{"advisories":{"shopper\/framework":[{"advisoryId":"PKSA-jg8p-p13z-fkym","packageName":"shopper\/framework","remoteId":"GHSA-h4mp-g9c6-xwph","title":"Shopper: Missing authorization on Product admin Livewire sub-form components","link":"https:\/\/github.com\/advisories\/GHSA-h4mp-g9c6-xwph","cve":"CVE-2026-47742","affectedVersions":"\u003C2.8.0","source":"GitHub","reportedAt":"2026-06-05 20:33:47","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-h4mp-g9c6-xwph"}]},{"advisoryId":"PKSA-7v8h-262h-wzkz","packageName":"shopper\/framework","remoteId":"GHSA-fxqw-97cc-7g5c","title":"Shopper: Missing per-action authorization on PaymentMethods, Currencies and Carriers admin tables","link":"https:\/\/github.com\/advisories\/GHSA-fxqw-97cc-7g5c","cve":"CVE-2026-47745","affectedVersions":"\u003C2.8.0","source":"GitHub","reportedAt":"2026-06-05 20:34:31","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-fxqw-97cc-7g5c"}]},{"advisoryId":"PKSA-88dm-mp91-mkr8","packageName":"shopper\/framework","remoteId":"GHSA-hr9v-r8r2-hg7j","title":"Shopper: Multiple data integrity and disclosure issues in admin Livewire components","link":"https:\/\/github.com\/advisories\/GHSA-hr9v-r8r2-hg7j","cve":"CVE-2026-47743","affectedVersions":"\u003C2.8.0","source":"GitHub","reportedAt":"2026-06-05 20:35:14","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-hr9v-r8r2-hg7j"}]},{"advisoryId":"PKSA-5g52-7x8y-w2y1","packageName":"shopper\/framework","remoteId":"GHSA-c3qp-2ggw-xjg7","title":"Shopper: Authorization bypass and RBAC privilege escalation in team settings","link":"https:\/\/github.com\/advisories\/GHSA-c3qp-2ggw-xjg7","cve":"CVE-2026-47744","affectedVersions":"\u003C2.8.0","source":"GitHub","reportedAt":"2026-06-05 20:35:51","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-c3qp-2ggw-xjg7"}]}],"tinymce\/tinymce":[{"advisoryId":"PKSA-rf1b-835f-6yyv","packageName":"tinymce\/tinymce","remoteId":"GHSA-q742-qvgc-gc2f","title":"TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes","link":"https:\/\/github.com\/advisories\/GHSA-q742-qvgc-gc2f","cve":"CVE-2026-47759","affectedVersions":"\u003E=8.0.0,\u003C8.5.1|\u003E=6.0.0,\u003C7.9.3|\u003C5.11.1","source":"GitHub","reportedAt":"2026-06-05 20:27:50","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-q742-qvgc-gc2f"}]},{"advisoryId":"PKSA-2v47-9p8y-4qt3","packageName":"tinymce\/tinymce","remoteId":"GHSA-v98h-vmpc-fpqv","title":"TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments","link":"https:\/\/github.com\/advisories\/GHSA-v98h-vmpc-fpqv","cve":"CVE-2026-47762","affectedVersions":"\u003E=8.0.0,\u003C8.5.1|\u003E=6.0.0,\u003C7.9.3|\u003C5.11.1","source":"GitHub","reportedAt":"2026-06-05 20:29:07","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-v98h-vmpc-fpqv"}]},{"advisoryId":"PKSA-k4d6-bt7k-7ddp","packageName":"tinymce\/tinymce","remoteId":"GHSA-vg35-5wq7-3x7w","title":"TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection","link":"https:\/\/github.com\/advisories\/GHSA-vg35-5wq7-3x7w","cve":"CVE-2026-47761","affectedVersions":"\u003E=8.0.0,\u003C8.5.1|\u003E=6.0.0,\u003C7.9.3|\u003C5.11.1","source":"GitHub","reportedAt":"2026-06-05 20:29:43","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-vg35-5wq7-3x7w"}]},{"advisoryId":"PKSA-fp8q-vmhs-msy9","packageName":"tinymce\/tinymce","remoteId":"GHSA-mh5m-5hw4-5c69","title":"TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs","link":"https:\/\/github.com\/advisories\/GHSA-mh5m-5hw4-5c69","cve":"CVE-2026-47760","affectedVersions":"\u003E=6.8.0,\u003C7.1.0","source":"GitHub","reportedAt":"2026-06-05 20:09:38","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-mh5m-5hw4-5c69"}]}],"drupal\/core":[{"advisoryId":"PKSA-787q-p7fn-mcw7","packageName":"drupal\/core","remoteId":"GHSA-pw6f-3999-xp7g","title":"Drupal core allows Cross-Site Scripting (XSS)","link":"https:\/\/github.com\/advisories\/GHSA-pw6f-3999-xp7g","cve":"CVE-2026-6367","affectedVersions":"\u003E=11.3.0,\u003C11.3.7","source":"GitHub","reportedAt":"2026-05-20 00:31:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-pw6f-3999-xp7g"}]},{"advisoryId":"PKSA-7kyj-yy4m-jzhv","packageName":"drupal\/core","remoteId":"GHSA-f3cj-mjqm-fhvj","title":"Drupal core is Vulnerable to Cross-Site Scripting","link":"https:\/\/github.com\/advisories\/GHSA-f3cj-mjqm-fhvj","cve":"CVE-2026-6365","affectedVersions":"\u003E=11.3.0,\u003C11.3.7|\u003E=11.0.0,\u003C11.2.11|\u003E=10.6.0,\u003C10.6.7|\u003E=8.0.0,\u003C10.5.9","source":"GitHub","reportedAt":"2026-05-20 00:31:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f3cj-mjqm-fhvj"}]},{"advisoryId":"PKSA-j351-xv4b-pryh","packageName":"drupal\/core","remoteId":"GHSA-xmjc-63pr-2mpg","title":"Drupal core allows Object Injection","link":"https:\/\/github.com\/advisories\/GHSA-xmjc-63pr-2mpg","cve":"CVE-2026-6366","affectedVersions":"\u003E=11.3.0,\u003C11.3.7|\u003E=11.0.0,\u003C11.2.11|\u003E=10.6.0,\u003C10.6.7|\u003E=8.0.0,\u003C10.5.9","source":"GitHub","reportedAt":"2026-05-20 00:31:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-xmjc-63pr-2mpg"}]}],"billabear\/billabear":[{"advisoryId":"PKSA-tks4-h5gc-8mrj","packageName":"billabear\/billabear","remoteId":"GHSA-xp6r-8pcc-xv5p","title":"BillaBear is Vulnerable to SQL Injection in the EventRepository","link":"https:\/\/github.com\/advisories\/GHSA-xp6r-8pcc-xv5p","cve":"CVE-2026-31069","affectedVersions":"\u003C=2025.01.03","source":"GitHub","reportedAt":"2026-05-19 18:32:11","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xp6r-8pcc-xv5p"}]}],"shopware\/core":[{"advisoryId":"PKSA-yt77-qm1k-2vvb","packageName":"shopware\/core","remoteId":"GHSA-7w52-7jvm-m9vw","title":"Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames","link":"https:\/\/github.com\/advisories\/GHSA-7w52-7jvm-m9vw","cve":"CVE-2026-48011","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:31:17","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-7w52-7jvm-m9vw"}]},{"advisoryId":"PKSA-xknd-fd7t-crfc","packageName":"shopware\/core","remoteId":"GHSA-4x3x-869w-xx3m","title":"Shopware SSO referer trust leading to an arbitrary redirect target","link":"https:\/\/github.com\/advisories\/GHSA-4x3x-869w-xx3m","cve":"CVE-2026-48012","affectedVersions":"\u003E=6.7.3.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:32:35","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4x3x-869w-xx3m"}]},{"advisoryId":"PKSA-rnpb-7fbj-phyz","packageName":"shopware\/core","remoteId":"GHSA-f8q6-3g5w-jjr6","title":"Shopware: Admin API ACL Bypass in Order State Transition Endpoints","link":"https:\/\/github.com\/advisories\/GHSA-f8q6-3g5w-jjr6","cve":"CVE-2026-48014","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:33:02","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f8q6-3g5w-jjr6"}]},{"advisoryId":"PKSA-y5sy-w7mt-r97k","packageName":"shopware\/core","remoteId":"GHSA-9v5m-39wh-5chq","title":"Shopware: Unauthorized Payment Trigger for Foreign Orders via \/store-api\/handle-payment","link":"https:\/\/github.com\/advisories\/GHSA-9v5m-39wh-5chq","cve":"CVE-2026-48016","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:33:54","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-9v5m-39wh-5chq"}]},{"advisoryId":"PKSA-qf56-zbmm-29m8","packageName":"shopware\/core","remoteId":"GHSA-xvhc-gm7j-mhmc","title":"Shopware: Stored XSS via SVG file upload \u2014 no SVG sanitization","link":"https:\/\/github.com\/advisories\/GHSA-xvhc-gm7j-mhmc","cve":"CVE-2026-48015","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:35:26","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-xvhc-gm7j-mhmc"}]},{"advisoryId":"PKSA-9x83-17hb-ky3t","packageName":"shopware\/core","remoteId":"GHSA-gq96-5pfx-f4vc","title":"Shopware: SSRF in Media External-Link Endpoint Bypasses IP Validation","link":"https:\/\/github.com\/advisories\/GHSA-gq96-5pfx-f4vc","cve":"CVE-2026-48013","affectedVersions":"\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:36:07","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gq96-5pfx-f4vc"}]},{"advisoryId":"PKSA-zymb-qg2c-csgb","packageName":"shopware\/core","remoteId":"GHSA-gv8p-48fr-4fxg","title":"Shopware: Privilege Escalation via Sync API Integration Admin Flag Bypass","link":"https:\/\/github.com\/advisories\/GHSA-gv8p-48fr-4fxg","cve":"CVE-2026-48008","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:23:33","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gv8p-48fr-4fxg"}]},{"advisoryId":"PKSA-946b-qy3w-67d7","packageName":"shopware\/core","remoteId":"GHSA-8v9p-g828-v98f","title":"Shopware: Admin Account Takeover via User Recovery Hash Exposure","link":"https:\/\/github.com\/advisories\/GHSA-8v9p-g828-v98f","cve":"CVE-2026-48009","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:27:15","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-8v9p-g828-v98f"}]},{"advisoryId":"PKSA-fstf-sh35-tmx7","packageName":"shopware\/core","remoteId":"GHSA-v39m-97p8-gqg7","title":"Shopware: Privilege escalation: non-admin user with user:create ACL can create admin accounts","link":"https:\/\/github.com\/advisories\/GHSA-v39m-97p8-gqg7","cve":"CVE-2026-48010","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:28:29","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-v39m-97p8-gqg7"}]}],"shopware\/platform":[{"advisoryId":"PKSA-xwkj-rryn-xz6v","packageName":"shopware\/platform","remoteId":"GHSA-7w52-7jvm-m9vw","title":"Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames","link":"https:\/\/github.com\/advisories\/GHSA-7w52-7jvm-m9vw","cve":"CVE-2026-48011","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:31:17","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-7w52-7jvm-m9vw"}]},{"advisoryId":"PKSA-54rn-sm9v-17vx","packageName":"shopware\/platform","remoteId":"GHSA-4x3x-869w-xx3m","title":"Shopware SSO referer trust leading to an arbitrary redirect target","link":"https:\/\/github.com\/advisories\/GHSA-4x3x-869w-xx3m","cve":"CVE-2026-48012","affectedVersions":"\u003E=6.7.3.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:32:35","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4x3x-869w-xx3m"}]},{"advisoryId":"PKSA-1xdm-446c-t7rz","packageName":"shopware\/platform","remoteId":"GHSA-f8q6-3g5w-jjr6","title":"Shopware: Admin API ACL Bypass in Order State Transition Endpoints","link":"https:\/\/github.com\/advisories\/GHSA-f8q6-3g5w-jjr6","cve":"CVE-2026-48014","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:33:02","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f8q6-3g5w-jjr6"}]},{"advisoryId":"PKSA-6c8x-wdsy-zx17","packageName":"shopware\/platform","remoteId":"GHSA-9v5m-39wh-5chq","title":"Shopware: Unauthorized Payment Trigger for Foreign Orders via \/store-api\/handle-payment","link":"https:\/\/github.com\/advisories\/GHSA-9v5m-39wh-5chq","cve":"CVE-2026-48016","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:33:54","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-9v5m-39wh-5chq"}]},{"advisoryId":"PKSA-xngt-2zh8-qhq6","packageName":"shopware\/platform","remoteId":"GHSA-xvhc-gm7j-mhmc","title":"Shopware: Stored XSS via SVG file upload \u2014 no SVG sanitization","link":"https:\/\/github.com\/advisories\/GHSA-xvhc-gm7j-mhmc","cve":"CVE-2026-48015","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:35:26","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-xvhc-gm7j-mhmc"}]},{"advisoryId":"PKSA-yg4m-g48j-bdvp","packageName":"shopware\/platform","remoteId":"GHSA-gq96-5pfx-f4vc","title":"Shopware: SSRF in Media External-Link Endpoint Bypasses IP Validation","link":"https:\/\/github.com\/advisories\/GHSA-gq96-5pfx-f4vc","cve":"CVE-2026-48013","affectedVersions":"\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:36:07","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gq96-5pfx-f4vc"}]},{"advisoryId":"PKSA-b8bq-4ngt-d89p","packageName":"shopware\/platform","remoteId":"GHSA-gv8p-48fr-4fxg","title":"Shopware: Privilege Escalation via Sync API Integration Admin Flag Bypass","link":"https:\/\/github.com\/advisories\/GHSA-gv8p-48fr-4fxg","cve":"CVE-2026-48008","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:23:33","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gv8p-48fr-4fxg"}]},{"advisoryId":"PKSA-tk1x-h875-8y1s","packageName":"shopware\/platform","remoteId":"GHSA-8v9p-g828-v98f","title":"Shopware: Admin Account Takeover via User Recovery Hash Exposure","link":"https:\/\/github.com\/advisories\/GHSA-8v9p-g828-v98f","cve":"CVE-2026-48009","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:27:15","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-8v9p-g828-v98f"}]},{"advisoryId":"PKSA-xbrd-fvys-3t24","packageName":"shopware\/platform","remoteId":"GHSA-v39m-97p8-gqg7","title":"Shopware: Privilege escalation: non-admin user with user:create ACL can create admin accounts","link":"https:\/\/github.com\/advisories\/GHSA-v39m-97p8-gqg7","cve":"CVE-2026-48010","affectedVersions":"\u003C6.6.10.18|\u003E=6.7.0.0,\u003C6.7.10.1","source":"GitHub","reportedAt":"2026-06-04 19:28:29","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-v39m-97p8-gqg7"}]}],"wwbn\/avideo":[{"advisoryId":"PKSA-k9kk-fbnx-923m","packageName":"wwbn\/avideo","remoteId":"GHSA-2fhx-q92v-5fhv","title":"WWBN AVideo: Stored XSS via autoEvalCodeOnHTML Bypass in MessageSQLite WebSocket Handler (CVE-2026-43874 Bypass)","link":"https:\/\/github.com\/advisories\/GHSA-2fhx-q92v-5fhv","cve":"CVE-2026-49279","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-06-04 18:55:04","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-2fhx-q92v-5fhv"}]},{"advisoryId":"PKSA-s76b-xf2h-zmsc","packageName":"wwbn\/avideo","remoteId":"GHSA-hgjh-6wj8-gcgf","title":"WWBN AVideo: Unauthenticated Reflected XSS via $_GET[\u0027search\u0027] in AVideo YouTubeAPI Gallery Pagination","link":"https:\/\/github.com\/advisories\/GHSA-hgjh-6wj8-gcgf","cve":"CVE-2026-50182","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-06-04 18:55:58","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hgjh-6wj8-gcgf"}]},{"advisoryId":"PKSA-qfq6-tncf-8grt","packageName":"wwbn\/avideo","remoteId":"GHSA-66q5-cj5g-wrfx","title":"WWBN AVideo: Stored XSS via Hostile YouTube Video Title in AVideo YouTubeAPI Gallery Section","link":"https:\/\/github.com\/advisories\/GHSA-66q5-cj5g-wrfx","cve":"CVE-2026-50183","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-06-04 18:56:53","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-66q5-cj5g-wrfx"}]},{"advisoryId":"PKSA-rftd-5wbt-6qx1","packageName":"wwbn\/avideo","remoteId":"GHSA-8whc-2wmv-ww35","title":"WWBN AVideo: Unauthenticated Stored DOM Cross-Site Scripting via Per-Client Metadata Broadcast in YPTSocket Plugin","link":"https:\/\/github.com\/advisories\/GHSA-8whc-2wmv-ww35","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-06-04 18:57:50","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-8whc-2wmv-ww35"}]},{"advisoryId":"PKSA-4cz6-6cfv-8gy3","packageName":"wwbn\/avideo","remoteId":"GHSA-c8h8-vq34-9fw2","title":"WWBN AVideo: Stored XSS via unescaped Gallery category description","link":"https:\/\/github.com\/advisories\/GHSA-c8h8-vq34-9fw2","cve":"CVE-2026-47694","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-06-04 18:46:31","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-c8h8-vq34-9fw2"}]},{"advisoryId":"PKSA-59k2-q697-bf8x","packageName":"wwbn\/avideo","remoteId":"GHSA-9392-pj54-qqf8","title":"WWBN AVideo: Authenticated wallet credit bypass in AuthorizeNet processPayment endpoint","link":"https:\/\/github.com\/advisories\/GHSA-9392-pj54-qqf8","cve":"CVE-2026-47696","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-06-04 18:47:35","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-9392-pj54-qqf8"}]}],"easycorp\/easyadmin-bundle":[{"advisoryId":"PKSA-8yhb-cz5n-f41h","packageName":"easycorp\/easyadmin-bundle","remoteId":"easycorp\/easyadmin-bundle\/GHSA-8559-gwj3-q37r.yaml","title":"Stored Cross-Site Scripting (XSS) via uploaded files served inline in FileField and ImageField","link":"https:\/\/github.com\/EasyCorp\/EasyAdminBundle\/security\/advisories\/GHSA-8559-gwj3-q37r","cve":null,"affectedVersions":"\u003E=5.0.0,\u003C5.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-04 06:43:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"easycorp\/easyadmin-bundle\/GHSA-8559-gwj3-q37r.yaml"}]},{"advisoryId":"PKSA-z6tn-c4hk-yb9y","packageName":"easycorp\/easyadmin-bundle","remoteId":"easycorp\/easyadmin-bundle\/GHSA-2wwr-9x6f-88gp.yaml","title":"Path traversal and reflected XSS in Flag and Icon Twig components","link":"https:\/\/github.com\/EasyCorp\/EasyAdminBundle\/security\/advisories\/GHSA-2wwr-9x6f-88gp","cve":null,"affectedVersions":"\u003E=4.0.0,\u003C4.29.10|\u003E=5.0.0,\u003C5.0.10","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-28 18:30:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"easycorp\/easyadmin-bundle\/GHSA-2wwr-9x6f-88gp.yaml"}]}],"froxlor\/froxlor":[{"advisoryId":"PKSA-bhjh-v6gp-f43f","packageName":"froxlor\/froxlor","remoteId":"GHSA-f9rx-7wf7-jr36","title":"Froxlor\u0027s API Authentication bypasses 2FA Authentication","link":"https:\/\/github.com\/advisories\/GHSA-f9rx-7wf7-jr36","cve":null,"affectedVersions":"\u003C2.3.7","source":"GitHub","reportedAt":"2026-06-03 21:41:12","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-f9rx-7wf7-jr36"}]},{"advisoryId":"PKSA-jryy-96vk-jczz","packageName":"froxlor\/froxlor","remoteId":"GHSA-37m5-m4q3-fc6x","title":"Froxlor: BIND Zone File Injection via TXT Record Content","link":"https:\/\/github.com\/advisories\/GHSA-37m5-m4q3-fc6x","cve":"CVE-2026-41234","affectedVersions":"\u003C=2.3.6","source":"GitHub","reportedAt":"2026-06-03 21:02:12","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-37m5-m4q3-fc6x"}]}],"backpack\/crud":[{"advisoryId":"PKSA-8yrj-8khf-srxh","packageName":"backpack\/crud","remoteId":"GHSA-m8xx-3x29-84h8","title":"backpack\/crud is vulnerable to Cross-Site Scripting (XSS)","link":"https:\/\/github.com\/advisories\/GHSA-m8xx-3x29-84h8","cve":"CVE-2022-31114","affectedVersions":"\u003C4.0.63|\u003E=4.1.0,\u003C4.1.69|\u003E=5.0.0,\u003C5.0.13","source":"GitHub","reportedAt":"2026-06-03 20:25:50","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-m8xx-3x29-84h8"}]}],"laravel\/framework":[{"advisoryId":"PKSA-mdq4-51ck-6kdq","packageName":"laravel\/framework","remoteId":"laravel\/framework\/CVE-2026-48019.yaml","title":"Laravel CRLF injection in default email rule","link":"https:\/\/github.com\/laravel\/framework\/security\/advisories\/GHSA-5vg9-5847-vvmq","cve":"CVE-2026-48019","affectedVersions":"\u003E=9.0.0,\u003C10.0.0|\u003E=10.0.0,\u003C11.0.0|\u003E=11.0.0,\u003C12.0.0|\u003E=12.0.0,\u003C12.60.0|\u003E=13.0.0,\u003C13.10.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-19 18:13:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"laravel\/framework\/CVE-2026-48019.yaml"}]}],"illuminate\/mail":[{"advisoryId":"PKSA-zwc5-qtrz-zm1n","packageName":"illuminate\/mail","remoteId":"illuminate\/mail\/CVE-2026-48019.yaml","title":"Laravel CRLF injection in default email rule","link":"https:\/\/github.com\/laravel\/framework\/security\/advisories\/GHSA-5vg9-5847-vvmq","cve":"CVE-2026-48019","affectedVersions":"\u003E=9.0.0,\u003C10.0.0|\u003E=10.0.0,\u003C11.0.0|\u003E=11.0.0,\u003C12.0.0|\u003E=12.0.0,\u003C12.60.0|\u003E=13.0.0,\u003C13.10.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-19 18:13:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"illuminate\/mail\/CVE-2026-48019.yaml"}]}],"spatie\/schema-org":[{"advisoryId":"PKSA-6mmh-w4kg-c2xp","packageName":"spatie\/schema-org","remoteId":"spatie\/schema-org\/2026-04-20.yaml","title":"Cross-site scripting (XSS) via script break-out in toScript() output","link":"https:\/\/github.com\/spatie\/schema-org\/releases\/tag\/4.0.2","cve":null,"affectedVersions":"\u003E=3.23.1,\u003C3.23.2|\u003E=4.0.0,\u003C4.0.2","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-04-20 00:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"spatie\/schema-org\/2026-04-20.yaml"}]}],"tpwd\/ke_search":[{"advisoryId":"PKSA-cy57-p12b-t759","packageName":"tpwd\/ke_search","remoteId":"tpwd\/ke_search\/CVE-2026-46722.yaml","title":"TYPO3-EXT-SA-2026-011: XML External Entity Injection in extension \u0022Faceted Search\u0022 (ke_search)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2026-011","cve":"CVE-2026-46722","affectedVersions":"\u003E=7.0.0,\u003C7.0.1|\u003E=6.0.0,\u003C6.6.1|\u003E=5.0.0,\u003C5.6.2|\u003C4.6.7","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-18 14:30:45","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"tpwd\/ke_search\/CVE-2026-46722.yaml"}]},{"advisoryId":"PKSA-ybqg-nm5d-my8d","packageName":"tpwd\/ke_search","remoteId":"tpwd\/ke_search\/CVE-2026-46724.yaml","title":"TYPO3-EXT-SA-2026-011: Path Traversal in extension \u0022Faceted Search\u0022 (ke_search)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2026-011","cve":"CVE-2026-46724","affectedVersions":"\u003E=7.0.0,\u003C7.0.1|\u003E=6.0.0,\u003C6.6.1|\u003E=5.0.0,\u003C5.6.2|\u003C4.6.7","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-18 14:30:45","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"tpwd\/ke_search\/CVE-2026-46724.yaml"}]}],"georgringer\/news":[{"advisoryId":"PKSA-grgc-xpj3-tvw1","packageName":"georgringer\/news","remoteId":"georgringer\/news\/CVE-2026-8726.yaml","title":"SQL Injection in extension \u0022News system\u0022 (news)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2026-010","cve":"CVE-2026-8726","affectedVersions":"\u003C10.0.4|\u003E=11.0.0,\u003C11.4.4|\u003E=12.0.0,\u003C12.3.2|\u003E=13.0.0,\u003C13.0.2|\u003E=14.0.0,\u003C14.0.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-19 12:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"georgringer\/news\/CVE-2026-8726.yaml"}]}],"twig\/twig":[{"advisoryId":"PKSA-wwb1-81rc-pd65","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-47730.yaml","title":"XSS in profiler HtmlDumper via unescaped template and profile names","link":"https:\/\/symfony.com\/cve-2026-47730","cve":"CVE-2026-47730","affectedVersions":"\u003E=3.0.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-2g2g-8p8h-fgwm"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-47730.yaml"}]},{"advisoryId":"PKSA-gw7n-z4yx-7xjt","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-24425.yaml","title":"Possible sandbox bypass when using a source policy","link":"https:\/\/symfony.com\/cve-2026-24425","cve":"CVE-2026-24425","affectedVersions":"\u003E=2.16.0,\u003C3.0.0|\u003E=3.9.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-2q52-x2ff-qgfr"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-24425.yaml"}]},{"advisoryId":"PKSA-dpx1-78wg-1kqs","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-47732.yaml","title":"Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points","link":"https:\/\/symfony.com\/cve-2026-47732","cve":"CVE-2026-47732","affectedVersions":"\u003E=1.0.0,\u003C2.0.0|\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.26.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pr2w-4gpj-cpq4"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-47732.yaml"}]}]}}