j3q-8mq8"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"typo3\/html-sanitizer\/CVE-2026-47345.yaml"}]},{"advisoryId":"PKSA-5mxx-9w1m-fqfb","packageName":"typo3\/html-sanitizer","remoteId":"typo3\/html-sanitizer\/CVE-2026-47344.yaml","title":"TYPO3-CORE-SA-2026-006: TYPO3 HTML Sanitizer allows Cross-Site Scripting","link":"https:\/\/typo3.org\/security\/advisory\/typo3-core-sa-2026-006","cve":"CVE-2026-47344","affectedVersions":"\u003C2.3.2","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-08 20:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-jvf5-rxvv-3mcg"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"typo3\/html-sanitizer\/CVE-2026-47344.yaml"}]}],"shopware\/shopware":[{"advisoryId":"PKSA-62rz-jzfj-ym5j","packageName":"shopware\/shopware","remoteId":"GHSA-3pcr-4982-548m","title":"Exposure of .env if project root is configured as web root in 
shopware\/production","link":"https:\/\/github.com\/advisories\/GHSA-3pcr-4982-548m","cve":null,"affectedVersions":"\u003C=6.3.5.2","source":"GitHub","reportedAt":"2021-04-13 15:13:37","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3pcr-4982-548m"}]}],"phpoffice\/phpspreadsheet":[{"advisoryId":"PKSA-x678-4z45-v3d5","packageName":"phpoffice\/phpspreadsheet","remoteId":"GHSA-87m4-826x-3crx","title":"PHPSpreadsheet has a patch bypass for CVE-2026-34084 ","link":"https:\/\/github.com\/advisories\/GHSA-87m4-826x-3crx","cve":"CVE-2026-45034","affectedVersions":"\u003C=1.30.4","source":"GitHub","reportedAt":"2026-06-08 23:00:14","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-87m4-826x-3crx"}]},{"advisoryId":"PKSA-v15t-c7gz-7kpt","packageName":"phpoffice\/phpspreadsheet","remoteId":"phpoffice\/phpspreadsheet\/CVE-2018-19277.yaml","title":"XXE Vulnerability","link":"https:\/\/github.com\/PHPOffice\/PhpSpreadsheet\/issues\/771","cve":"CVE-2018-19277","affectedVersions":"\u003C1.5.1","source":"FriendsOfPHP\/security-advisories","reportedAt":"2018-11-20 19:50:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xcrg-29h7-h4cj"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"phpoffice\/phpspreadsheet\/CVE-2018-19277.yaml"}]}],"poweradmin\/poweradmin":[{"advisoryId":"PKSA-8yh4-2h9f-995z","packageName":"poweradmin\/poweradmin","remoteId":"GHSA-3h6h-67x3-cv5x","title":"Poweradmin: CSV Injection in log export endpoints allows formula execution in spreadsheet applications","link":"https:\/\/github.com\/advisories\/GHSA-3h6h-67x3-cv5x","cve":"CVE-2026-47693","affectedVersions":"\u003E=4.3.0,\u003C4.3.3|\u003C4.2.4","source":"GitHub","reportedAt":"2026-06-08 
23:04:25","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3h6h-67x3-cv5x"}]}],"shopper\/framework":[{"advisoryId":"PKSA-jg8p-p13z-fkym","packageName":"shopper\/framework","remoteId":"GHSA-h4mp-g9c6-xwph","title":"Shopper: Missing authorization on Product admin Livewire sub-form components","link":"https:\/\/github.com\/advisories\/GHSA-h4mp-g9c6-xwph","cve":"CVE-2026-47742","affectedVersions":"\u003C2.8.0","source":"GitHub","reportedAt":"2026-06-05 20:33:47","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-h4mp-g9c6-xwph"}]},{"advisoryId":"PKSA-7v8h-262h-wzkz","packageName":"shopper\/framework","remoteId":"GHSA-fxqw-97cc-7g5c","title":"Shopper: Missing per-action authorization on PaymentMethods, Currencies and Carriers admin tables","link":"https:\/\/github.com\/advisories\/GHSA-fxqw-97cc-7g5c","cve":"CVE-2026-47745","affectedVersions":"\u003C2.8.0","source":"GitHub","reportedAt":"2026-06-05 20:34:31","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-fxqw-97cc-7g5c"}]},{"advisoryId":"PKSA-88dm-mp91-mkr8","packageName":"shopper\/framework","remoteId":"GHSA-hr9v-r8r2-hg7j","title":"Shopper: Multiple data integrity and disclosure issues in admin Livewire components","link":"https:\/\/github.com\/advisories\/GHSA-hr9v-r8r2-hg7j","cve":"CVE-2026-47743","affectedVersions":"\u003C2.8.0","source":"GitHub","reportedAt":"2026-06-05 20:35:14","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-hr9v-r8r2-hg7j"}]},{"advisoryId":"PKSA-5g52-7x8y-w2y1","packageName":"shopper\/framework","remoteId":"GHSA-c3qp-2ggw-xjg7","title":"Shopper: Authorization bypass and RBAC privilege escalation in team 
settings","link":"https:\/\/github.com\/advisories\/GHSA-c3qp-2ggw-xjg7","cve":"CVE-2026-47744","affectedVersions":"\u003C2.8.0","source":"GitHub","reportedAt":"2026-06-05 20:35:51","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-c3qp-2ggw-xjg7"}]},{"advisoryId":"PKSA-vtqh-k648-prz7","packageName":"shopper\/framework","remoteId":"GHSA-f946-9qp6-vgch","title":"shopper\/framework: Authorization bypass in multiple Livewire admin components","link":"https:\/\/github.com\/advisories\/GHSA-f946-9qp6-vgch","cve":"CVE-2026-47740","affectedVersions":"\u003C2.8.0","source":"GitHub","reportedAt":"2026-05-18 16:34:23","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-f946-9qp6-vgch"}]}],"tinymce\/tinymce":[{"advisoryId":"PKSA-rf1b-835f-6yyv","packageName":"tinymce\/tinymce","remoteId":"GHSA-q742-qvgc-gc2f","title":"TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes","link":"https:\/\/github.com\/advisories\/GHSA-q742-qvgc-gc2f","cve":"CVE-2026-47759","affectedVersions":"\u003E=8.0.0,\u003C8.5.1|\u003E=6.0.0,\u003C7.9.3|\u003C5.11.1","source":"GitHub","reportedAt":"2026-06-05 20:27:50","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-q742-qvgc-gc2f"}]},{"advisoryId":"PKSA-2v47-9p8y-4qt3","packageName":"tinymce\/tinymce","remoteId":"GHSA-v98h-vmpc-fpqv","title":"TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments","link":"https:\/\/github.com\/advisories\/GHSA-v98h-vmpc-fpqv","cve":"CVE-2026-47762","affectedVersions":"\u003E=8.0.0,\u003C8.5.1|\u003E=6.0.0,\u003C7.9.3|\u003C5.11.1","source":"GitHub","reportedAt":"2026-06-05 
20:29:07","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-v98h-vmpc-fpqv"}]},{"advisoryId":"PKSA-k4d6-bt7k-7ddp","packageName":"tinymce\/tinymce","remoteId":"GHSA-vg35-5wq7-3x7w","title":"TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection","link":"https:\/\/github.com\/advisories\/GHSA-vg35-5wq7-3x7w","cve":"CVE-2026-47761","affectedVersions":"\u003E=8.0.0,\u003C8.5.1|\u003E=6.0.0,\u003C7.9.3|\u003C5.11.1","source":"GitHub","reportedAt":"2026-06-05 20:29:43","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-vg35-5wq7-3x7w"}]},{"advisoryId":"PKSA-fp8q-vmhs-msy9","packageName":"tinymce\/tinymce","remoteId":"GHSA-mh5m-5hw4-5c69","title":"TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs","link":"https:\/\/github.com\/advisories\/GHSA-mh5m-5hw4-5c69","cve":"CVE-2026-47760","affectedVersions":"\u003E=6.8.0,\u003C7.1.0","source":"GitHub","reportedAt":"2026-06-05 20:09:38","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-mh5m-5hw4-5c69"}]}],"billabear\/billabear":[{"advisoryId":"PKSA-tks4-h5gc-8mrj","packageName":"billabear\/billabear","remoteId":"GHSA-xp6r-8pcc-xv5p","title":"BillaBear is Vulnerable to SQL Injection in the EventRepository","link":"https:\/\/github.com\/advisories\/GHSA-xp6r-8pcc-xv5p","cve":"CVE-2026-31069","affectedVersions":"\u003C=2025.01.03","source":"GitHub","reportedAt":"2026-05-19 18:32:11","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xp6r-8pcc-xv5p"}]}],"shopware\/core":[{"advisoryId":"PKSA-yt77-qm1k-2vvb","packageName":"shopware\/core","remoteId":"GHSA-7w52-7jvm-m9vw","title":"Shopware: Timing-attack on admin panel allowing enumeration of administrator 
usernames","link":"https:\/\/github.com\/advisories\/GHSA-7w52-7jvm-m9vw","cve":"CVE-2026-48011","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:31:17","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-7w52-7jvm-m9vw"}]},{"advisoryId":"PKSA-xknd-fd7t-crfc","packageName":"shopware\/core","remoteId":"GHSA-4x3x-869w-xx3m","title":"Shopware SSO referer trust leading to an arbitrary redirect target","link":"https:\/\/github.com\/advisories\/GHSA-4x3x-869w-xx3m","cve":"CVE-2026-48012","affectedVersions":"\u003E=6.7.3.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:32:35","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4x3x-869w-xx3m"}]},{"advisoryId":"PKSA-rnpb-7fbj-phyz","packageName":"shopware\/core","remoteId":"GHSA-f8q6-3g5w-jjr6","title":"Shopware: Admin API ACL Bypass in Order State Transition Endpoints","link":"https:\/\/github.com\/advisories\/GHSA-f8q6-3g5w-jjr6","cve":"CVE-2026-48014","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:33:02","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f8q6-3g5w-jjr6"}]},{"advisoryId":"PKSA-y5sy-w7mt-r97k","packageName":"shopware\/core","remoteId":"GHSA-9v5m-39wh-5chq","title":"Shopware: Unauthorized Payment Trigger for Foreign Orders via \/store-api\/handle-payment","link":"https:\/\/github.com\/advisories\/GHSA-9v5m-39wh-5chq","cve":"CVE-2026-48016","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 
19:33:54","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-9v5m-39wh-5chq"}]},{"advisoryId":"PKSA-qf56-zbmm-29m8","packageName":"shopware\/core","remoteId":"GHSA-xvhc-gm7j-mhmc","title":"Shopware: Stored XSS via SVG file upload \u2014 no SVG sanitization","link":"https:\/\/github.com\/advisories\/GHSA-xvhc-gm7j-mhmc","cve":"CVE-2026-48015","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:35:26","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-xvhc-gm7j-mhmc"}]},{"advisoryId":"PKSA-9x83-17hb-ky3t","packageName":"shopware\/core","remoteId":"GHSA-gq96-5pfx-f4vc","title":"Shopware: SSRF in Media External-Link Endpoint Bypasses IP Validation","link":"https:\/\/github.com\/advisories\/GHSA-gq96-5pfx-f4vc","cve":"CVE-2026-48013","affectedVersions":"\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:36:07","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gq96-5pfx-f4vc"}]},{"advisoryId":"PKSA-zymb-qg2c-csgb","packageName":"shopware\/core","remoteId":"GHSA-gv8p-48fr-4fxg","title":"Shopware: Privilege Escalation via Sync API Integration Admin Flag Bypass","link":"https:\/\/github.com\/advisories\/GHSA-gv8p-48fr-4fxg","cve":"CVE-2026-48008","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:23:33","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gv8p-48fr-4fxg"}]},{"advisoryId":"PKSA-946b-qy3w-67d7","packageName":"shopware\/core","remoteId":"GHSA-8v9p-g828-v98f","title":"Shopware: Admin Account Takeover via User Recovery Hash 
Exposure","link":"https:\/\/github.com\/advisories\/GHSA-8v9p-g828-v98f","cve":"CVE-2026-48009","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:27:15","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-8v9p-g828-v98f"}]},{"advisoryId":"PKSA-fstf-sh35-tmx7","packageName":"shopware\/core","remoteId":"GHSA-v39m-97p8-gqg7","title":"Shopware: Privilege escalation: non-admin user with user:create ACL can create admin accounts","link":"https:\/\/github.com\/advisories\/GHSA-v39m-97p8-gqg7","cve":"CVE-2026-48010","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:28:29","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-v39m-97p8-gqg7"}]}],"shopware\/platform":[{"advisoryId":"PKSA-xwkj-rryn-xz6v","packageName":"shopware\/platform","remoteId":"GHSA-7w52-7jvm-m9vw","title":"Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames","link":"https:\/\/github.com\/advisories\/GHSA-7w52-7jvm-m9vw","cve":"CVE-2026-48011","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:31:17","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-7w52-7jvm-m9vw"}]},{"advisoryId":"PKSA-54rn-sm9v-17vx","packageName":"shopware\/platform","remoteId":"GHSA-4x3x-869w-xx3m","title":"Shopware SSO referer trust leading to an arbitrary redirect target","link":"https:\/\/github.com\/advisories\/GHSA-4x3x-869w-xx3m","cve":"CVE-2026-48012","affectedVersions":"\u003E=6.7.3.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 
19:32:35","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4x3x-869w-xx3m"}]},{"advisoryId":"PKSA-1xdm-446c-t7rz","packageName":"shopware\/platform","remoteId":"GHSA-f8q6-3g5w-jjr6","title":"Shopware: Admin API ACL Bypass in Order State Transition Endpoints","link":"https:\/\/github.com\/advisories\/GHSA-f8q6-3g5w-jjr6","cve":"CVE-2026-48014","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:33:02","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f8q6-3g5w-jjr6"}]},{"advisoryId":"PKSA-6c8x-wdsy-zx17","packageName":"shopware\/platform","remoteId":"GHSA-9v5m-39wh-5chq","title":"Shopware: Unauthorized Payment Trigger for Foreign Orders via \/store-api\/handle-payment","link":"https:\/\/github.com\/advisories\/GHSA-9v5m-39wh-5chq","cve":"CVE-2026-48016","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:33:54","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-9v5m-39wh-5chq"}]},{"advisoryId":"PKSA-xngt-2zh8-qhq6","packageName":"shopware\/platform","remoteId":"GHSA-xvhc-gm7j-mhmc","title":"Shopware: Stored XSS via SVG file upload \u2014 no SVG sanitization","link":"https:\/\/github.com\/advisories\/GHSA-xvhc-gm7j-mhmc","cve":"CVE-2026-48015","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:35:26","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-xvhc-gm7j-mhmc"}]},{"advisoryId":"PKSA-yg4m-g48j-bdvp","packageName":"shopware\/platform","remoteId":"GHSA-gq96-5pfx-f4vc","title":"Shopware: SSRF in Media External-Link Endpoint Bypasses IP 
Validation","link":"https:\/\/github.com\/advisories\/GHSA-gq96-5pfx-f4vc","cve":"CVE-2026-48013","affectedVersions":"\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:36:07","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gq96-5pfx-f4vc"}]},{"advisoryId":"PKSA-b8bq-4ngt-d89p","packageName":"shopware\/platform","remoteId":"GHSA-gv8p-48fr-4fxg","title":"Shopware: Privilege Escalation via Sync API Integration Admin Flag Bypass","link":"https:\/\/github.com\/advisories\/GHSA-gv8p-48fr-4fxg","cve":"CVE-2026-48008","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:23:33","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gv8p-48fr-4fxg"}]},{"advisoryId":"PKSA-tk1x-h875-8y1s","packageName":"shopware\/platform","remoteId":"GHSA-8v9p-g828-v98f","title":"Shopware: Admin Account Takeover via User Recovery Hash Exposure","link":"https:\/\/github.com\/advisories\/GHSA-8v9p-g828-v98f","cve":"CVE-2026-48009","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:27:15","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-8v9p-g828-v98f"}]},{"advisoryId":"PKSA-xbrd-fvys-3t24","packageName":"shopware\/platform","remoteId":"GHSA-v39m-97p8-gqg7","title":"Shopware: Privilege escalation: non-admin user with user:create ACL can create admin accounts","link":"https:\/\/github.com\/advisories\/GHSA-v39m-97p8-gqg7","cve":"CVE-2026-48010","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 
19:28:29","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-v39m-97p8-gqg7"}]}],"easycorp\/easyadmin-bundle":[{"advisoryId":"PKSA-8yhb-cz5n-f41h","packageName":"easycorp\/easyadmin-bundle","remoteId":"easycorp\/easyadmin-bundle\/GHSA-8559-gwj3-q37r.yaml","title":"Stored Cross-Site Scripting (XSS) via uploaded files served inline in FileField and ImageField","link":"https:\/\/github.com\/EasyCorp\/EasyAdminBundle\/security\/advisories\/GHSA-8559-gwj3-q37r","cve":null,"affectedVersions":"\u003E=5.0.0,\u003C5.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-04 06:43:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"easycorp\/easyadmin-bundle\/GHSA-8559-gwj3-q37r.yaml"}]},{"advisoryId":"PKSA-z6tn-c4hk-yb9y","packageName":"easycorp\/easyadmin-bundle","remoteId":"easycorp\/easyadmin-bundle\/GHSA-2wwr-9x6f-88gp.yaml","title":"Path traversal and reflected XSS in Flag and Icon Twig components","link":"https:\/\/github.com\/EasyCorp\/EasyAdminBundle\/security\/advisories\/GHSA-2wwr-9x6f-88gp","cve":null,"affectedVersions":"\u003E=4.0.0,\u003C4.29.10|\u003E=5.0.0,\u003C5.0.10","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-28 18:30:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"easycorp\/easyadmin-bundle\/GHSA-2wwr-9x6f-88gp.yaml"}]}],"froxlor\/froxlor":[{"advisoryId":"PKSA-bhjh-v6gp-f43f","packageName":"froxlor\/froxlor","remoteId":"GHSA-f9rx-7wf7-jr36","title":"Froxlor\u0027s API Authentication bypasses 2FA Authentication","link":"https:\/\/github.com\/advisories\/GHSA-f9rx-7wf7-jr36","cve":"CVE-2026-52793","affectedVersions":"\u003C2.3.7","source":"GitHub","reportedAt":"2026-06-03 
21:41:12","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-f9rx-7wf7-jr36"}]},{"advisoryId":"PKSA-jryy-96vk-jczz","packageName":"froxlor\/froxlor","remoteId":"GHSA-37m5-m4q3-fc6x","title":"Froxlor: BIND Zone File Injection via TXT Record Content","link":"https:\/\/github.com\/advisories\/GHSA-37m5-m4q3-fc6x","cve":"CVE-2026-41234","affectedVersions":"\u003C=2.3.6","source":"GitHub","reportedAt":"2026-06-03 21:02:12","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-37m5-m4q3-fc6x"}]},{"advisoryId":"PKSA-sn72-k1q6-w5r5","packageName":"froxlor\/froxlor","remoteId":"GHSA-j6fm-9rfm-j5hx","title":"Froxlor has an incomplete fix for CVE-2026-30932","link":"https:\/\/github.com\/advisories\/GHSA-j6fm-9rfm-j5hx","cve":"CVE-2026-41237","affectedVersions":"\u003C=2.3.6","source":"GitHub","reportedAt":"2026-05-29 15:45:31","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-j6fm-9rfm-j5hx"}]}],"backpack\/crud":[{"advisoryId":"PKSA-8yrj-8khf-srxh","packageName":"backpack\/crud","remoteId":"GHSA-m8xx-3x29-84h8","title":"backpack\/crud is vulnerable to Cross-Site Scripting (XSS)","link":"https:\/\/github.com\/advisories\/GHSA-m8xx-3x29-84h8","cve":"CVE-2022-31114","affectedVersions":"\u003C4.0.63|\u003E=4.1.0,\u003C4.1.69|\u003E=5.0.0,\u003C5.0.13","source":"GitHub","reportedAt":"2026-06-03 20:25:50","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-m8xx-3x29-84h8"}]}],"illuminate\/mail":[{"advisoryId":"PKSA-zwc5-qtrz-zm1n","packageName":"illuminate\/mail","remoteId":"illuminate\/mail\/CVE-2026-48019.yaml","title":"Laravel CRLF injection in default email 
rule","link":"https:\/\/github.com\/laravel\/framework\/security\/advisories\/GHSA-5vg9-5847-vvmq","cve":"CVE-2026-48019","affectedVersions":"\u003E=9.0.0,\u003C10.0.0|\u003E=10.0.0,\u003C11.0.0|\u003E=11.0.0,\u003C12.0.0|\u003E=12.0.0,\u003C12.60.0|\u003E=13.0.0,\u003C13.10.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-19 18:13:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"illuminate\/mail\/CVE-2026-48019.yaml"}]}],"symfony\/ux-live-component":[{"advisoryId":"PKSA-kwkg-rq7h-gh18","packageName":"symfony\/ux-live-component","remoteId":"symfony\/ux-live-component\/CVE-2026-49208.yaml","title":"symfony\/ux-live-component Format-less date LiveProps parsed with the permissive DateTime constructor","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-89g7-22c8-3j23","cve":"CVE-2026-49208","affectedVersions":"\u003E=2.8.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-89g7-22c8-3j23"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-live-component\/CVE-2026-49208.yaml"}]},{"advisoryId":"PKSA-tv34-cfvx-rr9r","packageName":"symfony\/ux-live-component","remoteId":"symfony\/ux-live-component\/CVE-2026-49209.yaml","title":"symfony\/ux-live-component Denial of service via unbounded batch action requests","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-mm82-c99c-h2cf","cve":"CVE-2026-49209","affectedVersions":"\u003E=2.5.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 
08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-mm82-c99c-h2cf"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-live-component\/CVE-2026-49209.yaml"}]},{"advisoryId":"PKSA-ks3q-z9y3-61pz","packageName":"symfony\/ux-live-component","remoteId":"symfony\/ux-live-component\/CVE-2026-49215.yaml","title":"symfony\/ux-live-component CSRF Protection Bypass: Accept Header is CORS-Safelisted","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-4m4j-hmqq-3gxm","cve":"CVE-2026-49215","affectedVersions":"\u003E=2.22.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-4m4j-hmqq-3gxm"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-live-component\/CVE-2026-49215.yaml"}]},{"advisoryId":"PKSA-87hx-5gp4-x12b","packageName":"symfony\/ux-live-component","remoteId":"symfony\/ux-live-component\/CVE-2026-49210.yaml","title":"symfony\/ux-live-component XSS via attacker-controlled child component tag","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-38x5-rcv4-xf7x","cve":"CVE-2026-49210","affectedVersions":"\u003E=2.8.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-38x5-rcv4-xf7x"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-live-component\/CVE-2026-49210.yaml"}]},{"advisoryId":"PKSA-wxdb-kw41-yhdy","packageName":"symfony\/ux-live-component","remoteId":"symfony\/ux-live-component\/CVE-2026-49212.yaml","title":"symfony\/ux-live-component LiveComponentHydrator HMAC checksum lacks component and slot 
binding","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-34w5-c283-j9fg","cve":"CVE-2026-49212","affectedVersions":"\u003E=2.8.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-34w5-c283-j9fg"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-live-component\/CVE-2026-49212.yaml"}]}],"symfony\/ux-autocomplete":[{"advisoryId":"PKSA-q7f1-2s55-5c1z","packageName":"symfony\/ux-autocomplete","remoteId":"symfony\/ux-autocomplete\/CVE-2026-49216.yaml","title":"symfony\/ux-autocomplete XSS via unescaped AJAX response data","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-mwqm-4fw3-cjvr","cve":"CVE-2026-49216","affectedVersions":"\u003E=2.2.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-mwqm-4fw3-cjvr"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-autocomplete\/CVE-2026-49216.yaml"}]},{"advisoryId":"PKSA-msh7-gxqk-k56q","packageName":"symfony\/ux-autocomplete","remoteId":"symfony\/ux-autocomplete\/CVE-2026-49211.yaml","title":"symfony\/ux-autocomplete Information exposure via unescaped LIKE wildcards in EntitySearchUtil","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-946h-jp5c-8fvh","cve":"CVE-2026-49211","affectedVersions":"\u003E=2.2.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 
08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-946h-jp5c-8fvh"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-autocomplete\/CVE-2026-49211.yaml"}]}],"symfony\/mailomat-mailer":[{"advisoryId":"PKSA-9y9v-rcsm-h82j","packageName":"symfony\/mailomat-mailer","remoteId":"symfony\/mailomat-mailer\/CVE-2026-48747.yaml","title":"CVE-2026-48747: Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade","link":"https:\/\/symfony.com\/cve-2026-48747","cve":"CVE-2026-48747","affectedVersions":"\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-rrj9-5q2j-4gvr"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/mailomat-mailer\/CVE-2026-48747.yaml"}]}],"symfony\/http-foundation":[{"advisoryId":"PKSA-y6py-qpv1-h52p","packageName":"symfony\/http-foundation","remoteId":"symfony\/http-foundation\/CVE-2026-48736.yaml","title":"CVE-2026-48736: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient","link":"https:\/\/symfony.com\/cve-2026-48736","cve":"CVE-2026-48736","affectedVersions":"\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 
08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-38cx-cq6f-5755"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/http-foundation\/CVE-2026-48736.yaml"}]}],"symfony\/security-http":[{"advisoryId":"PKSA-c28x-6bj5-8spx","packageName":"symfony\/security-http","remoteId":"symfony\/security-http\/CVE-2026-48489.yaml","title":"CVE-2026-48489: Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET Routes","link":"https:\/\/symfony.com\/cve-2026-48489","cve":"CVE-2026-48489","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.53|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-6h46-9jf5-q59x"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/security-http\/CVE-2026-48489.yaml"}]}],"symfony\/http-client":[{"advisoryId":"PKSA-35by-yxtt-jc85","packageName":"symfony\/http-client","remoteId":"symfony\/http-client\/CVE-2026-48736.yaml","title":"CVE-2026-48736: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient","link":"https:\/\/symfony.com\/cve-2026-48736","cve":"CVE-2026-48736","affectedVersions":"\u003E=5.4.0,\u003C5.4.53","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 
08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-38cx-cq6f-5755"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/http-client\/CVE-2026-48736.yaml"}]}],"symfony\/routing":[{"advisoryId":"PKSA-bf7t-jnpz-492k","packageName":"symfony\/routing","remoteId":"symfony\/routing\/CVE-2026-48784.yaml","title":"CVE-2026-48784: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `..\/` or `.\/` \u2192 Generated URL Collapses Off-Route Under RFC 3986 Normalization","link":"https:\/\/symfony.com\/cve-2026-48784","cve":"CVE-2026-48784","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.53|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-h5x3-xfc9-m39h"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/routing\/CVE-2026-48784.yaml"}]}],"symfony\/html-sanitizer":[{"advisoryId":"PKSA-3d8r-4bff-vcj1","packageName":"symfony\/html-sanitizer","remoteId":"symfony\/html-sanitizer\/CVE-2026-48761.yaml","title":"CVE-2026-48761: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes on \u003Cobject\u003E, \u003Capplet\u003E, \u003Ciframe\u003E, \u003Cimg\u003E and the URL Inside \u003Cmeta http-equiv=\u0022refresh\u0022\u003E 
content","link":"https:\/\/symfony.com\/cve-2026-48761","cve":"CVE-2026-48761","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-x5qj-865h-mgvm"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/html-sanitizer\/CVE-2026-48761.yaml"}]},{"advisoryId":"PKSA-bvdf-tk8n-sbsf","packageName":"symfony\/html-sanitizer","remoteId":"symfony\/html-sanitizer\/CVE-2026-48760.yaml","title":"CVE-2026-48760: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense","link":"https:\/\/symfony.com\/cve-2026-48760","cve":"CVE-2026-48760","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-v3wm-qf9p-c549"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/html-sanitizer\/CVE-2026-48760.yaml"}]}],"spatie\/schema-org":[{"advisoryId":"PKSA-6mmh-w4kg-c2xp","packageName":"spatie\/schema-org","remoteId":"spatie\/schema-org\/2026-04-20.yaml","title":"Cross-site scripting (XSS) via script break-out in toScript() 
output","link":"https:\/\/github.com\/spatie\/schema-org\/releases\/tag\/4.0.2","cve":null,"affectedVersions":"\u003E=3.23.1,\u003C3.23.2|\u003E=4.0.0,\u003C4.0.2","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-04-20 00:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"spatie\/schema-org\/2026-04-20.yaml"}]}],"tpwd\/ke_search":[{"advisoryId":"PKSA-cy57-p12b-t759","packageName":"tpwd\/ke_search","remoteId":"tpwd\/ke_search\/CVE-2026-46722.yaml","title":"TYPO3-EXT-SA-2026-011: XML External Entity Injection in extension \u0022Faceted Search\u0022 (ke_search)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2026-011","cve":"CVE-2026-46722","affectedVersions":"\u003E=7.0.0,\u003C7.0.1|\u003E=6.0.0,\u003C6.6.1|\u003E=5.0.0,\u003C5.6.2|\u003C4.6.7","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-18 14:30:45","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"tpwd\/ke_search\/CVE-2026-46722.yaml"}]},{"advisoryId":"PKSA-ybqg-nm5d-my8d","packageName":"tpwd\/ke_search","remoteId":"tpwd\/ke_search\/CVE-2026-46724.yaml","title":"TYPO3-EXT-SA-2026-011: Path Traversal in extension \u0022Faceted Search\u0022 (ke_search)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2026-011","cve":"CVE-2026-46724","affectedVersions":"\u003E=7.0.0,\u003C7.0.1|\u003E=6.0.0,\u003C6.6.1|\u003E=5.0.0,\u003C5.6.2|\u003C4.6.7","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-18 14:30:45","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"tpwd\/ke_search\/CVE-2026-46724.yaml"}]}],"georgringer\/news":[{"advisoryId":"PKSA-grgc-xpj3-tvw1","packageName":"georgringer\/news","remoteId":"georgringer\/news\/CVE-2026-8726.yaml","title":"SQL Injection in extension \u0022News system\u0022 
(news)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2026-010","cve":"CVE-2026-8726","affectedVersions":"\u003C10.0.4|\u003E=11.0.0,\u003C11.4.4|\u003E=12.0.0,\u003C12.3.2|\u003E=13.0.0,\u003C13.0.2|\u003E=14.0.0,\u003C14.0.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-19 12:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"georgringer\/news\/CVE-2026-8726.yaml"},{"name":"GitHub","remoteId":"GHSA-g868-j3qm-4j28"}]}],"twig\/twig":[{"advisoryId":"PKSA-wwb1-81rc-pd65","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-47730.yaml","title":"XSS in profiler HtmlDumper via unescaped template and profile names","link":"https:\/\/symfony.com\/cve-2026-47730","cve":"CVE-2026-47730","affectedVersions":"\u003E=3.0.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-2g2g-8p8h-fgwm"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-47730.yaml"}]},{"advisoryId":"PKSA-gw7n-z4yx-7xjt","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-24425.yaml","title":"Possible sandbox bypass when using a source policy","link":"https:\/\/symfony.com\/cve-2026-24425","cve":"CVE-2026-24425","affectedVersions":"\u003E=2.16.0,\u003C3.0.0|\u003E=3.9.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-2q52-x2ff-qgfr"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-24425.yaml"}]},{"advisoryId":"PKSA-dpx1-78wg-1kqs","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-47732.yaml","title":"Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion 
points","link":"https:\/\/symfony.com\/cve-2026-47732","cve":"CVE-2026-47732","affectedVersions":"\u003E=1.0.0,\u003C2.0.0|\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pr2w-4gpj-cpq4"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-47732.yaml"}]}],"shopper\/cart":[{"advisoryId":"PKSA-92pp-1wvt-fk91","packageName":"shopper\/cart","remoteId":"GHSA-9rh9-hf3w-9fgg","title":"shopper\/framework: Race condition on Discount.usage_limit allows silent over-redemption","link":"https:\/\/github.com\/advisories\/GHSA-9rh9-hf3w-9fgg","cve":"CVE-2026-47741","affectedVersions":"\u003C2.8.0","source":"GitHub","reportedAt":"2026-05-18 16:37:20","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-9rh9-hf3w-9fgg"}]}],"ipl\/web":[{"advisoryId":"PKSA-k319-99m7-bjxd","packageName":"ipl\/web","remoteId":"GHSA-55wf-5m3q-6jjf","title":"ipl\/web is vulnerable to reflected XSS by malformed search requests","link":"https:\/\/github.com\/advisories\/GHSA-55wf-5m3q-6jjf","cve":"CVE-2026-42224","affectedVersions":"\u003C=0.10.2|\u003E=0.11.0,\u003C=0.13.0","source":"GitHub","reportedAt":"2026-04-29 21:01:55","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-55wf-5m3q-6jjf"}]}],"macropay-solutions\/laravel-crud-wizard-free":[{"advisoryId":"PKSA-2qkb-kmvg-dvr2","packageName":"macropay-solutions\/laravel-crud-wizard-free","remoteId":"GHSA-3wgq-h4fr-cwg5","title":"laravel-crud-wizard-free has File Validation Bypass ","link":"https:\/\/github.com\/advisories\/GHSA-3wgq-h4fr-cwg5","cve":null,"affectedVersions":"\u003C3.4.17","source":"GitHub","reportedAt":"2025-03-12 
15:56:23","composerRepository":null,"severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3wgq-h4fr-cwg5"}]}],"guzzlehttp\/oauth-subscriber":[{"advisoryId":"PKSA-pg71-gz29-h5sq","packageName":"guzzlehttp\/oauth-subscriber","remoteId":"guzzlehttp\/oauth-subscriber\/CVE-2025-21617.yaml","title":"Insufficient nonce entropy","link":"https:\/\/github.com\/guzzle\/oauth-subscriber\/security\/advisories\/GHSA-237r-r8m4-4q88","cve":"CVE-2025-21617","affectedVersions":"\u003C0.8.1","source":"FriendsOfPHP\/security-advisories","reportedAt":"2025-01-06 19:15:59","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-237r-r8m4-4q88"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"guzzlehttp\/oauth-subscriber\/CVE-2025-21617.yaml"}]}],"knplabs\/knp-snappy":[{"advisoryId":"PKSA-cd3f-fj3y-g547","packageName":"knplabs\/knp-snappy","remoteId":"knplabs\/knp-snappy\/CVE-2023-41330.yaml","title":"Snappy PHAR deserialization vulnerability","link":"https:\/\/github.com\/advisories\/GHSA-92rv-4j2h-8mjj","cve":"CVE-2023-41330","affectedVersions":"\u003C1.4.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2023-09-06 15:24:48","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-92rv-4j2h-8mjj"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"knplabs\/knp-snappy\/CVE-2023-41330.yaml"}]}],"matyhtf\/framework":[{"advisoryId":"PKSA-vwwh-km91-p9cn","packageName":"matyhtf\/framework","remoteId":"matyhtf\/framework\/CVE-2021-43676.yaml","title":"Path manipulation","link":"https:\/\/github.com\/advisories\/GHSA-mh9j-v6mq-pfch","cve":"CVE-2021-43676","affectedVersions":"\u003C3.0.6","source":"FriendsOfPHP\/security-advisories","reportedAt":"2022-03-17 
16:15:10","composerRepository":null,"severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-mh9j-v6mq-pfch"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"matyhtf\/framework\/CVE-2021-43676.yaml"}]}],"friendsoftypo3\/mediace":[{"advisoryId":"PKSA-h7r9-7xjm-kxrb","packageName":"friendsoftypo3\/mediace","remoteId":"friendsoftypo3\/mediace\/CVE-2020-15086.yaml","title":"Sensitive Information Disclosure in extension \u0022Media Content Element\u0022 (mediace)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2020-014","cve":"CVE-2020-15086","affectedVersions":"\u003E=7.6.2,\u003C7.6.5","source":"FriendsOfPHP\/security-advisories","reportedAt":"2020-07-16 07:31:32","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"friendsoftypo3\/mediace\/CVE-2020-15086.yaml"},{"name":"GitHub","remoteId":"GHSA-4h44-w6fm-548g"}]}],"smarty\/smarty":[{"advisoryId":"PKSA-wc9h-gs49-76tm","packageName":"smarty\/smarty","remoteId":"smarty\/smarty\/CVE-2021-26119.yaml","title":"template_object Sandbox Escape PHP Code Injection","link":"https:\/\/srcincite.io\/blog\/2021\/02\/18\/smarty-template-engine-multiple-sandbox-escape-vulnerabilities.html","cve":"CVE-2021-26119","affectedVersions":"\u003C3.1.39","source":"FriendsOfPHP\/security-advisories","reportedAt":"2021-01-24 22:13:26","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-w5hr-jm4j-9jvq"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"smarty\/smarty\/CVE-2021-26119.yaml"}]},{"advisoryId":"PKSA-t4kv-1sv2-1mzx","packageName":"smarty\/smarty","remoteId":"smarty\/smarty\/CVE-2021-26120.yaml","title":"Smarty_Internal_Runtime_TplFunction Sandbox Escape PHP Code 
Injection","link":"https:\/\/srcincite.io\/blog\/2021\/02\/18\/smarty-template-engine-multiple-sandbox-escape-vulnerabilities.html","cve":"CVE-2021-26120","affectedVersions":"\u003C3.1.39","source":"FriendsOfPHP\/security-advisories","reportedAt":"2021-01-24 22:44:07","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-3rpf-5rqv-689q"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"smarty\/smarty\/CVE-2021-26120.yaml"}]}],"cartalyst\/sentry":[{"advisoryId":"PKSA-p714-559s-qh89","packageName":"cartalyst\/sentry","remoteId":"cartalyst\/sentry\/2016-09-05.yaml","title":"Null reset codes were allowed","link":"https:\/\/haxx.ml\/post\/149975211631\/how-i-hacked-your-cfp-and-probably-some-other","cve":null,"affectedVersions":"\u003C2.1.7","source":"FriendsOfPHP\/security-advisories","reportedAt":"2016-09-05 00:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"cartalyst\/sentry\/2016-09-05.yaml"},{"name":"GitHub","remoteId":"GHSA-2m5g-8xpw-42vp"}]}],"doctrine\/doctrine-module":[{"advisoryId":"PKSA-hmqc-47pt-5r54","packageName":"doctrine\/doctrine-module","remoteId":"doctrine\/doctrine-module\/2013-05-16.yaml","title":"Authentication Vulnerability - possible attempt to login via zero-valued password credential","link":"https:\/\/github.com\/doctrine\/DoctrineModule\/issues\/249","cve":null,"affectedVersions":"\u003C0.7.2|\u003C0.7.2","source":"FriendsOfPHP\/security-advisories","reportedAt":"2013-05-16 00:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"doctrine\/doctrine-module\/2013-05-16.yaml"},{"name":"GitHub","remoteId":"GHSA-9wv8-3h8h-x2wc"}]}],"propel\/propel":[{"advisoryId":"PKSA-7tyg-2kv3-kq8f","packageName":"propel\/propel","remoteId":"propel\/propel\/2018-02-14.yaml","title":"SQL injection possible with limit() on 
MySQL","link":"https:\/\/github.com\/propelorm\/Propel2\/issues\/1463","cve":null,"affectedVersions":"\u003E=2.0.0-alpha1,\u003C2.0.0-alpha8","source":"FriendsOfPHP\/security-advisories","reportedAt":"2018-02-14 00:00:00","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-7vw7-qx38-37vr"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"propel\/propel\/2018-02-14.yaml"}]}],"propel\/propel1":[{"advisoryId":"PKSA-8rvz-ck9f-yjrd","packageName":"propel\/propel1","remoteId":"propel\/propel1\/2018-02-14.yaml","title":"SQL injection possible with limit() on MySQL","link":"https:\/\/github.com\/propelorm\/Propel\/issues\/1052","cve":null,"affectedVersions":"\u003E=1,\u003C1.7.2","source":"FriendsOfPHP\/security-advisories","reportedAt":"2018-02-14 00:00:00","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-7g7c-qhf3-x59p"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"propel\/propel1\/2018-02-14.yaml"}]}],"codeigniter\/framework":[{"advisoryId":"PKSA-9441-xhqz-8m7y","packageName":"codeigniter\/framework","remoteId":"codeigniter\/framework\/2016-07-26-1.yaml","title":"Critical SQL injection bug in the ODBC database driver","link":"https:\/\/forum.codeigniter.com\/thread-65803.html","cve":null,"affectedVersions":"\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2016-07-26 00:00:00","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"codeigniter\/framework\/2016-07-26-1.yaml"},{"name":"GitHub","remoteId":"GHSA-27qr-636m-wxg2"}]}],"silverstripe\/forum":[{"advisoryId":"PKSA-schn-2b2h-yczz","packageName":"silverstripe\/forum","remoteId":"silverstripe\/forum\/SS-2015-017-1.yaml","title":"SS-2015-017: Forum Module CSRF 
Vulnerability","link":"https:\/\/www.silverstripe.org\/software\/download\/security-releases\/ss-2015-017\/","cve":null,"affectedVersions":"\u003C0.6.2|\u003E=0.7.0,\u003C0.7.4","source":"FriendsOfPHP\/security-advisories","reportedAt":"2015-09-14 10:38:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-w8fq-xgvh-cxc2"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/forum\/SS-2015-017-1.yaml"}]}],"gree\/jose":[{"advisoryId":"PKSA-2q89-6yb3-gktz","packageName":"gree\/jose","remoteId":"gree\/jose\/2016-08-30.yaml","title":"Critical vulnerabilities in JSON Web Token libraries","link":"https:\/\/auth0.com\/blog\/critical-vulnerabilities-in-json-web-token-libraries\/","cve":null,"affectedVersions":"\u003C2.2.1","source":"FriendsOfPHP\/security-advisories","reportedAt":"2016-08-30 00:00:00","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-9gxv-x7rp-r2hc"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"gree\/jose\/2016-08-30.yaml"}]}],"cart2quote\/module-quotation":[{"advisoryId":"PKSA-wnmd-jkgg-b2hj","packageName":"cart2quote\/module-quotation","remoteId":"cart2quote\/module-quotation\/2017-02-01.yaml","title":"Remote Code Execution in Qquoteadv\/controllers\/DownloadController.php","link":"https:\/\/cart2quote.zendesk.com\/hc\/en-us\/articles\/115000616303--FIXED-Security-Vulnerability-in-downloadCustomOptionAction","cve":null,"affectedVersions":"\u003E=4.1.6,\u003C4.4.6|\u003E=5.0.0,\u003C5.4.4","source":"FriendsOfPHP\/security-advisories","reportedAt":"2017-02-01 00:00:00","composerRepository":null,"severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"cart2quote\/module-quotation\/2017-02-01.yaml"}]}],"composer\/composer":[{"advisoryId":"PKSA-qx8p-c3v3-6yfg","packageName":"composer\/composer","remoteId":"composer\/composer\/CVE-2015-8371.yaml","title":"Composer Cache Injection 
vulnerability","link":"http:\/\/flyingmana.de\/blog_en\/2016\/02\/14\/composer_cache_injection_vulnerability_cve_2015_8371.html","cve":"CVE-2015-8371","affectedVersions":"\u003C1.0.0-beta1","source":"FriendsOfPHP\/security-advisories","reportedAt":"2016-02-10 14:51:23","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"composer\/composer\/CVE-2015-8371.yaml"},{"name":"GitHub","remoteId":"GHSA-725m-w832-q973"}]}]}}