{"advisories":{"phpseclib\/phpseclib":[{"advisoryId":"PKSA-432p-hv1d-chf7","packageName":"phpseclib\/phpseclib","remoteId":"GHSA-m557-wrgg-6rp4","title":"phpseclib: X.509 certificate validation sends attacker-controlled outbound requests (server-side request forgery) via Authority Information Access","link":"https:\/\/github.com\/advisories\/GHSA-m557-wrgg-6rp4","cve":null,"affectedVersions":"\u003E=3.0.0,\u003C=3.0.53|\u003E=2.0.0,\u003C=2.0.54|\u003E=0.1.1,\u003C=1.0.29","source":"GitHub","reportedAt":"2026-06-16 15:03:58","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-m557-wrgg-6rp4"}]}],"typo3\/cms-recycler":[{"advisoryId":"PKSA-9psw-d46q-t3cr","packageName":"typo3\/cms-recycler","remoteId":"GHSA-f34x-rx2w-7pm3","title":"TYPO3 CMS has Broken Access Control in the Recycler Module","link":"https:\/\/github.com\/advisories\/GHSA-f34x-rx2w-7pm3","cve":"CVE-2026-47349","affectedVersions":"\u003E=14.0.0,\u003C14.3.3|\u003E=13.0.0,\u003C13.4.31|\u003E=12.0.0,\u003C12.4.46|\u003E=11.0.0,\u003C11.5.51|\u003C10.4.57","source":"GitHub","reportedAt":"2026-06-12 20:08:04","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f34x-rx2w-7pm3"}]}],"typo3\/cms-form":[{"advisoryId":"PKSA-8hzt-dvj5-mc5s","packageName":"typo3\/cms-form","remoteId":"GHSA-pjpj-v387-x4vq","title":"TYPO3 CMS has Broken Access Control in its Form Framework","link":"https:\/\/github.com\/advisories\/GHSA-pjpj-v387-x4vq","cve":"CVE-2026-11607","affectedVersions":"\u003E=14.0.0,\u003C14.3.3|\u003E=13.0.0,\u003C13.4.31|\u003E=12.0.0,\u003C12.4.46|\u003E=11.0.0,\u003C11.5.51|\u003C10.4.57","source":"GitHub","reportedAt":"2026-06-12 20:08:11","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pjpj-v387-x4vq"}]},{"advisoryId":"PKSA-m239-hcqk-kg59","packageName":"typo3\/cms-form","remoteId":"GHSA-hwvq-2w67-rvxp","title":"TYPO3 CMS has Broken Access Control in its Form Framework","link":"https:\/\/github.com\/advisories\/GHSA-hwvq-2w67-rvxp","cve":"CVE-2026-47346","affectedVersions":"\u003E=14.0.0,\u003C14.3.3|\u003E=13.0.0,\u003C13.4.31|\u003E=12.0.0,\u003C12.4.46|\u003E=11.0.0,\u003C11.5.51|\u003C10.4.57","source":"GitHub","reportedAt":"2026-06-12 19:32:09","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-hwvq-2w67-rvxp"}]},{"advisoryId":"PKSA-w8hs-qvzm-sf5x","packageName":"typo3\/cms-form","remoteId":"GHSA-jh32-v29g-68pq","title":"TYPO3 CMS has Privilege Escalation \u0026 SQL Injection in its Form Framework","link":"https:\/\/github.com\/advisories\/GHSA-jh32-v29g-68pq","cve":"CVE-2026-49741","affectedVersions":"\u003E=14.0.0,\u003C14.3.3","source":"GitHub","reportedAt":"2026-06-12 19:32:22","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-jh32-v29g-68pq"}]}],"typo3\/cms-indexed-search":[{"advisoryId":"PKSA-38f7-f61m-dktr","packageName":"typo3\/cms-indexed-search","remoteId":"GHSA-cg75-qfg2-w9hj","title":"TYPO3 CMS has Cross-Site Scripting in Indexed Search","link":"https:\/\/github.com\/advisories\/GHSA-cg75-qfg2-w9hj","cve":"CVE-2026-47348","affectedVersions":"\u003E=14.0.0,\u003C14.3.3|\u003E=13.0.0,\u003C13.4.31","source":"GitHub","reportedAt":"2026-06-12 19:06:52","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-cg75-qfg2-w9hj"}]}],"typo3\/cms-backend":[{"advisoryId":"PKSA-4mhm-w6hx-yhcy","packageName":"typo3\/cms-backend","remoteId":"GHSA-q93m-25xv-94hh","title":"TYPO3 CMS: Broken Access Control in Media Module","link":"https:\/\/github.com\/advisories\/GHSA-q93m-25xv-94hh","cve":"CVE-2026-47351","affectedVersions":"\u003E=14.0.0,\u003C14.3.3|\u003E=13.0.0,\u003C13.4.31|\u003E=12.0.0,\u003C12.4.46|\u003E=11.0.0,\u003C11.5.51|\u003C10.4.57","source":"GitHub","reportedAt":"2026-06-12 19:06:59","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-q93m-25xv-94hh"}]},{"advisoryId":"PKSA-gksc-phy8-f181","packageName":"typo3\/cms-backend","remoteId":"GHSA-2j54-93q2-3hjq","title":"TYPO3 CMS has Broken Access Control in Backend API","link":"https:\/\/github.com\/advisories\/GHSA-2j54-93q2-3hjq","cve":"CVE-2026-47352","affectedVersions":"\u003E=14.0.0,\u003C14.3.3|\u003E=13.0.0,\u003C13.4.31|\u003E=12.0.0,\u003C12.4.46|\u003E=11.0.0,\u003C11.5.51|\u003C10.4.57","source":"GitHub","reportedAt":"2026-06-12 19:08:59","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-2j54-93q2-3hjq"}]}],"typo3\/cms-filelist":[{"advisoryId":"PKSA-br9n-75sp-8dqy","packageName":"typo3\/cms-filelist","remoteId":"GHSA-chm7-4vch-h8vr","title":"TYPO3 CMS has Broken Access Control in its Media Module","link":"https:\/\/github.com\/advisories\/GHSA-chm7-4vch-h8vr","cve":"CVE-2026-49742","affectedVersions":"\u003E=14.0.0,\u003C14.3.3|\u003E=13.0.0,\u003C13.4.31|\u003E=12.0.0,\u003C12.4.46|\u003E=11.0.0,\u003C11.5.51","source":"GitHub","reportedAt":"2026-06-12 19:09:30","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-chm7-4vch-h8vr"}]}],"grumpydictator\/firefly-iii":[{"advisoryId":"PKSA-197r-m2ry-57db","packageName":"grumpydictator\/firefly-iii","remoteId":"GHSA-6jq6-x4cx-qvcm","title":"Firefly II has Stored XSS in Audit Log Entry view via piggy bank name (ale.twig)","link":"https:\/\/github.com\/advisories\/GHSA-6jq6-x4cx-qvcm","cve":null,"affectedVersions":"\u003C=6.6.2","source":"GitHub","reportedAt":"2026-06-12 15:04:50","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6jq6-x4cx-qvcm"}]}],"symfony\/runtime":[{"advisoryId":"PKSA-xf5h-y6vg-qj98","packageName":"symfony\/runtime","remoteId":"GHSA-fqc7-9xjw-jrh3","title":"SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV\/APP_DEBUG via parse_str\/SAPI Argv Mismatch","link":"https:\/\/github.com\/advisories\/GHSA-fqc7-9xjw-jrh3","cve":"CVE-2026-47767","affectedVersions":"\u003E=8.0.0,\u003C8.0.12|\u003E=7.1.7,\u003C7.4.12|\u003E=6.4.14,\u003C6.4.40|\u003E=5.4.46,\u003C5.4.52","source":"GitHub","reportedAt":"2026-06-09 21:58:11","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-fqc7-9xjw-jrh3"}]}],"symfony\/symfony":[{"advisoryId":"PKSA-9crr-v2h4-wg18","packageName":"symfony\/symfony","remoteId":"GHSA-fqc7-9xjw-jrh3","title":"SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV\/APP_DEBUG via parse_str\/SAPI Argv Mismatch","link":"https:\/\/github.com\/advisories\/GHSA-fqc7-9xjw-jrh3","cve":"CVE-2026-47767","affectedVersions":"\u003E=8.0.0,\u003C8.0.12|\u003E=7.1.7,\u003C7.4.12|\u003E=6.4.14,\u003C6.4.40|\u003E=5.4.46,\u003C5.4.52","source":"GitHub","reportedAt":"2026-06-09 21:58:11","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-fqc7-9xjw-jrh3"}]},{"advisoryId":"PKSA-bd71-n14y-wh1d","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-48736.yaml","title":"CVE-2026-48736: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient","link":"https:\/\/symfony.com\/cve-2026-48736","cve":"CVE-2026-48736","affectedVersions":"\u003E=5.4.0,\u003C5.4.53|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-38cx-cq6f-5755"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-48736.yaml"}]},{"advisoryId":"PKSA-qpkt-z1gq-qf6m","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-48761.yaml","title":"CVE-2026-48761: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes on \u003Cobject\u003E, \u003Capplet\u003E, \u003Ciframe\u003E, \u003Cimg\u003E and the URL Inside \u003Cmeta http-equiv=\u0022refresh\u0022\u003E content","link":"https:\/\/symfony.com\/cve-2026-48761","cve":"CVE-2026-48761","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-x5qj-865h-mgvm"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-48761.yaml"}]},{"advisoryId":"PKSA-nshj-ydrr-y3c1","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-48784.yaml","title":"CVE-2026-48784: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `..\/` or `.\/` \u2192 Generated URL Collapses Off-Route Under RFC 3986 Normalization","link":"https:\/\/symfony.com\/cve-2026-48784","cve":"CVE-2026-48784","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.53|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-h5x3-xfc9-m39h"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-48784.yaml"}]},{"advisoryId":"PKSA-v1cq-8qyb-2p5n","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-48747.yaml","title":"CVE-2026-48747: Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade","link":"https:\/\/symfony.com\/cve-2026-48747","cve":"CVE-2026-48747","affectedVersions":"\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-rrj9-5q2j-4gvr"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-48747.yaml"}]},{"advisoryId":"PKSA-gc1j-s49p-r1kv","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-48760.yaml","title":"CVE-2026-48760: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense","link":"https:\/\/symfony.com\/cve-2026-48760","cve":"CVE-2026-48760","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-v3wm-qf9p-c549"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-48760.yaml"}]},{"advisoryId":"PKSA-pjp2-q1z1-mmvn","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-48489.yaml","title":"CVE-2026-48489: Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET Routes","link":"https:\/\/symfony.com\/cve-2026-48489","cve":"CVE-2026-48489","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.53|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-6h46-9jf5-q59x"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-48489.yaml"}]}],"pheditor\/pheditor":[{"advisoryId":"PKSA-5cjp-hkk1-6kzk","packageName":"pheditor\/pheditor","remoteId":"GHSA-jvc5-6g7q-c843","title":"Pheditor: OS Command Injection in terminal handler via unsanitized \u0027dir\u0027 parameter","link":"https:\/\/github.com\/advisories\/GHSA-jvc5-6g7q-c843","cve":"CVE-2026-48030","affectedVersions":"\u003E=2.0.1,\u003C=2.0.3","source":"GitHub","reportedAt":"2026-06-09 22:00:35","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-jvc5-6g7q-c843"}]}],"guzzlehttp\/psr7":[{"advisoryId":"PKSA-gm5x-j3mz-71n9","packageName":"guzzlehttp\/psr7","remoteId":"GHSA-hq7v-mx3g-29hw","title":"guzzlehttp\/psr7 has CRLF Injection via URI Host Component","link":"https:\/\/github.com\/advisories\/GHSA-hq7v-mx3g-29hw","cve":"CVE-2026-49214","affectedVersions":"\u003C2.10.2","source":"GitHub","reportedAt":"2026-06-11 13:04:47","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hq7v-mx3g-29hw"}]},{"advisoryId":"PKSA-jj5t-2zs1-dcfm","packageName":"guzzlehttp\/psr7","remoteId":"GHSA-34xg-wgjx-8xph","title":"guzzlehttp\/psr7 has Host Confusion via Authority Reinterpretation","link":"https:\/\/github.com\/advisories\/GHSA-34xg-wgjx-8xph","cve":"CVE-2026-48998","affectedVersions":"\u003C2.10.2","source":"GitHub","reportedAt":"2026-06-11 13:04:53","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-34xg-wgjx-8xph"}]}],"guzzlehttp\/guzzle-services":[{"advisoryId":"PKSA-39d7-zgf3-b3y1","packageName":"guzzlehttp\/guzzle-services","remoteId":"GHSA-q8r6-5hfw-5jff","title":"guzzlehttp\/guzzle-services\u0027 XML Request Serialization Vulnerable to XML Injection via CDATA Terminator","link":"https:\/\/github.com\/advisories\/GHSA-q8r6-5hfw-5jff","cve":"CVE-2026-53723","affectedVersions":"\u003C1.5.4","source":"GitHub","reportedAt":"2026-06-11 13:05:01","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-q8r6-5hfw-5jff"}]}],"codeigniter4\/framework":[{"advisoryId":"PKSA-217t-qqjr-nkt3","packageName":"codeigniter4\/framework","remoteId":"GHSA-2gr4-ppc7-7mhx","title":"CodeIgniter4 has a validation bypass when uploading file extensions via `ext_in` rule","link":"https:\/\/github.com\/advisories\/GHSA-2gr4-ppc7-7mhx","cve":"CVE-2026-48062","affectedVersions":"\u003C4.7.2","source":"GitHub","reportedAt":"2026-06-11 17:16:09","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-2gr4-ppc7-7mhx"}]}],"filament\/tables":[{"advisoryId":"PKSA-w941-zhwq-2wbm","packageName":"filament\/tables","remoteId":"GHSA-7q3w-xqjw-g3cr","title":"Filament has inconsistent scope enforcement for its AttachAction and AssociateAction Select fields","link":"https:\/\/github.com\/advisories\/GHSA-7q3w-xqjw-g3cr","cve":"CVE-2026-48067","affectedVersions":"\u003E=3.0.0,\u003C=3.3.50","source":"GitHub","reportedAt":"2026-06-11 20:26:07","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-7q3w-xqjw-g3cr"}]}],"filament\/actions":[{"advisoryId":"PKSA-ndkp-2znf-9m7c","packageName":"filament\/actions","remoteId":"GHSA-7q3w-xqjw-g3cr","title":"Filament has inconsistent scope enforcement for its AttachAction and AssociateAction Select fields","link":"https:\/\/github.com\/advisories\/GHSA-7q3w-xqjw-g3cr","cve":"CVE-2026-48067","affectedVersions":"\u003E=5.0.0,\u003C=5.6.3|\u003E=4.0.0,\u003C=4.11.3","source":"GitHub","reportedAt":"2026-06-11 20:26:07","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-7q3w-xqjw-g3cr"}]}],"typo3\/cms-core":[{"advisoryId":"PKSA-32mm-z25f-2ysj","packageName":"typo3\/cms-core","remoteId":"typo3\/cms-core\/CVE-2026-47351.yaml","title":"TYPO3-CORE-SA-2026-014: Broken Access Control in Clipboard","link":"https:\/\/typo3.org\/security\/advisory\/typo3-core-sa-2026-014","cve":"CVE-2026-47351","affectedVersions":"\u003C10.4.57|\u003E=11.0.0,\u003C11.5.51|\u003E=12.0.0,\u003C12.4.46|\u003E=13.0.0,\u003C13.4.31|\u003E=14.0.0,\u003C14.3.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-09 09:00:20","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-q93m-25xv-94hh"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"typo3\/cms-core\/CVE-2026-47351.yaml"}]},{"advisoryId":"PKSA-q3vc-jr63-rrrj","packageName":"typo3\/cms-core","remoteId":"typo3\/cms-core\/CVE-2026-49740.yaml","title":"TYPO3-CORE-SA-2026-018: Insecure Deserialization in Core API","link":"https:\/\/typo3.org\/security\/advisory\/typo3-core-sa-2026-018","cve":"CVE-2026-49740","affectedVersions":"\u003C10.4.57|\u003E=11.0.0,\u003C11.5.51|\u003E=12.0.0,\u003C12.4.46|\u003E=13.0.0,\u003C13.4.31|\u003E=14.0.0,\u003C14.3.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-09 09:03:02","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-c78m-c52x-jgwp"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"typo3\/cms-core\/CVE-2026-49740.yaml"}]},{"advisoryId":"PKSA-pg93-52nb-x8ym","packageName":"typo3\/cms-core","remoteId":"typo3\/cms-core\/CVE-2026-47348.yaml","title":"TYPO3-CORE-SA-2026-010: Cross-Site Scripting in Indexed Search","link":"https:\/\/typo3.org\/security\/advisory\/typo3-core-sa-2026-010","cve":"CVE-2026-47348","affectedVersions":"\u003E=13.0.0,\u003C13.4.31|\u003E=14.0.0,\u003C14.3.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-09 08:57:39","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-cg75-qfg2-w9hj"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"typo3\/cms-core\/CVE-2026-47348.yaml"}]},{"advisoryId":"PKSA-gj1k-954p-nhmk","packageName":"typo3\/cms-core","remoteId":"typo3\/cms-core\/CVE-2026-49738.yaml","title":"TYPO3-CORE-SA-2026-016: Broken Access Control in File Abstraction Layer","link":"https:\/\/typo3.org\/security\/advisory\/typo3-core-sa-2026-016","cve":"CVE-2026-49738","affectedVersions":"\u003C10.4.57|\u003E=11.0.0,\u003C11.5.51|\u003E=12.0.0,\u003C12.4.46|\u003E=13.0.0,\u003C13.4.31|\u003E=14.0.0,\u003C14.3.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-09 09:01:48","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-jf56-v8jc-jcc5"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"typo3\/cms-core\/CVE-2026-49738.yaml"}]},{"advisoryId":"PKSA-gr4f-6g49-cg8v","packageName":"typo3\/cms-core","remoteId":"typo3\/cms-core\/CVE-2026-47352.yaml","title":"TYPO3-CORE-SA-2026-015: Broken Access Control in Backend API","link":"https:\/\/typo3.org\/security\/advisory\/typo3-core-sa-2026-015","cve":"CVE-2026-47352","affectedVersions":"\u003C10.4.57|\u003E=11.0.0,\u003C11.5.51|\u003E=12.0.0,\u003C12.4.46|\u003E=13.0.0,\u003C13.4.31|\u003E=14.0.0,\u003C14.3.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-09 09:01:04","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-2j54-93q2-3hjq"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"typo3\/cms-core\/CVE-2026-47352.yaml"}]},{"advisoryId":"PKSA-6jfs-jhtj-72x7","packageName":"typo3\/cms-core","remoteId":"typo3\/cms-core\/CVE-2026-47346.yaml","title":"TYPO3-CORE-SA-2026-008: Broken Access Control in Form Framework","link":"https:\/\/typo3.org\/security\/advisory\/typo3-core-sa-2026-008","cve":"CVE-2026-47346","affectedVersions":"\u003C10.4.57|\u003E=11.0.0,\u003C11.5.51|\u003E=12.0.0,\u003C12.4.46|\u003E=13.0.0,\u003C13.4.31|\u003E=14.0.0,\u003C14.3.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-09 08:56:21","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-hwvq-2w67-rvxp"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"typo3\/cms-core\/CVE-2026-47346.yaml"}]},{"advisoryId":"PKSA-2yr3-by9d-r1gh","packageName":"typo3\/cms-core","remoteId":"typo3\/cms-core\/CVE-2026-11607.yaml","title":"TYPO3-CORE-SA-2026-019: Broken Access Control in Form Framework","link":"https:\/\/typo3.org\/security\/advisory\/typo3-core-sa-2026-019","cve":"CVE-2026-11607","affectedVersions":"\u003C10.4.57|\u003E=11.0.0,\u003C11.5.51|\u003E=12.0.0,\u003C12.4.46|\u003E=13.0.0,\u003C13.4.31|\u003E=14.0.0,\u003C14.3.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-09 09:06:07","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pjpj-v387-x4vq"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"typo3\/cms-core\/CVE-2026-11607.yaml"}]},{"advisoryId":"PKSA-bzt2-2962-49bj","packageName":"typo3\/cms-core","remoteId":"typo3\/cms-core\/CVE-2026-47349.yaml","title":"TYPO3-CORE-SA-2026-011: Broken Access Control in Recycler","link":"https:\/\/typo3.org\/security\/advisory\/typo3-core-sa-2026-011","cve":"CVE-2026-47349","affectedVersions":"\u003C10.4.57|\u003E=11.0.0,\u003C11.5.51|\u003E=12.0.0,\u003C12.4.46|\u003E=13.0.0,\u003C13.4.31|\u003E=14.0.0,\u003C14.3.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-09 08:58:19","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f34x-rx2w-7pm3"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"typo3\/cms-core\/CVE-2026-47349.yaml"}]},{"advisoryId":"PKSA-vbrn-fwpj-xmx5","packageName":"typo3\/cms-core","remoteId":"typo3\/cms-core\/CVE-2026-49742.yaml","title":"TYPO3-CORE-SA-2026-013: Broken Access Control in Media Module","link":"https:\/\/typo3.org\/security\/advisory\/typo3-core-sa-2026-013","cve":"CVE-2026-49742","affectedVersions":"\u003E=11.0.0,\u003C11.5.51|\u003E=12.0.0,\u003C12.4.46|\u003E=13.0.0,\u003C13.4.31|\u003E=14.0.0,\u003C14.3.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-09 08:59:35","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-chm7-4vch-h8vr"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"typo3\/cms-core\/CVE-2026-49742.yaml"}]},{"advisoryId":"PKSA-s3vj-chpj-8wrn","packageName":"typo3\/cms-core","remoteId":"typo3\/cms-core\/CVE-2026-47347.yaml","title":"TYPO3-CORE-SA-2026-009: Open Redirect in TYPO3 CMS","link":"https:\/\/typo3.org\/security\/advisory\/typo3-core-sa-2026-009","cve":"CVE-2026-47347","affectedVersions":"\u003C10.4.57|\u003E=11.0.0,\u003C11.5.51|\u003E=12.0.0,\u003C12.4.46|\u003E=13.0.0,\u003C13.4.31|\u003E=14.0.0,\u003C14.3.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-09 08:57:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3p42-w5ch-gg42"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"typo3\/cms-core\/CVE-2026-47347.yaml"}]},{"advisoryId":"PKSA-ghx2-mc2z-fx6x","packageName":"typo3\/cms-core","remoteId":"typo3\/cms-core\/CVE-2026-47343.yaml","title":"TYPO3-CORE-SA-2026-007: Broken Access Control in File Abstraction Layer","link":"https:\/\/typo3.org\/security\/advisory\/typo3-core-sa-2026-007","cve":"CVE-2026-47343","affectedVersions":"\u003C10.4.57|\u003E=11.0.0,\u003C11.5.51|\u003E=12.0.0,\u003C12.4.46|\u003E=13.0.0,\u003C13.4.31|\u003E=14.0.0,\u003C14.3.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-09 08:55:42","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-3v8v-4wg6-r7qh"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"typo3\/cms-core\/CVE-2026-47343.yaml"}]},{"advisoryId":"PKSA-vv7s-w171-wb2j","packageName":"typo3\/cms-core","remoteId":"typo3\/cms-core\/CVE-2026-47350.yaml","title":"TYPO3-CORE-SA-2026-012: Broken Access Control in DataHandler","link":"https:\/\/typo3.org\/security\/advisory\/typo3-core-sa-2026-012","cve":"CVE-2026-47350","affectedVersions":"\u003E=13.0.0,\u003C13.4.31|\u003E=14.0.0,\u003C14.3.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-09 08:58:58","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-qcmw-6rm2-5x78"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"typo3\/cms-core\/CVE-2026-47350.yaml"}]},{"advisoryId":"PKSA-hqhs-7j5f-td2d","packageName":"typo3\/cms-core","remoteId":"typo3\/cms-core\/CVE-2026-49741.yaml","title":"TYPO3-CORE-SA-2026-017: Privilege Escalation \u0026amp; SQL Injection in Form Framework","link":"https:\/\/typo3.org\/security\/advisory\/typo3-core-sa-2026-017","cve":"CVE-2026-49741","affectedVersions":"\u003E=14.0.0,\u003C14.3.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-09 09:02:19","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-jh32-v29g-68pq"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"typo3\/cms-core\/CVE-2026-49741.yaml"}]}],"typo3\/html-sanitizer":[{"advisoryId":"PKSA-7jn3-yc49-35c6","packageName":"typo3\/html-sanitizer","remoteId":"typo3\/html-sanitizer\/CVE-2026-47345.yaml","title":"TYPO3-CORE-SA-2026-006: TYPO3 HTML Sanitizer allows Cross-Site Scripting","link":"https:\/\/typo3.org\/security\/advisory\/typo3-core-sa-2026-006","cve":"CVE-2026-47345","affectedVersions":"\u003C2.3.2","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-08 20:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-p5j5-4j3q-8mq8"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"typo3\/html-sanitizer\/CVE-2026-47345.yaml"}]},{"advisoryId":"PKSA-5mxx-9w1m-fqfb","packageName":"typo3\/html-sanitizer","remoteId":"typo3\/html-sanitizer\/CVE-2026-47344.yaml","title":"TYPO3-CORE-SA-2026-006: TYPO3 HTML Sanitizer allows Cross-Site Scripting","link":"https:\/\/typo3.org\/security\/advisory\/typo3-core-sa-2026-006","cve":"CVE-2026-47344","affectedVersions":"\u003C2.3.2","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-08 20:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-jvf5-rxvv-3mcg"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"typo3\/html-sanitizer\/CVE-2026-47344.yaml"}]}],"froxlor\/froxlor":[{"advisoryId":"PKSA-bhjh-v6gp-f43f","packageName":"froxlor\/froxlor","remoteId":"GHSA-f9rx-7wf7-jr36","title":"Froxlor\u0027s API Authentication bypasses 2FA Authentication","link":"https:\/\/github.com\/advisories\/GHSA-f9rx-7wf7-jr36","cve":"CVE-2026-52793","affectedVersions":"\u003C2.3.7","source":"GitHub","reportedAt":"2026-06-03 21:41:12","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-f9rx-7wf7-jr36"}]},{"advisoryId":"PKSA-sn72-k1q6-w5r5","packageName":"froxlor\/froxlor","remoteId":"GHSA-j6fm-9rfm-j5hx","title":"Froxlor has an incomplete fix for CVE-2026-30932","link":"https:\/\/github.com\/advisories\/GHSA-j6fm-9rfm-j5hx","cve":"CVE-2026-41237","affectedVersions":"\u003C=2.3.6","source":"GitHub","reportedAt":"2026-05-29 15:45:31","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-j6fm-9rfm-j5hx"}]}],"symfony\/mailomat-mailer":[{"advisoryId":"PKSA-9y9v-rcsm-h82j","packageName":"symfony\/mailomat-mailer","remoteId":"symfony\/mailomat-mailer\/CVE-2026-48747.yaml","title":"CVE-2026-48747: Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade","link":"https:\/\/symfony.com\/cve-2026-48747","cve":"CVE-2026-48747","affectedVersions":"\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-rrj9-5q2j-4gvr"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/mailomat-mailer\/CVE-2026-48747.yaml"}]}],"symfony\/http-foundation":[{"advisoryId":"PKSA-y6py-qpv1-h52p","packageName":"symfony\/http-foundation","remoteId":"symfony\/http-foundation\/CVE-2026-48736.yaml","title":"CVE-2026-48736: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient","link":"https:\/\/symfony.com\/cve-2026-48736","cve":"CVE-2026-48736","affectedVersions":"\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-38cx-cq6f-5755"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/http-foundation\/CVE-2026-48736.yaml"}]}],"symfony\/security-http":[{"advisoryId":"PKSA-c28x-6bj5-8spx","packageName":"symfony\/security-http","remoteId":"symfony\/security-http\/CVE-2026-48489.yaml","title":"CVE-2026-48489: Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET Routes","link":"https:\/\/symfony.com\/cve-2026-48489","cve":"CVE-2026-48489","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.53|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-6h46-9jf5-q59x"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/security-http\/CVE-2026-48489.yaml"}]}],"symfony\/http-client":[{"advisoryId":"PKSA-35by-yxtt-jc85","packageName":"symfony\/http-client","remoteId":"symfony\/http-client\/CVE-2026-48736.yaml","title":"CVE-2026-48736: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient","link":"https:\/\/symfony.com\/cve-2026-48736","cve":"CVE-2026-48736","affectedVersions":"\u003E=5.4.0,\u003C5.4.53","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-38cx-cq6f-5755"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/http-client\/CVE-2026-48736.yaml"}]}],"symfony\/routing":[{"advisoryId":"PKSA-bf7t-jnpz-492k","packageName":"symfony\/routing","remoteId":"symfony\/routing\/CVE-2026-48784.yaml","title":"CVE-2026-48784: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `..\/` or `.\/` \u2192 Generated URL Collapses Off-Route Under RFC 3986 Normalization","link":"https:\/\/symfony.com\/cve-2026-48784","cve":"CVE-2026-48784","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.53|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-h5x3-xfc9-m39h"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/routing\/CVE-2026-48784.yaml"}]}],"symfony\/html-sanitizer":[{"advisoryId":"PKSA-3d8r-4bff-vcj1","packageName":"symfony\/html-sanitizer","remoteId":"symfony\/html-sanitizer\/CVE-2026-48761.yaml","title":"CVE-2026-48761: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes on \u003Cobject\u003E, \u003Capplet\u003E, \u003Ciframe\u003E, \u003Cimg\u003E and the URL Inside \u003Cmeta http-equiv=\u0022refresh\u0022\u003E content","link":"https:\/\/symfony.com\/cve-2026-48761","cve":"CVE-2026-48761","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-x5qj-865h-mgvm"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/html-sanitizer\/CVE-2026-48761.yaml"}]},{"advisoryId":"PKSA-bvdf-tk8n-sbsf","packageName":"symfony\/html-sanitizer","remoteId":"symfony\/html-sanitizer\/CVE-2026-48760.yaml","title":"CVE-2026-48760: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense","link":"https:\/\/symfony.com\/cve-2026-48760","cve":"CVE-2026-48760","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-v3wm-qf9p-c549"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/html-sanitizer\/CVE-2026-48760.yaml"}]}],"thorsten\/phpmyfaq":[{"advisoryId":"PKSA-q6mm-vp1w-mgjs","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-9pq7-mfwh-xx2j","title":"phpMyFAQ enables unauthenticated 2FA brute-force attack via \/admin\/check acceptance of arbitrary user-id","link":"https:\/\/github.com\/advisories\/GHSA-9pq7-mfwh-xx2j","cve":"CVE-2026-45010","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:42:54","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-9pq7-mfwh-xx2j"}]},{"advisoryId":"PKSA-n87n-9t5q-zcf5","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-pm8c-3qq3-72w7","title":"phpMyFAQ has SQL Injection in CurrentUser::setTokenData through unescaped OAuth token fields","link":"https:\/\/github.com\/advisories\/GHSA-pm8c-3qq3-72w7","cve":"CVE-2026-46359","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:44:39","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pm8c-3qq3-72w7"}]},{"advisoryId":"PKSA-k9ft-9rnh-h8dn","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-99qv-g4x9-mgc3","title":"phpMyFAQ has unauthenticated FAQ permission bypass via getFaqBySolutionId fallback query","link":"https:\/\/github.com\/advisories\/GHSA-99qv-g4x9-mgc3","cve":"CVE-2026-46366","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:45:01","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-99qv-g4x9-mgc3"}]},{"advisoryId":"PKSA-djzh-dx9x-j5hd","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-gh9p-q46p-57g2","title":"phpMyFAQ: Path Traversal in Client::deleteClientFolder enables arbitrary directory deletion by non-super-admin admins","link":"https:\/\/github.com\/advisories\/GHSA-gh9p-q46p-57g2","cve":"CVE-2026-45008","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:47:54","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gh9p-q46p-57g2"}]},{"advisoryId":"PKSA-trv8-7xnx-t8d9","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-289f-fq7w-6q2w","title":"phpMyFAQ has unauthenticated SQL injection via User-Agent header in BuiltinCaptcha","link":"https:\/\/github.com\/advisories\/GHSA-289f-fq7w-6q2w","cve":"CVE-2026-46364","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:49:15","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-289f-fq7w-6q2w"}]},{"advisoryId":"PKSA-198b-7kr6-ksdh","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-pqh6-8fxf-jx22","title":"phpMyFAQ has stored XSS via | raw Filter in search.twig \u2014 html_entity_decode(strip_tags()) Bypass in Search Result Rendering","link":"https:\/\/github.com\/advisories\/GHSA-pqh6-8fxf-jx22","cve":"CVE-2026-46361","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:31:54","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-pqh6-8fxf-jx22"}]},{"advisoryId":"PKSA-42b7-bh2b-d7nn","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-jrc5-w569-h7h5","title":"phpMyFAQ: Ordinary Authenticated User Can Access Admin-Only API Endpoints Due to Insufficient Authorization Check in phpMyFAQ","link":"https:\/\/github.com\/advisories\/GHSA-jrc5-w569-h7h5","cve":"CVE-2026-45009","affectedVersions":"=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:37:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-jrc5-w569-h7h5"}]},{"advisoryId":"PKSA-pmsp-dtdj-k1f9","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-rm98-82fr-mcfx","title":"phpMyFAQ\u0027s Missing CONFIGURATION_EDIT Permission Check on 12 Admin API Configuration Tab Endpoints Allows Information Disclosure by Any Authenticated User","link":"https:\/\/github.com\/advisories\/GHSA-rm98-82fr-mcfx","cve":"CVE-2026-45007","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:24:39","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-rm98-82fr-mcfx"}]},{"advisoryId":"PKSA-1zxw-krpv-74xh","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-9525-27vj-c8r8","title":"phpMyFAQ has stored XSS via Utils::parseUrl() in comment rendering","link":"https:\/\/github.com\/advisories\/GHSA-9525-27vj-c8r8","cve":"CVE-2026-46367","affectedVersions":"=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:10:48","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-9525-27vj-c8r8"}]},{"advisoryId":"PKSA-b77f-s5cd-b1qh","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-hpgw-ww76-c68r","title":"phpMyFAQ has an Authorization Bypass in All Admin Pages Due to Non-Terminating Permission Check","link":"https:\/\/github.com\/advisories\/GHSA-hpgw-ww76-c68r","cve":"CVE-2026-46362","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:11:52","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hpgw-ww76-c68r"}]},{"advisoryId":"PKSA-jr2y-dd2x-qtks","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-f5p7-2c9q-8896","title":"phpMyFAQ has Stored XSS in FAQ Question\/Answer via Encode-Decode Bypass of removeAttributes() Sanitization","link":"https:\/\/github.com\/advisories\/GHSA-f5p7-2c9q-8896","cve":"CVE-2026-46363","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:18:02","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f5p7-2c9q-8896"}]},{"advisoryId":"PKSA-sw8q-jkxw-m11r","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-whqh-9pq5-c7r3","title":"phpMyFAQ has a SVG Sanitizer Entity Decoding Depth Limit Bypass Leading to Stored XSS","link":"https:\/\/github.com\/advisories\/GHSA-whqh-9pq5-c7r3","cve":"CVE-2026-46360","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:18:48","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-whqh-9pq5-c7r3"}]}],"phpmyfaq\/phpmyfaq":[{"advisoryId":"PKSA-6pt5-mfr3-5b72","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-9pq7-mfwh-xx2j","title":"phpMyFAQ enables unauthenticated 2FA brute-force attack via \/admin\/check acceptance of arbitrary user-id","link":"https:\/\/github.com\/advisories\/GHSA-9pq7-mfwh-xx2j","cve":"CVE-2026-45010","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:42:54","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-9pq7-mfwh-xx2j"}]},{"advisoryId":"PKSA-r4gq-dd3d-gxrj","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-pm8c-3qq3-72w7","title":"phpMyFAQ has SQL Injection in CurrentUser::setTokenData through unescaped OAuth token fields","link":"https:\/\/github.com\/advisories\/GHSA-pm8c-3qq3-72w7","cve":"CVE-2026-46359","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:44:39","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pm8c-3qq3-72w7"}]},{"advisoryId":"PKSA-76kk-7mdh-r8h5","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-99qv-g4x9-mgc3","title":"phpMyFAQ has unauthenticated FAQ permission bypass via getFaqBySolutionId fallback query","link":"https:\/\/github.com\/advisories\/GHSA-99qv-g4x9-mgc3","cve":"CVE-2026-46366","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:45:01","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-99qv-g4x9-mgc3"}]},{"advisoryId":"PKSA-tvkw-wcnm-h63h","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-gh9p-q46p-57g2","title":"phpMyFAQ: Path Traversal in Client::deleteClientFolder enables arbitrary directory deletion by non-super-admin admins","link":"https:\/\/github.com\/advisories\/GHSA-gh9p-q46p-57g2","cve":"CVE-2026-45008","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:47:54","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gh9p-q46p-57g2"}]},{"advisoryId":"PKSA-6nrc-qfr1-rds3","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-289f-fq7w-6q2w","title":"phpMyFAQ has unauthenticated SQL injection via User-Agent header in BuiltinCaptcha","link":"https:\/\/github.com\/advisories\/GHSA-289f-fq7w-6q2w","cve":"CVE-2026-46364","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:49:15","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-289f-fq7w-6q2w"}]},{"advisoryId":"PKSA-7dk8-b5d5-n9bf","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-pqh6-8fxf-jx22","title":"phpMyFAQ has stored XSS via | raw Filter in search.twig \u2014 html_entity_decode(strip_tags()) Bypass in Search Result Rendering","link":"https:\/\/github.com\/advisories\/GHSA-pqh6-8fxf-jx22","cve":"CVE-2026-46361","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:31:54","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-pqh6-8fxf-jx22"}]},{"advisoryId":"PKSA-v8r2-1321-xzpp","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-jrc5-w569-h7h5","title":"phpMyFAQ: Ordinary Authenticated User Can Access Admin-Only API Endpoints Due to Insufficient Authorization Check in phpMyFAQ","link":"https:\/\/github.com\/advisories\/GHSA-jrc5-w569-h7h5","cve":"CVE-2026-45009","affectedVersions":"=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:37:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-jrc5-w569-h7h5"}]},{"advisoryId":"PKSA-n88j-cgtd-2fvg","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-rm98-82fr-mcfx","title":"phpMyFAQ\u0027s Missing CONFIGURATION_EDIT Permission Check on 12 Admin API Configuration Tab Endpoints Allows Information Disclosure by Any Authenticated User","link":"https:\/\/github.com\/advisories\/GHSA-rm98-82fr-mcfx","cve":"CVE-2026-45007","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:24:39","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-rm98-82fr-mcfx"}]},{"advisoryId":"PKSA-vm8f-6283-2vfw","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-9525-27vj-c8r8","title":"phpMyFAQ has stored XSS via Utils::parseUrl() in comment rendering","link":"https:\/\/github.com\/advisories\/GHSA-9525-27vj-c8r8","cve":"CVE-2026-46367","affectedVersions":"=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:10:48","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-9525-27vj-c8r8"}]},{"advisoryId":"PKSA-8syh-w2cp-tqks","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-hpgw-ww76-c68r","title":"phpMyFAQ has an Authorization Bypass in All Admin Pages Due to Non-Terminating Permission Check","link":"https:\/\/github.com\/advisories\/GHSA-hpgw-ww76-c68r","cve":"CVE-2026-46362","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:11:52","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hpgw-ww76-c68r"}]},{"advisoryId":"PKSA-6zc3-3brt-ftsh","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-f5p7-2c9q-8896","title":"phpMyFAQ has Stored XSS in FAQ Question\/Answer via Encode-Decode Bypass of removeAttributes() Sanitization","link":"https:\/\/github.com\/advisories\/GHSA-f5p7-2c9q-8896","cve":"CVE-2026-46363","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:18:02","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f5p7-2c9q-8896"}]},{"advisoryId":"PKSA-jn65-sph2-9wn9","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-whqh-9pq5-c7r3","title":"phpMyFAQ has a SVG Sanitizer Entity Decoding Depth Limit Bypass Leading to Stored XSS","link":"https:\/\/github.com\/advisories\/GHSA-whqh-9pq5-c7r3","cve":"CVE-2026-46360","affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:18:48","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-whqh-9pq5-c7r3"}]}],"ipl\/web":[{"advisoryId":"PKSA-k319-99m7-bjxd","packageName":"ipl\/web","remoteId":"GHSA-55wf-5m3q-6jjf","title":"ipl\/web is vulnerable to reflected XSS by malformed search requests","link":"https:\/\/github.com\/advisories\/GHSA-55wf-5m3q-6jjf","cve":"CVE-2026-42224","affectedVersions":"\u003C=0.10.2|\u003E=0.11.0,\u003C=0.13.0","source":"GitHub","reportedAt":"2026-04-29 21:01:55","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-55wf-5m3q-6jjf"}]}]}}