{"advisories":{"starcitizenwiki\/embedvideo":[{"advisoryId":"PKSA-wg3k-7dyt-r1n5","packageName":"starcitizenwiki\/embedvideo","remoteId":"GHSA-5c7p-g73q-rpg5","title":"StarCitizenWiki Extension Embed Video: Stored XSS via malformed src url with $wgEmbedVideoRequireConsent enabled","link":"https:\/\/github.com\/advisories\/GHSA-5c7p-g73q-rpg5","cve":"CVE-2026-55692","affectedVersions":"\u003C=4.0.0","source":"GitHub","reportedAt":"2026-06-19 21:41:57","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-5c7p-g73q-rpg5"}]},{"advisoryId":"PKSA-bvqp-6135-khxc","packageName":"starcitizenwiki\/embedvideo","remoteId":"GHSA-c29q-5xm7-5p62","title":"StarCitizenWiki Extension Embed Video: Stored XSS via unsanitized service name in exception text","link":"https:\/\/github.com\/advisories\/GHSA-c29q-5xm7-5p62","cve":"CVE-2026-55690","affectedVersions":"\u003C=4.0.0","source":"GitHub","reportedAt":"2026-06-19 21:14:15","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-c29q-5xm7-5p62"}]},{"advisoryId":"PKSA-17vj-28c7-d53v","packageName":"starcitizenwiki\/embedvideo","remoteId":"GHSA-7h5p-637f-jfr7","title":"StarCitizenWiki Extension Embed Video: Stored XSS via unsanitized class passed to template","link":"https:\/\/github.com\/advisories\/GHSA-7h5p-637f-jfr7","cve":"CVE-2026-55691","affectedVersions":"\u003C=4.0.0","source":"GitHub","reportedAt":"2026-06-19 21:15:03","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-7h5p-637f-jfr7"}]}],"craftcms\/cms":[{"advisoryId":"PKSA-5xds-5mf3-ckxn","packageName":"craftcms\/cms","remoteId":"GHSA-c55v-343g-5xff","title":"Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in 
actionResourceJs","link":"https:\/\/github.com\/advisories\/GHSA-c55v-343g-5xff","cve":"CVE-2026-55791","affectedVersions":"\u003E=4.0.0-RC1,\u003C4.18|\u003E=5.0.0-RC1,\u003C5.10","source":"GitHub","reportedAt":"2026-06-19 21:15:19","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-c55v-343g-5xff"}]}],"craftcms\/commerce":[{"advisoryId":"PKSA-3cyb-p9z9-9j9r","packageName":"craftcms\/commerce","remoteId":"GHSA-78vr-q6cf-c7p6","title":"Craft Commerce: Partial Payment Amount Without Lower Bound Validation","link":"https:\/\/github.com\/advisories\/GHSA-78vr-q6cf-c7p6","cve":null,"affectedVersions":"\u003E=4.0.0,\u003C=4.11.1|\u003E=5.0.0,\u003C=5.6.4","source":"GitHub","reportedAt":"2026-06-19 21:15:23","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-78vr-q6cf-c7p6"}]},{"advisoryId":"PKSA-8pd1-kqxv-12wq","packageName":"craftcms\/commerce","remoteId":"GHSA-h5gm-x9wr-vhcm","title":"Craft Commerce: Coupon Code Brute-Force via Rate Limit Bypass","link":"https:\/\/github.com\/advisories\/GHSA-h5gm-x9wr-vhcm","cve":"CVE-2026-55795","affectedVersions":"\u003E=4.0.0,\u003C=4.11.1|\u003E=5.0.0,\u003C=5.6.4","source":"GitHub","reportedAt":"2026-06-19 21:15:26","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-h5gm-x9wr-vhcm"}]}],"cotonti\/cotonti":[{"advisoryId":"PKSA-cy3k-vcz8-1k97","packageName":"cotonti\/cotonti","remoteId":"GHSA-hp3v-wp32-953h","title":"Cotonti:  Cross-Site Request Forgery in the Personal File Storage (PFS) module","link":"https:\/\/github.com\/advisories\/GHSA-hp3v-wp32-953h","cve":"CVE-2026-55745","affectedVersions":"\u003C=1.0.0","source":"GitHub","reportedAt":"2026-06-18 
12:40:26","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hp3v-wp32-953h"}]},{"advisoryId":"PKSA-sv92-d57h-xntt","packageName":"cotonti\/cotonti","remoteId":"GHSA-7g3p-35vc-mgjr","title":"Cotonti: Cross-Site Request Forgery in the administration rights handler","link":"https:\/\/github.com\/advisories\/GHSA-7g3p-35vc-mgjr","cve":"CVE-2026-55742","affectedVersions":"\u003C=1.0.0","source":"GitHub","reportedAt":"2026-06-18 12:40:25","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-7g3p-35vc-mgjr"}]},{"advisoryId":"PKSA-4kh8-r3m8-hxqy","packageName":"cotonti\/cotonti","remoteId":"GHSA-86hp-hf3j-3m8r","title":"Cotonti: Stored Cross-Site Scripting in the Personal File Storage (PFS) module","link":"https:\/\/github.com\/advisories\/GHSA-86hp-hf3j-3m8r","cve":"CVE-2026-55746","affectedVersions":"\u003C=1.0.0","source":"GitHub","reportedAt":"2026-06-18 12:40:26","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-86hp-hf3j-3m8r"}]},{"advisoryId":"PKSA-5cx6-4jyf-9qk9","packageName":"cotonti\/cotonti","remoteId":"GHSA-wx35-cv59-9gwr","title":"Cotonti: Cross-Site Request Forgery in the Personal File Storage (PFS) module","link":"https:\/\/github.com\/advisories\/GHSA-wx35-cv59-9gwr","cve":"CVE-2026-55744","affectedVersions":"\u003C=1.0.0","source":"GitHub","reportedAt":"2026-06-18 12:40:25","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-wx35-cv59-9gwr"}]}],"pimcore\/pimcore":[{"advisoryId":"PKSA-6dhb-gq75-qpgr","packageName":"pimcore\/pimcore","remoteId":"GHSA-7p36-fq2r-4h7r","title":"Pimcore CMS Twig Sandbox Bypass via SecurityPolicy checkMethodAllowed","link":"https:\/\/github.com\/advisories\/GHSA-7p36-fq2r-4h7r","cve":"CVE-2026-11407","affectedVersions":"\u003C=12.3.8","source":"GitHub","reportedAt":"2026-06-17 
21:34:38","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-7p36-fq2r-4h7r"}]}],"guzzlehttp\/psr7":[{"advisoryId":"PKSA-7qs6-zvnz-h66r","packageName":"guzzlehttp\/psr7","remoteId":"guzzlehttp\/psr7\/CVE-2026-55766.yaml","title":"CRLF injection in HTTP start-line serialization","link":"https:\/\/github.com\/guzzle\/psr7\/security\/advisories\/GHSA-vm85-hxw5-5432","cve":"CVE-2026-55766","affectedVersions":"\u003C2.12.1","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-18 09:49:37","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-vm85-hxw5-5432"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"guzzlehttp\/psr7\/CVE-2026-55766.yaml"}]},{"advisoryId":"PKSA-gm5x-j3mz-71n9","packageName":"guzzlehttp\/psr7","remoteId":"guzzlehttp\/psr7\/CVE-2026-49214.yaml","title":"CRLF injection via URI host component","link":"https:\/\/github.com\/guzzle\/psr7\/security\/advisories\/GHSA-hq7v-mx3g-29hw","cve":"CVE-2026-49214","affectedVersions":"\u003C2.10.2","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-25 22:58:15","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hq7v-mx3g-29hw"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"guzzlehttp\/psr7\/CVE-2026-49214.yaml"}]},{"advisoryId":"PKSA-jj5t-2zs1-dcfm","packageName":"guzzlehttp\/psr7","remoteId":"guzzlehttp\/psr7\/CVE-2026-48998.yaml","title":"Host confusion via authority reinterpretation","link":"https:\/\/github.com\/guzzle\/psr7\/security\/advisories\/GHSA-34xg-wgjx-8xph","cve":"CVE-2026-48998","affectedVersions":"\u003C2.10.2","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-25 
22:58:15","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-34xg-wgjx-8xph"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"guzzlehttp\/psr7\/CVE-2026-48998.yaml"}]},{"advisoryId":"PKSA-hn62-zkx4-1y5q","packageName":"guzzlehttp\/psr7","remoteId":"guzzlehttp\/psr7\/CVE-2023-29197.yaml","title":"Improper header validation","link":"https:\/\/github.com\/guzzle\/psr7\/security\/advisories\/GHSA-wxmh-65f7-jcvw","cve":"CVE-2023-29197","affectedVersions":"\u003E=2,\u003C2.4.5|\u003C1.9.1","source":"FriendsOfPHP\/security-advisories","reportedAt":"2023-04-17 16:00:37","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-wxmh-65f7-jcvw"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"guzzlehttp\/psr7\/CVE-2023-29197.yaml"}]},{"advisoryId":"PKSA-gvzg-s447-b5b5","packageName":"guzzlehttp\/psr7","remoteId":"guzzlehttp\/psr7\/CVE-2022-24775.yaml","title":"Improper parsing of HTTP headers","link":"https:\/\/github.com\/guzzle\/psr7\/security\/advisories\/GHSA-q7rv-6hp3-vh96","cve":"CVE-2022-24775","affectedVersions":"\u003E=2,\u003C2.1.1|\u003C1.8.4","source":"FriendsOfPHP\/security-advisories","reportedAt":"2022-03-20 13:44:44","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-q7rv-6hp3-vh96"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"guzzlehttp\/psr7\/CVE-2022-24775.yaml"}]}],"guzzlehttp\/guzzle":[{"advisoryId":"PKSA-93qv-9n9h-6k6p","packageName":"guzzlehttp\/guzzle","remoteId":"guzzlehttp\/guzzle\/CVE-2026-55767.yaml","title":"Dot-only cookie domains match all hosts","link":"https:\/\/github.com\/guzzle\/guzzle\/security\/advisories\/GHSA-cwxw-98qj-8qjx","cve":"CVE-2026-55767","affectedVersions":"\u003C7.12.1","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-18 
14:12:49","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-cwxw-98qj-8qjx"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"guzzlehttp\/guzzle\/CVE-2026-55767.yaml"}]},{"advisoryId":"PKSA-k22t-f949-t9g6","packageName":"guzzlehttp\/guzzle","remoteId":"guzzlehttp\/guzzle\/CVE-2026-55568.yaml","title":"Silent HTTPS proxy downgrade to cleartext","link":"https:\/\/github.com\/guzzle\/guzzle\/security\/advisories\/GHSA-wpwq-4j6v-78m3","cve":"CVE-2026-55568","affectedVersions":"\u003C7.12.1","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-18 14:12:49","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-wpwq-4j6v-78m3"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"guzzlehttp\/guzzle\/CVE-2026-55568.yaml"}]},{"advisoryId":"PKSA-yfw5-9gnj-n2c7","packageName":"guzzlehttp\/guzzle","remoteId":"guzzlehttp\/guzzle\/CVE-2022-31091.yaml","title":"Change in port should be considered a change in origin","link":"https:\/\/github.com\/guzzle\/guzzle\/security\/advisories\/GHSA-q559-8m2m-g699","cve":"CVE-2022-31091","affectedVersions":"\u003E=7,\u003C7.4.5|\u003E=4,\u003C6.5.8","source":"FriendsOfPHP\/security-advisories","reportedAt":"2022-06-20 22:16:07","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-q559-8m2m-g699"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"guzzlehttp\/guzzle\/CVE-2022-31091.yaml"}]},{"advisoryId":"PKSA-k1b4-kshy-xgbh","packageName":"guzzlehttp\/guzzle","remoteId":"guzzlehttp\/guzzle\/CVE-2022-31090.yaml","title":"CURLOPT_HTTPAUTH option not cleared on change of origin","link":"https:\/\/github.com\/guzzle\/guzzle\/security\/advisories\/GHSA-25mq-v84q-4j7r","cve":"CVE-2022-31090","affectedVersions":"\u003E=7,\u003C7.4.5|\u003E=4,\u003C6.5.8","source":"FriendsOfPHP\/security-advisories","reportedAt":"2022-06-20 
22:16:07","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-25mq-v84q-4j7r"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"guzzlehttp\/guzzle\/CVE-2022-31090.yaml"}]},{"advisoryId":"PKSA-2z36-j4q9-rsfy","packageName":"guzzlehttp\/guzzle","remoteId":"guzzlehttp\/guzzle\/CVE-2022-31043.yaml","title":"Fix failure to strip Authorization header on HTTP downgrade","link":"https:\/\/github.com\/guzzle\/guzzle\/security\/advisories\/GHSA-w248-ffj2-4v5q","cve":"CVE-2022-31043","affectedVersions":"\u003E=7,\u003C7.4.4|\u003E=4,\u003C6.5.7","source":"FriendsOfPHP\/security-advisories","reportedAt":"2022-06-09 21:36:50","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-w248-ffj2-4v5q"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"guzzlehttp\/guzzle\/CVE-2022-31043.yaml"}]},{"advisoryId":"PKSA-fvw5-9t6n-nwvr","packageName":"guzzlehttp\/guzzle","remoteId":"guzzlehttp\/guzzle\/CVE-2022-31042.yaml","title":"Failure to strip the Cookie header on change in host or HTTP downgrade","link":"https:\/\/github.com\/guzzle\/guzzle\/security\/advisories\/GHSA-f2wf-25xc-69c9","cve":"CVE-2022-31042","affectedVersions":"\u003E=7,\u003C7.4.4|\u003E=4,\u003C6.5.7","source":"FriendsOfPHP\/security-advisories","reportedAt":"2022-06-09 21:36:50","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-f2wf-25xc-69c9"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"guzzlehttp\/guzzle\/CVE-2022-31042.yaml"}]},{"advisoryId":"PKSA-6d8m-6kgw-18zr","packageName":"guzzlehttp\/guzzle","remoteId":"guzzlehttp\/guzzle\/CVE-2022-29248.yaml","title":"Cross-domain cookie 
leakage","link":"https:\/\/github.com\/guzzle\/guzzle\/security\/advisories\/GHSA-cwmx-hcrq-mhc3","cve":"CVE-2022-29248","affectedVersions":"\u003E=7,\u003C7.4.3|\u003E=4,\u003C6.5.6","source":"FriendsOfPHP\/security-advisories","reportedAt":"2022-05-25 13:19:12","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-cwmx-hcrq-mhc3"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"guzzlehttp\/guzzle\/CVE-2022-29248.yaml"}]},{"advisoryId":"PKSA-stmn-hvzq-wph6","packageName":"guzzlehttp\/guzzle","remoteId":"guzzlehttp\/guzzle\/CVE-2016-5385.yaml","title":"HTTP Proxy header vulnerability","link":"https:\/\/github.com\/guzzle\/guzzle\/releases\/tag\/6.2.1","cve":"CVE-2016-5385","affectedVersions":"\u003E=6,\u003C6.2.1|\u003E=4.0.0-rc2,\u003C4.2.4|\u003E=5,\u003C5.3.1","source":"FriendsOfPHP\/security-advisories","reportedAt":"2016-07-15 17:44:18","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-m6ch-gg5f-wxx3"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"guzzlehttp\/guzzle\/CVE-2016-5385.yaml"}]}],"jleehr\/canto-saas-api":[{"advisoryId":"PKSA-j2jj-8zzq-m6yn","packageName":"jleehr\/canto-saas-api","remoteId":"GHSA-9qfv-wgh2-m6p8","title":"canto-saas-api: Authenticated API requests can be redirected via unencoded path variables","link":"https:\/\/github.com\/advisories\/GHSA-9qfv-wgh2-m6p8","cve":"CVE-2026-55374","affectedVersions":"\u003C=2.0.0","source":"GitHub","reportedAt":"2026-06-19 14:13:55","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-9qfv-wgh2-m6p8"}]},{"advisoryId":"PKSA-cgpk-zpcz-kxmr","packageName":"jleehr\/canto-saas-api","remoteId":"GHSA-37pm-83g7-r22v","title":"canto-saas-api: OAuth credentials exposed in URL query string and exception 
messages","link":"https:\/\/github.com\/advisories\/GHSA-37pm-83g7-r22v","cve":"CVE-2026-55375","affectedVersions":"\u003C=2.0.0","source":"GitHub","reportedAt":"2026-06-19 14:16:41","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-37pm-83g7-r22v"}]}],"symfony\/ux-icons":[{"advisoryId":"PKSA-2rqz-j593-s85p","packageName":"symfony\/ux-icons","remoteId":"symfony\/ux-icons\/CVE-2026-55877.yaml","title":"symfony\/ux-icons XSS via unsanitized SVG content in local files and Iconify on-demand responses","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-6v8j-33hc-mv84","cve":"CVE-2026-55877","affectedVersions":"\u003E=2.17.0,\u003C2.36.1|\u003E=3.0.0,\u003C3.2.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-19 07:21:19","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6v8j-33hc-mv84"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-icons\/CVE-2026-55877.yaml"}]}],"symfony\/ux-toolkit":[{"advisoryId":"PKSA-hmn2-9g3k-g9mr","packageName":"symfony\/ux-toolkit","remoteId":"symfony\/ux-toolkit\/CVE-2026-55878.yaml","title":"symfony\/ux-toolkit Path Traversal allows arbitrary file write and read via crafted recipe manifest","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-p9xj-fpr2-jf2q","cve":"CVE-2026-55878","affectedVersions":"\u003E=2.32.0,\u003C2.36.1|\u003E=3.0.0,\u003C3.2.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-19 07:21:23","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-p9xj-fpr2-jf2q"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-toolkit\/CVE-2026-55878.yaml"}]}],"web-token\/jwt-experimental":[{"advisoryId":"PKSA-z37k-njn7-w125","packageName":"web-token\/jwt-experimental","remoteId":"GHSA-6vvh-pxr4-25r7","title":"PHP JWT Framework: Chacha20Poly1305 
key-encryption algorithm discards the Poly1305 authentication tag, performing no authentication on decryption","link":"https:\/\/github.com\/advisories\/GHSA-6vvh-pxr4-25r7","cve":null,"affectedVersions":"\u003C=4.1.6","source":"GitHub","reportedAt":"2026-06-18 21:08:15","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6vvh-pxr4-25r7"}]}],"phpbb\/phpbb":[{"advisoryId":"PKSA-k9cm-sh3f-xrxt","packageName":"phpbb\/phpbb","remoteId":"GHSA-7gm6-w7mx-58cr","title":"phpBB has Password Reset Link Poisoning via Host Header injection","link":"https:\/\/github.com\/advisories\/GHSA-7gm6-w7mx-58cr","cve":"CVE-2026-29199","affectedVersions":"=4.0.0-a1|\u003E=3.0.0,\u003C3.3.16","source":"GitHub","reportedAt":"2026-05-04 09:31:09","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-7gm6-w7mx-58cr"}]}],"drupal\/core":[{"advisoryId":"PKSA-h76q-q9b2-4kdc","packageName":"drupal\/core","remoteId":"GHSA-ghwc-95x2-682j","title":"Drupal Core has a SQL Injection issue","link":"https:\/\/github.com\/advisories\/GHSA-ghwc-95x2-682j","cve":"CVE-2026-9082","affectedVersions":"\u003E=11.3.0,\u003C11.3.10|\u003E=11.2.0,\u003C11.2.12|\u003E=11.0.0,\u003C11.1.10|\u003E=10.6.0,\u003C10.6.9|\u003E=10.5.0,\u003C10.5.10|\u003E=8.9.0,\u003C10.4.10","source":"GitHub","reportedAt":"2026-05-20 21:31:32","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-ghwc-95x2-682j"}]}],"getkirby\/cms":[{"advisoryId":"PKSA-4ys7-5twb-r3bn","packageName":"getkirby\/cms","remoteId":"GHSA-23q2-54qv-rq5x","title":"Kirby: `pages.access` permission is not checked in the pages picker for parent pages","link":"https:\/\/github.com\/advisories\/GHSA-23q2-54qv-rq5x","cve":"CVE-2026-49274","affectedVersions":"\u003E=5.0.0-alpha.1,\u003C=5.4.3|\u003C=4.9.3","source":"GitHub","reportedAt":"2026-06-18 
15:04:14","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-23q2-54qv-rq5x"}]},{"advisoryId":"PKSA-hnr2-vddk-p4gy","packageName":"getkirby\/cms","remoteId":"GHSA-rhj6-r49h-5932","title":"Kirby: Self cross-site scripting (self-XSS) in the writer field","link":"https:\/\/github.com\/advisories\/GHSA-rhj6-r49h-5932","cve":"CVE-2026-49276","affectedVersions":"\u003E=5.0.0-alpha.1,\u003C=5.4.3|\u003C=4.9.3","source":"GitHub","reportedAt":"2026-06-18 15:04:41","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-rhj6-r49h-5932"}]},{"advisoryId":"PKSA-k11s-611y-v46q","packageName":"getkirby\/cms","remoteId":"GHSA-4v4h-m2qq-ppgw","title":"Kirby: Request header injection in `Http\\Remote`","link":"https:\/\/github.com\/advisories\/GHSA-4v4h-m2qq-ppgw","cve":"CVE-2026-50188","affectedVersions":"\u003E=5.0.0-alpha.1,\u003C=5.4.3|\u003C=4.9.3","source":"GitHub","reportedAt":"2026-06-18 15:04:46","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4v4h-m2qq-ppgw"}]},{"advisoryId":"PKSA-wps5-gfv8-mm6f","packageName":"getkirby\/cms","remoteId":"GHSA-wr9h-4r83-f4v6","title":"Kirby: Cross-site scripting (XSS) from incomplete HTML\/XML sanitization in `Dom::sanitize()`","link":"https:\/\/github.com\/advisories\/GHSA-wr9h-4r83-f4v6","cve":"CVE-2026-54002","affectedVersions":"\u003E=5.0.0-alpha.1,\u003C=5.4.3|\u003C=4.9.3","source":"GitHub","reportedAt":"2026-06-18 15:04:52","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-wr9h-4r83-f4v6"}]},{"advisoryId":"PKSA-h8zr-vfb5-1d5r","packageName":"getkirby\/cms","remoteId":"GHSA-whxw-24jc-cwmv","title":"Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` 
header","link":"https:\/\/github.com\/advisories\/GHSA-whxw-24jc-cwmv","cve":"CVE-2026-54003","affectedVersions":"\u003E=5.0.0-alpha.1,\u003C=5.4.3|\u003C=4.9.3","source":"GitHub","reportedAt":"2026-06-18 15:04:57","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-whxw-24jc-cwmv"}]},{"advisoryId":"PKSA-6sq2-11dh-hkdq","packageName":"getkirby\/cms","remoteId":"GHSA-89cp-7p28-jffg","title":"Kirby: Access to files of top-level drafts is not protected by permissions","link":"https:\/\/github.com\/advisories\/GHSA-89cp-7p28-jffg","cve":"CVE-2026-54004","affectedVersions":"\u003E=5.0.0-alpha.1,\u003C=5.4.3|\u003C=4.9.3","source":"GitHub","reportedAt":"2026-06-18 15:05:05","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-89cp-7p28-jffg"}]},{"advisoryId":"PKSA-jpkc-34xj-4vfy","packageName":"getkirby\/cms","remoteId":"GHSA-r3w8-2c5r-h9j9","title":"Kirby: `pages.access` permission is not checked in the `site\/find` REST API route","link":"https:\/\/github.com\/advisories\/GHSA-r3w8-2c5r-h9j9","cve":"CVE-2026-54005","affectedVersions":"\u003E=5.0.0-alpha.1,\u003C=5.4.3|\u003C=4.9.3","source":"GitHub","reportedAt":"2026-06-18 15:05:11","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-r3w8-2c5r-h9j9"}]}],"getgrav\/grav":[{"advisoryId":"PKSA-p98m-jfx1-qxw4","packageName":"getgrav\/grav","remoteId":"GHSA-pmf8-g7c8-7v54","title":"Grav: Stored CSS injection via Markdown image ?style=\u2026 reaches MediaObjectTrait::style() \u2014 incomplete patch of GHSA-r7fx-8g49-7hhr","link":"https:\/\/github.com\/advisories\/GHSA-pmf8-g7c8-7v54","cve":"CVE-2026-55890","affectedVersions":"\u003C=2.0.0-rc.8","source":"GitHub","reportedAt":"2026-06-18 
14:49:19","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-pmf8-g7c8-7v54"}]},{"advisoryId":"PKSA-wg3b-cs1z-bny5","packageName":"getgrav\/grav","remoteId":"GHSA-2f86-9cp8-6hcf","title":"Grav: Admin Backup Zip File Exposes Account Credentials and Configuration Secrets","link":"https:\/\/github.com\/advisories\/GHSA-2f86-9cp8-6hcf","cve":"CVE-2026-55885","affectedVersions":"\u003C1.7.53","source":"GitHub","reportedAt":"2026-06-18 14:31:13","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-2f86-9cp8-6hcf"}]}],"spomky-labs\/otphp":[{"advisoryId":"PKSA-qv5y-crcz-9nxw","packageName":"spomky-labs\/otphp","remoteId":"spomky-labs\/otphp\/GHSA-2jx3-65f3-xr8r.yaml","title":"Mass-assignment in Factory::loadFromProvisioningUri lets a hostile provisioning URI corrupt OTP state or leak an uncaught TypeError","link":"https:\/\/github.com\/Spomky-Labs\/otphp\/security\/advisories\/GHSA-2jx3-65f3-xr8r","cve":null,"affectedVersions":"\u003C11.4.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-31 09:08:33","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-2jx3-65f3-xr8r"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"spomky-labs\/otphp\/GHSA-2jx3-65f3-xr8r.yaml"}]},{"advisoryId":"PKSA-kbc7-dq62-pt7d","packageName":"spomky-labs\/otphp","remoteId":"spomky-labs\/otphp\/GHSA-g7m4-839x-ch6v.yaml","title":"Unbounded digits parameter in a provisioning URI triggers an uncaught DivisionByZeroError in OTP generation","link":"https:\/\/github.com\/Spomky-Labs\/otphp\/security\/advisories\/GHSA-g7m4-839x-ch6v","cve":null,"affectedVersions":"\u003C11.4.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-31 
09:06:37","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-g7m4-839x-ch6v"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"spomky-labs\/otphp\/GHSA-g7m4-839x-ch6v.yaml"}]}],"web-token\/jwt-framework":[{"advisoryId":"PKSA-815n-fyy9-rqkd","packageName":"web-token\/jwt-framework","remoteId":"web-token\/jwt-framework\/GHSA-3prj-6hqw-cm82.yaml","title":"PBES2-HS*+A*KW unwrap accepts an unbounded p2c iteration count, enabling CPU-amplification denial of service","link":"https:\/\/github.com\/web-token\/jwt-framework\/security\/advisories\/GHSA-3prj-6hqw-cm82","cve":null,"affectedVersions":"\u003C3.4.10|\u003E=4.0.0,\u003C4.0.7|\u003E=4.1.0,\u003C4.1.7","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-06 16:26:43","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"web-token\/jwt-framework\/GHSA-3prj-6hqw-cm82.yaml"}]},{"advisoryId":"PKSA-m2bn-5kyy-vzsk","packageName":"web-token\/jwt-framework","remoteId":"web-token\/jwt-framework\/GHSA-5739-39v2-5754.yaml","title":"RSA1_5 (RSAES-PKCS1-v1_5) decryption lacks implicit rejection, exposing a Bleichenbacher\/Marvin padding oracle","link":"https:\/\/github.com\/web-token\/jwt-framework\/security\/advisories\/GHSA-5739-39v2-5754","cve":null,"affectedVersions":"\u003C3.4.10|\u003E=4.0.0,\u003C4.0.7|\u003E=4.1.0,\u003C4.1.7","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-06 16:27:24","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-3prj-6hqw-cm82"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"web-token\/jwt-framework\/GHSA-5739-39v2-5754.yaml"}]},{"advisoryId":"PKSA-p7vh-1fk6-znth","packageName":"web-token\/jwt-framework","remoteId":"web-token\/jwt-framework\/GHSA-6vvh-pxr4-25r7.yaml","title":"Chacha20Poly1305 key-encryption algorithm discards the Poly1305 authentication tag, 
performing no authentication on decryption","link":"https:\/\/github.com\/web-token\/jwt-framework\/security\/advisories\/GHSA-6vvh-pxr4-25r7","cve":null,"affectedVersions":"\u003C3.4.10|\u003E=4.0.0,\u003C4.0.7|\u003E=4.1.0,\u003C4.1.7","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-06 16:27:05","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-jc38-x7x8-2xc8"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"web-token\/jwt-framework\/GHSA-6vvh-pxr4-25r7.yaml"}]},{"advisoryId":"PKSA-ztxk-m2k2-bkgv","packageName":"web-token\/jwt-framework","remoteId":"web-token\/jwt-framework\/GHSA-jc38-x7x8-2xc8.yaml","title":"JWSVerifier uses algorithm from unprotected header, enabling algorithm confusion attacks","link":"https:\/\/github.com\/web-token\/jwt-framework\/security\/advisories\/GHSA-jc38-x7x8-2xc8","cve":null,"affectedVersions":"\u003C3.4.10|\u003E=4.0.0,\u003C4.0.7|\u003E=4.1.0,\u003C4.1.7","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-06 16:30:13","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-5739-39v2-5754"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"web-token\/jwt-framework\/GHSA-jc38-x7x8-2xc8.yaml"}]}],"web-token\/jwt-library":[{"advisoryId":"PKSA-qw7k-npv6-3pbk","packageName":"web-token\/jwt-library","remoteId":"web-token\/jwt-library\/GHSA-3prj-6hqw-cm82.yaml","title":"PBES2-HS*+A*KW unwrap accepts an unbounded p2c iteration count, enabling CPU-amplification denial of service","link":"https:\/\/github.com\/web-token\/jwt-framework\/security\/advisories\/GHSA-3prj-6hqw-cm82","cve":null,"affectedVersions":"\u003C3.4.10|\u003E=4.0.0,\u003C4.0.7|\u003E=4.1.0,\u003C4.1.7","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-06 
16:26:43","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6vvh-pxr4-25r7"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"web-token\/jwt-library\/GHSA-3prj-6hqw-cm82.yaml"}]},{"advisoryId":"PKSA-237v-kv6c-dpkr","packageName":"web-token\/jwt-library","remoteId":"web-token\/jwt-library\/GHSA-5739-39v2-5754.yaml","title":"RSA1_5 (RSAES-PKCS1-v1_5) decryption lacks implicit rejection, exposing a Bleichenbacher\/Marvin padding oracle","link":"https:\/\/github.com\/web-token\/jwt-framework\/security\/advisories\/GHSA-5739-39v2-5754","cve":null,"affectedVersions":"\u003C3.4.10|\u003E=4.0.0,\u003C4.0.7|\u003E=4.1.0,\u003C4.1.7","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-06 16:27:24","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-3prj-6hqw-cm82"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"web-token\/jwt-library\/GHSA-5739-39v2-5754.yaml"}]},{"advisoryId":"PKSA-66dc-42nb-26yy","packageName":"web-token\/jwt-library","remoteId":"web-token\/jwt-library\/GHSA-6vvh-pxr4-25r7.yaml","title":"Chacha20Poly1305 key-encryption algorithm discards the Poly1305 authentication tag, performing no authentication on decryption","link":"https:\/\/github.com\/web-token\/jwt-framework\/security\/advisories\/GHSA-6vvh-pxr4-25r7","cve":null,"affectedVersions":"\u003C3.4.10|\u003E=4.0.0,\u003C4.0.7|\u003E=4.1.0,\u003C4.1.7","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-06 16:27:05","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-jc38-x7x8-2xc8"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"web-token\/jwt-library\/GHSA-6vvh-pxr4-25r7.yaml"}]},{"advisoryId":"PKSA-58h1-qnck-61bt","packageName":"web-token\/jwt-library","remoteId":"web-token\/jwt-library\/GHSA-jc38-x7x8-2xc8.yaml","title":"JWSVerifier uses algorithm from unprotected header, 
enabling algorithm confusion attacks","link":"https:\/\/github.com\/web-token\/jwt-framework\/security\/advisories\/GHSA-jc38-x7x8-2xc8","cve":null,"affectedVersions":"\u003C3.4.10|\u003E=4.0.0,\u003C4.0.7|\u003E=4.1.0,\u003C4.1.7","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-06 16:30:13","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-5739-39v2-5754"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"web-token\/jwt-library\/GHSA-jc38-x7x8-2xc8.yaml"}]}],"mtdowling\/jmespath.php":[{"advisoryId":"PKSA-mnyp-475s-ywph","packageName":"mtdowling\/jmespath.php","remoteId":"mtdowling\/jmespath.php\/CVE-2026-54133.yaml","title":"CompilerRuntime code injection via unescaped function names","link":"https:\/\/github.com\/jmespath\/jmespath.php\/security\/advisories\/GHSA-pcw8-m77r-2528","cve":"CVE-2026-54133","affectedVersions":"\u003C2.9.1","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-11 10:41:50","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"mtdowling\/jmespath.php\/CVE-2026-54133.yaml"}]}],"cakephp\/authentication":[{"advisoryId":"PKSA-bz6x-t8z8-r26p","packageName":"cakephp\/authentication","remoteId":"GHSA-hhpq-7wg4-36jm","title":"CakePHP Authentication: Open redirect weakness via backslash bypass","link":"https:\/\/github.com\/advisories\/GHSA-hhpq-7wg4-36jm","cve":"CVE-2026-55590","affectedVersions":"\u003E=4.0.0,\u003C4.1.1|\u003C3.3.6","source":"GitHub","reportedAt":"2026-06-17 18:52:09","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hhpq-7wg4-36jm"}]}],"filament\/forms":[{"advisoryId":"PKSA-n7tx-gkfb-14yj","packageName":"filament\/forms","remoteId":"GHSA-m9cv-24rx-8mv7","title":"Filament: Disabled RichEditor field state can be used for 
XSS","link":"https:\/\/github.com\/advisories\/GHSA-m9cv-24rx-8mv7","cve":"CVE-2026-55409","affectedVersions":"\u003E=3.0.0,\u003C=3.3.52","source":"GitHub","reportedAt":"2026-06-17 18:41:12","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-m9cv-24rx-8mv7"}]}],"laravel\/framework":[{"advisoryId":"PKSA-3r5d-mb8f-1qw9","packageName":"laravel\/framework","remoteId":"GHSA-5vg9-5847-vvmq","title":"Laravel Framework: CRLF injection in default email rule ","link":"https:\/\/github.com\/advisories\/GHSA-5vg9-5847-vvmq","cve":null,"affectedVersions":"\u003C12.60.0|\u003E=13.0.0,\u003C=13.9.0","source":"GitHub","reportedAt":"2026-06-17 13:53:44","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-5vg9-5847-vvmq"}]},{"advisoryId":"PKSA-m5cs-t1y6-qpcs","packageName":"laravel\/framework","remoteId":"GHSA-crmm-hgp2-wgrp","title":"Laravel Framework: Temporary Signed URL Path Confusion","link":"https:\/\/github.com\/advisories\/GHSA-crmm-hgp2-wgrp","cve":null,"affectedVersions":"\u003C12.61.1|\u003E=13.0.0,\u003C13.12.0","source":"GitHub","reportedAt":"2026-06-17 13:54:13","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-crmm-hgp2-wgrp"}]}],"phpseclib\/phpseclib":[{"advisoryId":"PKSA-432p-hv1d-chf7","packageName":"phpseclib\/phpseclib","remoteId":"GHSA-m557-wrgg-6rp4","title":"phpseclib: X.509 certificate validation sends attacker-controlled outbound requests (server-side request forgery) via Authority Information Access","link":"https:\/\/github.com\/advisories\/GHSA-m557-wrgg-6rp4","cve":null,"affectedVersions":"\u003E=3.0.0,\u003C=3.0.53|\u003E=2.0.0,\u003C=2.0.54|\u003E=0.1.1,\u003C=1.0.29","source":"GitHub","reportedAt":"2026-06-16 
15:03:58","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-m557-wrgg-6rp4"}]}],"guzzlehttp\/guzzle-services":[{"advisoryId":"PKSA-39d7-zgf3-b3y1","packageName":"guzzlehttp\/guzzle-services","remoteId":"guzzlehttp\/guzzle-services\/CVE-2026-53723.yaml","title":"XML injection via CDATA terminator in XML request serialization","link":"https:\/\/github.com\/guzzle\/guzzle-services\/security\/advisories\/GHSA-q8r6-5hfw-5jff","cve":"CVE-2026-53723","affectedVersions":"\u003C1.5.4","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-06-02 11:38:10","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-q8r6-5hfw-5jff"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"guzzlehttp\/guzzle-services\/CVE-2026-53723.yaml"}]}],"symfony\/ux-live-component":[{"advisoryId":"PKSA-kwkg-rq7h-gh18","packageName":"symfony\/ux-live-component","remoteId":"symfony\/ux-live-component\/CVE-2026-49208.yaml","title":"symfony\/ux-live-component Format-less date LiveProps parsed with the permissive DateTime constructor","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-89g7-22c8-3j23","cve":"CVE-2026-49208","affectedVersions":"\u003E=2.8.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-89g7-22c8-3j23"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-live-component\/CVE-2026-49208.yaml"}]},{"advisoryId":"PKSA-tv34-cfvx-rr9r","packageName":"symfony\/ux-live-component","remoteId":"symfony\/ux-live-component\/CVE-2026-49209.yaml","title":"symfony\/ux-live-component Denial of service via unbounded batch action 
requests","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-mm82-c99c-h2cf","cve":"CVE-2026-49209","affectedVersions":"\u003E=2.5.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-mm82-c99c-h2cf"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-live-component\/CVE-2026-49209.yaml"}]},{"advisoryId":"PKSA-ks3q-z9y3-61pz","packageName":"symfony\/ux-live-component","remoteId":"symfony\/ux-live-component\/CVE-2026-49215.yaml","title":"symfony\/ux-live-component CSRF Protection Bypass: Accept Header is CORS-Safelisted","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-4m4j-hmqq-3gxm","cve":"CVE-2026-49215","affectedVersions":"\u003E=2.22.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-4m4j-hmqq-3gxm"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-live-component\/CVE-2026-49215.yaml"}]},{"advisoryId":"PKSA-87hx-5gp4-x12b","packageName":"symfony\/ux-live-component","remoteId":"symfony\/ux-live-component\/CVE-2026-49210.yaml","title":"symfony\/ux-live-component XSS via attacker-controlled child component tag","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-38x5-rcv4-xf7x","cve":"CVE-2026-49210","affectedVersions":"\u003E=2.8.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 
08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-38x5-rcv4-xf7x"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-live-component\/CVE-2026-49210.yaml"}]},{"advisoryId":"PKSA-wxdb-kw41-yhdy","packageName":"symfony\/ux-live-component","remoteId":"symfony\/ux-live-component\/CVE-2026-49212.yaml","title":"symfony\/ux-live-component LiveComponentHydrator HMAC checksum lacks component and slot binding","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-34w5-c283-j9fg","cve":"CVE-2026-49212","affectedVersions":"\u003E=2.8.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-34w5-c283-j9fg"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-live-component\/CVE-2026-49212.yaml"}]}],"symfony\/ux-autocomplete":[{"advisoryId":"PKSA-q7f1-2s55-5c1z","packageName":"symfony\/ux-autocomplete","remoteId":"symfony\/ux-autocomplete\/CVE-2026-49216.yaml","title":"symfony\/ux-autocomplete XSS via unescaped AJAX response data","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-mwqm-4fw3-cjvr","cve":"CVE-2026-49216","affectedVersions":"\u003E=2.2.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-mwqm-4fw3-cjvr"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-autocomplete\/CVE-2026-49216.yaml"}]},{"advisoryId":"PKSA-msh7-gxqk-k56q","packageName":"symfony\/ux-autocomplete","remoteId":"symfony\/ux-autocomplete\/CVE-2026-49211.yaml","title":"symfony\/ux-autocomplete Information exposure via unescaped LIKE wildcards in 
EntitySearchUtil","link":"https:\/\/github.com\/symfony\/ux\/security\/advisories\/GHSA-946h-jp5c-8fvh","cve":"CVE-2026-49211","affectedVersions":"\u003E=2.2.0,\u003C2.36.0|\u003E=3.0.0,\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-29 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-946h-jp5c-8fvh"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/ux-autocomplete\/CVE-2026-49211.yaml"}]}],"symfony\/mailomat-mailer":[{"advisoryId":"PKSA-9y9v-rcsm-h82j","packageName":"symfony\/mailomat-mailer","remoteId":"symfony\/mailomat-mailer\/CVE-2026-48747.yaml","title":"CVE-2026-48747: Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade","link":"https:\/\/symfony.com\/cve-2026-48747","cve":"CVE-2026-48747","affectedVersions":"\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-rrj9-5q2j-4gvr"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/mailomat-mailer\/CVE-2026-48747.yaml"}]}],"symfony\/http-foundation":[{"advisoryId":"PKSA-y6py-qpv1-h52p","packageName":"symfony\/http-foundation","remoteId":"symfony\/http-foundation\/CVE-2026-48736.yaml","title":"CVE-2026-48736: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient","link":"https:\/\/symfony.com\/cve-2026-48736","cve":"CVE-2026-48736","affectedVersions":"\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 
08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-38cx-cq6f-5755"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/http-foundation\/CVE-2026-48736.yaml"}]}],"symfony\/symfony":[{"advisoryId":"PKSA-bd71-n14y-wh1d","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-48736.yaml","title":"CVE-2026-48736: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient","link":"https:\/\/symfony.com\/cve-2026-48736","cve":"CVE-2026-48736","affectedVersions":"\u003E=5.4.0,\u003C5.4.53|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-38cx-cq6f-5755"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-48736.yaml"}]},{"advisoryId":"PKSA-qpkt-z1gq-qf6m","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-48761.yaml","title":"CVE-2026-48761: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes on \u003Cobject\u003E, \u003Capplet\u003E, \u003Ciframe\u003E, \u003Cimg\u003E and the URL Inside \u003Cmeta http-equiv=\u0022refresh\u0022\u003E content","link":"https:\/\/symfony.com\/cve-2026-48761","cve":"CVE-2026-48761","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 
08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-x5qj-865h-mgvm"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-48761.yaml"}]},{"advisoryId":"PKSA-nshj-ydrr-y3c1","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-48784.yaml","title":"CVE-2026-48784: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `..\/` or `.\/` \u2192 Generated URL Collapses Off-Route Under RFC 3986 Normalization","link":"https:\/\/symfony.com\/cve-2026-48784","cve":"CVE-2026-48784","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.53|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-h5x3-xfc9-m39h"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-48784.yaml"}]},{"advisoryId":"PKSA-v1cq-8qyb-2p5n","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-48747.yaml","title":"CVE-2026-48747: Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade","link":"https:\/\/symfony.com\/cve-2026-48747","cve":"CVE-2026-48747","affectedVersions":"\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 
08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-rrj9-5q2j-4gvr"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-48747.yaml"}]},{"advisoryId":"PKSA-gc1j-s49p-r1kv","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-48760.yaml","title":"CVE-2026-48760: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense","link":"https:\/\/symfony.com\/cve-2026-48760","cve":"CVE-2026-48760","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-v3wm-qf9p-c549"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-48760.yaml"}]},{"advisoryId":"PKSA-pjp2-q1z1-mmvn","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-48489.yaml","title":"CVE-2026-48489: Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET 
Routes","link":"https:\/\/symfony.com\/cve-2026-48489","cve":"CVE-2026-48489","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.53|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-6h46-9jf5-q59x"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-48489.yaml"}]}],"symfony\/security-http":[{"advisoryId":"PKSA-c28x-6bj5-8spx","packageName":"symfony\/security-http","remoteId":"symfony\/security-http\/CVE-2026-48489.yaml","title":"CVE-2026-48489: Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET Routes","link":"https:\/\/symfony.com\/cve-2026-48489","cve":"CVE-2026-48489","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.53|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 
08:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-6h46-9jf5-q59x"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/security-http\/CVE-2026-48489.yaml"}]}],"symfony\/http-client":[{"advisoryId":"PKSA-35by-yxtt-jc85","packageName":"symfony\/http-client","remoteId":"symfony\/http-client\/CVE-2026-48736.yaml","title":"CVE-2026-48736: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient","link":"https:\/\/symfony.com\/cve-2026-48736","cve":"CVE-2026-48736","affectedVersions":"\u003E=5.4.0,\u003C5.4.53","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-38cx-cq6f-5755"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/http-client\/CVE-2026-48736.yaml"}]}],"symfony\/routing":[{"advisoryId":"PKSA-bf7t-jnpz-492k","packageName":"symfony\/routing","remoteId":"symfony\/routing\/CVE-2026-48784.yaml","title":"CVE-2026-48784: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `..\/` or `.\/` \u2192 Generated URL Collapses Off-Route Under RFC 3986 Normalization","link":"https:\/\/symfony.com\/cve-2026-48784","cve":"CVE-2026-48784","affectedVersions":"\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C4.0.0|\u003E=4.0.0,\u003C5.0.0|\u003E=5.0.0,\u003C5.1.0|\u003E=5.1.0,\u003C5.2.0|\u003E=5.2.0,\u003C5.3.0|\u003E=5.3.0,\u003C5.4.0|\u003E=5.4.0,\u003C5.4.53|\u003E=6.0.0,\u003C6.1.0|\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 
08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-h5x3-xfc9-m39h"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/routing\/CVE-2026-48784.yaml"}]}],"symfony\/html-sanitizer":[{"advisoryId":"PKSA-3d8r-4bff-vcj1","packageName":"symfony\/html-sanitizer","remoteId":"symfony\/html-sanitizer\/CVE-2026-48761.yaml","title":"CVE-2026-48761: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes on \u003Cobject\u003E, \u003Capplet\u003E, \u003Ciframe\u003E, \u003Cimg\u003E and the URL Inside \u003Cmeta http-equiv=\u0022refresh\u0022\u003E content","link":"https:\/\/symfony.com\/cve-2026-48761","cve":"CVE-2026-48761","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-x5qj-865h-mgvm"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/html-sanitizer\/CVE-2026-48761.yaml"}]},{"advisoryId":"PKSA-bvdf-tk8n-sbsf","packageName":"symfony\/html-sanitizer","remoteId":"symfony\/html-sanitizer\/CVE-2026-48760.yaml","title":"CVE-2026-48760: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing 
Defense","link":"https:\/\/symfony.com\/cve-2026-48760","cve":"CVE-2026-48760","affectedVersions":"\u003E=6.1.0,\u003C6.2.0|\u003E=6.2.0,\u003C6.3.0|\u003E=6.3.0,\u003C6.4.0|\u003E=6.4.0,\u003C6.4.41|\u003E=7.0.0,\u003C7.1.0|\u003E=7.1.0,\u003C7.2.0|\u003E=7.2.0,\u003C7.3.0|\u003E=7.3.0,\u003C7.4.0|\u003E=7.4.0,\u003C7.4.13|\u003E=8.0.0,\u003C8.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-26 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-v3wm-qf9p-c549"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/html-sanitizer\/CVE-2026-48760.yaml"}]}],"guzzlehttp\/oauth-subscriber":[{"advisoryId":"PKSA-pg71-gz29-h5sq","packageName":"guzzlehttp\/oauth-subscriber","remoteId":"guzzlehttp\/oauth-subscriber\/CVE-2025-21617.yaml","title":"Insufficient nonce entropy","link":"https:\/\/github.com\/guzzle\/oauth-subscriber\/security\/advisories\/GHSA-237r-r8m4-4q88","cve":"CVE-2025-21617","affectedVersions":"\u003C0.8.1","source":"FriendsOfPHP\/security-advisories","reportedAt":"2025-01-06 19:15:59","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-237r-r8m4-4q88"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"guzzlehttp\/oauth-subscriber\/CVE-2025-21617.yaml"}]}],"knplabs\/knp-snappy":[{"advisoryId":"PKSA-cd3f-fj3y-g547","packageName":"knplabs\/knp-snappy","remoteId":"knplabs\/knp-snappy\/CVE-2023-41330.yaml","title":"Snappy PHAR deserialization vulnerability","link":"https:\/\/github.com\/advisories\/GHSA-92rv-4j2h-8mjj","cve":"CVE-2023-41330","affectedVersions":"\u003C1.4.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2023-09-06 
15:24:48","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-92rv-4j2h-8mjj"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"knplabs\/knp-snappy\/CVE-2023-41330.yaml"}]}],"friendsoftypo3\/mediace":[{"advisoryId":"PKSA-h7r9-7xjm-kxrb","packageName":"friendsoftypo3\/mediace","remoteId":"friendsoftypo3\/mediace\/CVE-2020-15086.yaml","title":"Sensitive Information Disclosure in extension \u0022Media Content Element\u0022 (mediace)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2020-014","cve":"CVE-2020-15086","affectedVersions":"\u003E=7.6.2,\u003C7.6.5","source":"FriendsOfPHP\/security-advisories","reportedAt":"2020-07-16 07:31:32","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"friendsoftypo3\/mediace\/CVE-2020-15086.yaml"},{"name":"GitHub","remoteId":"GHSA-4h44-w6fm-548g"}]}],"smarty\/smarty":[{"advisoryId":"PKSA-wc9h-gs49-76tm","packageName":"smarty\/smarty","remoteId":"smarty\/smarty\/CVE-2021-26119.yaml","title":"template_object Sandbox Escape PHP Code Injection","link":"https:\/\/srcincite.io\/blog\/2021\/02\/18\/smarty-template-engine-multiple-sandbox-escape-vulnerabilities.html","cve":"CVE-2021-26119","affectedVersions":"\u003C3.1.39","source":"FriendsOfPHP\/security-advisories","reportedAt":"2021-01-24 22:13:26","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-w5hr-jm4j-9jvq"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"smarty\/smarty\/CVE-2021-26119.yaml"}]},{"advisoryId":"PKSA-t4kv-1sv2-1mzx","packageName":"smarty\/smarty","remoteId":"smarty\/smarty\/CVE-2021-26120.yaml","title":"Smarty_Internal_Runtime_TplFunction Sandbox Escape PHP Code 
Injection","link":"https:\/\/srcincite.io\/blog\/2021\/02\/18\/smarty-template-engine-multiple-sandbox-escape-vulnerabilities.html","cve":"CVE-2021-26120","affectedVersions":"\u003C3.1.39","source":"FriendsOfPHP\/security-advisories","reportedAt":"2021-01-24 22:44:07","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-3rpf-5rqv-689q"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"smarty\/smarty\/CVE-2021-26120.yaml"}]}],"cartalyst\/sentry":[{"advisoryId":"PKSA-p714-559s-qh89","packageName":"cartalyst\/sentry","remoteId":"cartalyst\/sentry\/2016-09-05.yaml","title":"Null reset codes were allowed","link":"https:\/\/haxx.ml\/post\/149975211631\/how-i-hacked-your-cfp-and-probably-some-other","cve":null,"affectedVersions":"\u003C2.1.7","source":"FriendsOfPHP\/security-advisories","reportedAt":"2016-09-05 00:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"cartalyst\/sentry\/2016-09-05.yaml"},{"name":"GitHub","remoteId":"GHSA-2m5g-8xpw-42vp"}]}],"doctrine\/doctrine-module":[{"advisoryId":"PKSA-hmqc-47pt-5r54","packageName":"doctrine\/doctrine-module","remoteId":"doctrine\/doctrine-module\/2013-05-16.yaml","title":"Authentication Vulnerability - possible attempt to login via zero-valued password credential","link":"https:\/\/github.com\/doctrine\/DoctrineModule\/issues\/249","cve":null,"affectedVersions":"\u003C0.7.2|\u003C0.7.2","source":"FriendsOfPHP\/security-advisories","reportedAt":"2013-05-16 00:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"doctrine\/doctrine-module\/2013-05-16.yaml"},{"name":"GitHub","remoteId":"GHSA-9wv8-3h8h-x2wc"}]}],"propel\/propel":[{"advisoryId":"PKSA-7tyg-2kv3-kq8f","packageName":"propel\/propel","remoteId":"propel\/propel\/2018-02-14.yaml","title":"SQL injection possible with limit() on 
MySQL","link":"https:\/\/github.com\/propelorm\/Propel2\/issues\/1463","cve":null,"affectedVersions":"\u003E=2.0.0-alpha1,\u003C2.0.0-alpha8","source":"FriendsOfPHP\/security-advisories","reportedAt":"2018-02-14 00:00:00","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-7vw7-qx38-37vr"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"propel\/propel\/2018-02-14.yaml"}]}],"propel\/propel1":[{"advisoryId":"PKSA-8rvz-ck9f-yjrd","packageName":"propel\/propel1","remoteId":"propel\/propel1\/2018-02-14.yaml","title":"SQL injection possible with limit() on MySQL","link":"https:\/\/github.com\/propelorm\/Propel\/issues\/1052","cve":null,"affectedVersions":"\u003E=1,\u003C1.7.2","source":"FriendsOfPHP\/security-advisories","reportedAt":"2018-02-14 00:00:00","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-7g7c-qhf3-x59p"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"propel\/propel1\/2018-02-14.yaml"}]}],"codeigniter\/framework":[{"advisoryId":"PKSA-9441-xhqz-8m7y","packageName":"codeigniter\/framework","remoteId":"codeigniter\/framework\/2016-07-26-1.yaml","title":"Critical SQL injection bug in the ODBC database driver","link":"https:\/\/forum.codeigniter.com\/thread-65803.html","cve":null,"affectedVersions":"\u003C3.1.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2016-07-26 00:00:00","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"codeigniter\/framework\/2016-07-26-1.yaml"},{"name":"GitHub","remoteId":"GHSA-27qr-636m-wxg2"}]}],"silverstripe\/framework":[{"advisoryId":"PKSA-wt32-ns28-f45d","packageName":"silverstripe\/framework","remoteId":"silverstripe\/framework\/SS-2015-014-1.yaml","title":"SS-2015-014: Vulnerability on \u0027isDev\u0027, \u0027isTest\u0027 and \u0027flush\u0027 $_GET 
validation","link":"https:\/\/www.silverstripe.org\/software\/download\/security-releases\/ss-2015-014\/","cve":null,"affectedVersions":"\u003E=3.0.0,\u003C3.0.14|\u003E=3.1.0,\u003C3.1.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2015-05-28 13:05:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-ph62-fv59-vf9h"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/framework\/SS-2015-014-1.yaml"}]},{"advisoryId":"PKSA-td9q-mf48-mqpm","packageName":"silverstripe\/framework","remoteId":"silverstripe\/framework\/SS-2015-012-1.yaml","title":"SS-2015-012: External redirection risk in Security?ReturnURL","link":"https:\/\/www.silverstripe.org\/software\/download\/security-releases\/ss-2015-012\/","cve":null,"affectedVersions":"\u003E=3.0.0,\u003C3.0.14|\u003E=3.1.0,\u003C3.1.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2015-05-25 14:52:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xx4r-5265-48j6"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/framework\/SS-2015-012-1.yaml"}]},{"advisoryId":"PKSA-bkm6-5mwx-3kd3","packageName":"silverstripe\/framework","remoteId":"silverstripe\/framework\/SS-2015-011-1.yaml","title":"SS-2015-011: Potential SQL Injection Vulnerability","link":"https:\/\/www.silverstripe.org\/software\/download\/security-releases\/ss-2015-011\/","cve":null,"affectedVersions":"\u003E=3.0.0,\u003C3.0.14|\u003E=3.1.0,\u003C3.1.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2015-05-25 
10:52:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-7m2v-x7rg-5hm5"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/framework\/SS-2015-011-1.yaml"}]},{"advisoryId":"PKSA-bnbw-tbzq-5ykk","packageName":"silverstripe\/framework","remoteId":"silverstripe\/framework\/SS-2016-003-1.yaml","title":"SS-2016-003: Hostname, IP and Protocol Spoofing through HTTP Headers","link":"https:\/\/www.silverstripe.org\/download\/security-releases\/ss-2016-003\/","cve":null,"affectedVersions":"\u003E=3.1.0,\u003C3.1.17|\u003E=3.2.0,\u003C3.2.2|\u003E3.2,\u003C3.3.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2016-02-18 11:05:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-r85g-7jpv-8xrx"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/framework\/SS-2016-003-1.yaml"}]},{"advisoryId":"PKSA-gg94-wpcm-tbtp","packageName":"silverstripe\/framework","remoteId":"silverstripe\/framework\/SS-2016-002-1.yaml","title":"SS-2016-002: CSRF vulnerability in GridFieldAddExistingAutocompleter","link":"https:\/\/www.silverstripe.org\/download\/security-releases\/ss-2016-002\/","cve":null,"affectedVersions":"\u003E=3.1.0,\u003C3.1.17|\u003E=3.2.0,\u003C3.2.2|\u003E3.2,\u003C3.3.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2016-02-17 17:50:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-g84q-cq55-xwgp"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/framework\/SS-2016-002-1.yaml"}]},{"advisoryId":"PKSA-z1m7-vnpc-524q","packageName":"silverstripe\/framework","remoteId":"silverstripe\/framework\/SS-2015-009-1.yaml","title":"SS-2015-009: XSS In rewritten hash 
links","link":"https:\/\/www.silverstripe.org\/software\/download\/security-releases\/ss-2015-009-xss-in-rewritten-hash-links\/","cve":null,"affectedVersions":"\u003E=3.0.0,\u003C3.0.13|\u003E=3.1.0,\u003C3.1.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2015-03-20 14:57:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-5r8w-66hq-rc39"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/framework\/SS-2015-009-1.yaml"}]},{"advisoryId":"PKSA-xhsq-x1jb-f31d","packageName":"silverstripe\/framework","remoteId":"silverstripe\/framework\/SS-2014-017-1.yaml","title":"SS-2014-017: XML Quadratic Blowup Attack","link":"https:\/\/www.silverstripe.org\/software\/download\/security-releases\/ss-2014-017-xml-quadratic-blowup-attack\/","cve":null,"affectedVersions":"\u003E=3.1.0,\u003C3.1.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2014-08-12 11:50:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-87pf-7x99-5xc4"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/framework\/SS-2014-017-1.yaml"}]},{"advisoryId":"PKSA-4b5m-tw4q-3fmq","packageName":"silverstripe\/framework","remoteId":"silverstripe\/framework\/SS-2015-004-1.yaml","title":"SS-2015-004: TreeDropdownField and TreeMultiSelectField XSS","link":"https:\/\/www.silverstripe.org\/software\/download\/security-releases\/ss-2015-004\/","cve":null,"affectedVersions":"\u003E=3.1.0,\u003C3.1.10","source":"FriendsOfPHP\/security-advisories","reportedAt":"2015-02-12 
15:55:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-qp29-wcc2-vmpc"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/framework\/SS-2015-004-1.yaml"}]},{"advisoryId":"PKSA-dwpn-yczp-hpvw","packageName":"silverstripe\/framework","remoteId":"silverstripe\/framework\/SS-2014-015-1.yaml","title":"SS-2014-015: IE requests not properly behaving with rewritehashlinks","link":"https:\/\/www.silverstripe.org\/software\/download\/security-releases\/ss-2014-015-ie-requests-not-properly-behaving-with-rewritehashlinks\/","cve":null,"affectedVersions":"\u003E=3.0.0,\u003C3.0.13|\u003E=3.1.0,\u003C3.1.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2015-03-20 12:10:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-34q6-xqxh-gq39"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/framework\/SS-2014-015-1.yaml"}]},{"advisoryId":"PKSA-tdvc-fx4y-y9yf","packageName":"silverstripe\/framework","remoteId":"silverstripe\/framework\/SS-2015-028-1.yaml","title":"SS-2015-028: Missing security check on dev\/build\/defaults","link":"https:\/\/www.silverstripe.org\/download\/security-releases\/ss-2015-028\/","cve":null,"affectedVersions":"\u003E=3.1.0,\u003C3.1.17|\u003E=3.2.0,\u003C3.2.2|\u003E3.2,\u003C3.3.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2016-02-17 17:55:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4h54-vwx9-3vr3"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/framework\/SS-2015-028-1.yaml"}]},{"advisoryId":"PKSA-r8bz-4tyw-cqq7","packageName":"silverstripe\/framework","remoteId":"silverstripe\/framework\/SS-2015-007-1.yaml","title":"SS-2015-007: XSS In 
FormAction","link":"https:\/\/www.silverstripe.org\/software\/download\/security-releases\/ss-2015-007\/","cve":null,"affectedVersions":"\u003E=3.1.0,\u003C3.1.10","source":"FriendsOfPHP\/security-advisories","reportedAt":"2015-02-12 15:55:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-88jp-9jrv-6368"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/framework\/SS-2015-007-1.yaml"}]}],"silverstripe\/forum":[{"advisoryId":"PKSA-schn-2b2h-yczz","packageName":"silverstripe\/forum","remoteId":"silverstripe\/forum\/SS-2015-017-1.yaml","title":"SS-2015-017: Forum Module CSRF Vulnerability","link":"https:\/\/www.silverstripe.org\/software\/download\/security-releases\/ss-2015-017\/","cve":null,"affectedVersions":"\u003C0.6.2|\u003E=0.7.0,\u003C0.7.4","source":"FriendsOfPHP\/security-advisories","reportedAt":"2015-09-14 10:38:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-w8fq-xgvh-cxc2"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/forum\/SS-2015-017-1.yaml"}]}],"silverstripe\/cms":[{"advisoryId":"PKSA-pvwk-bm9n-rprc","packageName":"silverstripe\/cms","remoteId":"silverstripe\/cms\/SS-2015-005-1.yaml","title":"SS-2015-005: VirtualPage XSS","link":"https:\/\/www.silverstripe.org\/software\/download\/security-releases\/ss-2015-005\/","cve":null,"affectedVersions":"\u003E=3.1.0,\u003C3.1.10","source":"FriendsOfPHP\/security-advisories","reportedAt":"2015-02-12 15:55:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-3mm9-2p44-rw39"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/cms\/SS-2015-005-1.yaml"}]},{"advisoryId":"PKSA-d3xv-chbr-ng6f","packageName":"silverstripe\/cms","remoteId":"silverstripe\/cms\/SS-2015-003-1.yaml","title":"SS-2015-003: History XSS 
Vulnerability","link":"https:\/\/www.silverstripe.org\/software\/download\/security-releases\/ss-2015-003\/","cve":null,"affectedVersions":"\u003E=3.1.0,\u003C3.1.10","source":"FriendsOfPHP\/security-advisories","reportedAt":"2015-02-12 15:55:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-r97r-64vp-fghm"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/cms\/SS-2015-003-1.yaml"}]},{"advisoryId":"PKSA-tbcz-9q2k-1r4f","packageName":"silverstripe\/cms","remoteId":"silverstripe\/cms\/SS-2015-008-1.yaml","title":"SS-2015-008: SiteTree Creation Permission Vulnerability","link":"https:\/\/www.silverstripe.org\/software\/download\/security-releases\/ss-2015-008-sitetree-creation-permission-vulnerability\/","cve":null,"affectedVersions":"\u003E=3.0.0,\u003C3.0.12|\u003E=3.1.0,\u003C3.1.11","source":"FriendsOfPHP\/security-advisories","reportedAt":"2015-03-19 16:54:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6hh6-59j2-qrxw"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/cms\/SS-2015-008-1.yaml"}]}],"gree\/jose":[{"advisoryId":"PKSA-2q89-6yb3-gktz","packageName":"gree\/jose","remoteId":"gree\/jose\/2016-08-30.yaml","title":"Critical vulnerabilities in JSON Web Token libraries","link":"https:\/\/auth0.com\/blog\/critical-vulnerabilities-in-json-web-token-libraries\/","cve":null,"affectedVersions":"\u003C2.2.1","source":"FriendsOfPHP\/security-advisories","reportedAt":"2016-08-30 00:00:00","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-9gxv-x7rp-r2hc"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"gree\/jose\/2016-08-30.yaml"}]}],"cart2quote\/module-quotation":[{"advisoryId":"PKSA-wnmd-jkgg-b2hj","packageName":"cart2quote\/module-quotation","remoteId":"cart2quote\/module-quotation\/2017-02-01.yaml","title":"Remote Code 
Execution in Qquoteadv\/controllers\/DownloadController.php","link":"https:\/\/cart2quote.zendesk.com\/hc\/en-us\/articles\/115000616303--FIXED-Security-Vulnerability-in-downloadCustomOptionAction","cve":null,"affectedVersions":"\u003E=4.1.6,\u003C4.4.6|\u003E=5.0.0,\u003C5.4.4","source":"FriendsOfPHP\/security-advisories","reportedAt":"2017-02-01 00:00:00","composerRepository":null,"severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"cart2quote\/module-quotation\/2017-02-01.yaml"}]}],"phpoffice\/phpspreadsheet":[{"advisoryId":"PKSA-v15t-c7gz-7kpt","packageName":"phpoffice\/phpspreadsheet","remoteId":"phpoffice\/phpspreadsheet\/CVE-2018-19277.yaml","title":"XXE Vulnerability","link":"https:\/\/github.com\/PHPOffice\/PhpSpreadsheet\/issues\/771","cve":"CVE-2018-19277","affectedVersions":"\u003C1.5.1","source":"FriendsOfPHP\/security-advisories","reportedAt":"2018-11-20 19:50:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xcrg-29h7-h4cj"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"phpoffice\/phpspreadsheet\/CVE-2018-19277.yaml"}]}],"composer\/composer":[{"advisoryId":"PKSA-qx8p-c3v3-6yfg","packageName":"composer\/composer","remoteId":"composer\/composer\/CVE-2015-8371.yaml","title":"Composer Cache Injection vulnerability","link":"http:\/\/flyingmana.de\/blog_en\/2016\/02\/14\/composer_cache_injection_vulnerability_cve_2015_8371.html","cve":"CVE-2015-8371","affectedVersions":"\u003C1.0.0-beta1","source":"FriendsOfPHP\/security-advisories","reportedAt":"2016-02-10 14:51:23","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"composer\/composer\/CVE-2015-8371.yaml"},{"name":"GitHub","remoteId":"GHSA-725m-w832-q973"}]}]}}