{"advisories":{"spatie\/laravel-medialibrary":[{"advisoryId":"PKSA-88bj-c5ky-3pr6","packageName":"spatie\/laravel-medialibrary","remoteId":"GHSA-fggg-964j-3j7h","title":"Spatie Laravel Media Library contains a server-side request forgery vulnerability","link":"https:\/\/github.com\/advisories\/GHSA-fggg-964j-3j7h","cve":"CVE-2026-48555","affectedVersions":"\u003C11.23.0","source":"GitHub","reportedAt":"2026-05-29 21:31:24","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-fggg-964j-3j7h"}]},{"advisoryId":"PKSA-mrgr-9pdf-y591","packageName":"spatie\/laravel-medialibrary","remoteId":"GHSA-3ggm-c5m7-hfv5","title":"Spatie Laravel Media Library contains a file upload restriction bypass","link":"https:\/\/github.com\/advisories\/GHSA-3ggm-c5m7-hfv5","cve":"CVE-2026-48557","affectedVersions":"\u003C11.23.0","source":"GitHub","reportedAt":"2026-05-29 21:31:25","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-3ggm-c5m7-hfv5"}]}],"kimai\/kimai":[{"advisoryId":"PKSA-c4rt-jt98-gvs8","packageName":"kimai\/kimai","remoteId":"GHSA-j5mc-p8qg-39j7","title":"Kimai Favorite Timesheet Add and Remove Endpoints Allows Cross-User Bookmark Manipulation","link":"https:\/\/github.com\/advisories\/GHSA-j5mc-p8qg-39j7","cve":null,"affectedVersions":"\u003C=2.56.0","source":"GitHub","reportedAt":"2026-07-02 20:44:05","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-j5mc-p8qg-39j7"}]},{"advisoryId":"PKSA-rxqm-xvx5-ktw1","packageName":"kimai\/kimai","remoteId":"GHSA-m492-gv72-xvxj","title":"Kimai Password Reset Link Remains Valid After Password Change","link":"https:\/\/github.com\/advisories\/GHSA-m492-gv72-xvxj","cve":null,"affectedVersions":"\u003C=2.57.0","source":"GitHub","reportedAt":"2026-07-01 19:49:24","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-m492-gv72-xvxj"}]}],"simplesamlphp\/simplesamlphp":[{"advisoryId":"PKSA-569h-6vqh-5xr3","packageName":"simplesamlphp\/simplesamlphp","remoteId":"GHSA-q8r6-xj3f-wrrm","title":"SimpleSAMLphp SP accepts a response from an unexpected IdP when unsigned `Response\/InResponseTo` is combined with a signed assertion lacking `SubjectConfirmationData\/InResponseTo`","link":"https:\/\/github.com\/advisories\/GHSA-q8r6-xj3f-wrrm","cve":"CVE-2026-49284","affectedVersions":"\u003C=2.4.6|\u003E=2.5.0,\u003C=2.5.1","source":"GitHub","reportedAt":"2026-07-02 20:47:21","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-q8r6-xj3f-wrrm"}]}],"simplesamlphp\/saml2":[{"advisoryId":"PKSA-yk3g-3g3t-ts6q","packageName":"simplesamlphp\/saml2","remoteId":"GHSA-6929-8p9f-26jx","title":"SimpleSAMLphp HTTP-Artifact TLS validator confusion allows cross-IdP authentication bypass","link":"https:\/\/github.com\/advisories\/GHSA-6929-8p9f-26jx","cve":"CVE-2026-49283","affectedVersions":"\u003C4.20.2|\u003E=5.0.0,\u003C5.0.6|\u003E=6.0.0,\u003C6.2.1","source":"GitHub","reportedAt":"2026-07-02 20:25:56","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-6929-8p9f-26jx"}]},{"advisoryId":"PKSA-1fc7-xrz7-vw78","packageName":"simplesamlphp\/saml2","remoteId":"GHSA-5cjr-mxj5-wmrx","title":"SimpleSAMLphp has Possible DoS via XPath Transform","link":"https:\/\/github.com\/advisories\/GHSA-5cjr-mxj5-wmrx","cve":"CVE-2026-49289","affectedVersions":"\u003C=4.20.2","source":"GitHub","reportedAt":"2026-07-02 20:27:23","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-5cjr-mxj5-wmrx"}]}],"simplesamlphp\/saml2-legacy":[{"advisoryId":"PKSA-4y26-97zb-p98g","packageName":"simplesamlphp\/saml2-legacy","remoteId":"GHSA-6929-8p9f-26jx","title":"SimpleSAMLphp HTTP-Artifact TLS validator confusion allows cross-IdP authentication bypass","link":"https:\/\/github.com\/advisories\/GHSA-6929-8p9f-26jx","cve":"CVE-2026-49283","affectedVersions":"\u003C4.20.2","source":"GitHub","reportedAt":"2026-07-02 20:25:56","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-6929-8p9f-26jx"}]},{"advisoryId":"PKSA-11bv-m3wk-h9sn","packageName":"simplesamlphp\/saml2-legacy","remoteId":"GHSA-5cjr-mxj5-wmrx","title":"SimpleSAMLphp has Possible DoS via XPath Transform","link":"https:\/\/github.com\/advisories\/GHSA-5cjr-mxj5-wmrx","cve":"CVE-2026-49289","affectedVersions":"\u003C=4.20.2","source":"GitHub","reportedAt":"2026-07-02 20:27:23","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-5cjr-mxj5-wmrx"}]}],"craftcms\/cms":[{"advisoryId":"PKSA-zn8p-45f7-kgv1","packageName":"craftcms\/cms","remoteId":"GHSA-x5m4-g2cq-52pq","title":"Craft CMS\u0027s mass assignment via id in newAttributes during bulk duplicate overwrites existing elements","link":"https:\/\/github.com\/advisories\/GHSA-x5m4-g2cq-52pq","cve":"CVE-2026-50281","affectedVersions":"\u003E=5.7.0,\u003C5.9.21","source":"GitHub","reportedAt":"2026-07-02 20:03:36","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-x5m4-g2cq-52pq"}]},{"advisoryId":"PKSA-9z7r-2kcf-76cf","packageName":"craftcms\/cms","remoteId":"GHSA-3w32-23wj-rxg3","title":"Craft CMS Vulnerable to Unauthorized Deletion of Destination Folders During Forced Moves","link":"https:\/\/github.com\/advisories\/GHSA-3w32-23wj-rxg3","cve":"CVE-2026-50282","affectedVersions":"\u003E=4.0.0-RC1,\u003C4.17.14|\u003E=5.0.0-RC1,\u003C5.9.21","source":"GitHub","reportedAt":"2026-07-02 20:03:58","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-3w32-23wj-rxg3"}]},{"advisoryId":"PKSA-rg3c-2r2k-sf93","packageName":"craftcms\/cms","remoteId":"GHSA-qq2c-2q8j-jh27","title":"Craft CMS: Authorship spoofing in `entries\/save-entry` via pre-check\/post-mutation authorization gap","link":"https:\/\/github.com\/advisories\/GHSA-qq2c-2q8j-jh27","cve":"CVE-2026-50279","affectedVersions":"\u003E=5.0.0-RC1,\u003C5.9.21","source":"GitHub","reportedAt":"2026-07-02 18:45:28","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-qq2c-2q8j-jh27"}]},{"advisoryId":"PKSA-nhns-q2yx-ct2v","packageName":"craftcms\/cms","remoteId":"GHSA-43cq-c2gq-pfpw","title":"Craft CMS: Authorization bypass in `entries\/move-to-section` via missing target-section save check","link":"https:\/\/github.com\/advisories\/GHSA-43cq-c2gq-pfpw","cve":"CVE-2026-50280","affectedVersions":"\u003E=5.0.0-RC1,\u003C5.9.21","source":"GitHub","reportedAt":"2026-07-02 18:47:37","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-43cq-c2gq-pfpw"}]},{"advisoryId":"PKSA-68rr-18x7-w4gg","packageName":"craftcms\/cms","remoteId":"GHSA-qh45-9g5p-m2v4","title":"Craft CMS: Unauthorized Deletion of Source Assets During File Replacement","link":"https:\/\/github.com\/advisories\/GHSA-qh45-9g5p-m2v4","cve":"CVE-2026-50283","affectedVersions":"\u003E=4.0.0-RC1,\u003C4.17.14|\u003E=5.0.0-RC1,\u003C5.9.21","source":"GitHub","reportedAt":"2026-07-02 18:48:27","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-qh45-9g5p-m2v4"}]},{"advisoryId":"PKSA-fd42-dyd4-g3dq","packageName":"craftcms\/cms","remoteId":"GHSA-7h62-6v23-v8fm","title":"Craft CMS: Missing peer-permission check in `AssetsController::actionDeleteFolder` allows deletion of other users\u0027 assets","link":"https:\/\/github.com\/advisories\/GHSA-7h62-6v23-v8fm","cve":"CVE-2026-50284","affectedVersions":"\u003E=4.0.0-RC1,\u003C4.17.15|\u003E=5.0.0-RC1,\u003C5.9.22","source":"GitHub","reportedAt":"2026-07-02 18:49:04","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-7h62-6v23-v8fm"}]}],"mautic\/core":[{"advisoryId":"PKSA-tmx3-5zmv-624c","packageName":"mautic\/core","remoteId":"GHSA-jmv8-8j9j-rcpc","title":"Mautic Focus component Vulnerable to SSRF","link":"https:\/\/github.com\/advisories\/GHSA-jmv8-8j9j-rcpc","cve":"CVE-2026-9557","affectedVersions":"\u003E=7.0.0,\u003C7.1.2|\u003E=6.0.0,\u003C6.0.9|\u003E=5.0.0,\u003C5.2.11|\u003E=4.0.0,\u003C=4.4.13","source":"GitHub","reportedAt":"2026-07-02 19:47:38","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-jmv8-8j9j-rcpc"}]},{"advisoryId":"PKSA-5wpq-7gbm-cqxv","packageName":"mautic\/core","remoteId":"GHSA-9fx4-7cmj-47vg","title":"Mautic has Server-Side Template Injection (SSTI) in Theme Templates","link":"https:\/\/github.com\/advisories\/GHSA-9fx4-7cmj-47vg","cve":"CVE-2026-9558","affectedVersions":"\u003E=7.0.0,\u003C7.1.2|\u003E=6.0.0,\u003C6.0.9|\u003E=5.0.0,\u003C5.2.11|\u003E=1.3.0,\u003C4.4.13","source":"GitHub","reportedAt":"2026-07-02 19:48:08","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-9fx4-7cmj-47vg"}]},{"advisoryId":"PKSA-743g-7dzv-xbzg","packageName":"mautic\/core","remoteId":"GHSA-6r9h-4h75-7q4x","title":"Mautic vulnerable to Path Traversal via Campaign Import","link":"https:\/\/github.com\/advisories\/GHSA-6r9h-4h75-7q4x","cve":"CVE-2026-9559","affectedVersions":"\u003E=7.0.0,\u003C7.1.2","source":"GitHub","reportedAt":"2026-07-02 19:48:50","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-6r9h-4h75-7q4x"}]},{"advisoryId":"PKSA-199x-g3sb-2vrd","packageName":"mautic\/core","remoteId":"GHSA-2jrw-c95w-h43g","title":"Mautic has an Authorization Bypass in API v2 Endpoints","link":"https:\/\/github.com\/advisories\/GHSA-2jrw-c95w-h43g","cve":"CVE-2026-9808","affectedVersions":"\u003E=7.0.0,\u003C7.1.2","source":"GitHub","reportedAt":"2026-07-02 19:49:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-2jrw-c95w-h43g"}]},{"advisoryId":"PKSA-xbvd-zmn4-s43b","packageName":"mautic\/core","remoteId":"GHSA-7h65-whp7-rgqf","title":"Mautic has Stored Cross-Site Scripting (XSS) in Projects Component","link":"https:\/\/github.com\/advisories\/GHSA-7h65-whp7-rgqf","cve":"CVE-2026-9809","affectedVersions":"\u003E=7.0.0,\u003C7.1.2","source":"GitHub","reportedAt":"2026-07-02 19:49:14","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-7h65-whp7-rgqf"}]},{"advisoryId":"PKSA-mhxb-h64m-td2q","packageName":"mautic\/core","remoteId":"GHSA-5hvg-w58j-545m","title":"Mautic has Stored Cross-Site Scripting (XSS) in Project Option Selector","link":"https:\/\/github.com\/advisories\/GHSA-5hvg-w58j-545m","cve":"CVE-2026-9811","affectedVersions":"\u003E=7.0.0,\u003C7.1.2","source":"GitHub","reportedAt":"2026-07-02 19:49:27","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-5hvg-w58j-545m"}]},{"advisoryId":"PKSA-pdn1-217f-vc3y","packageName":"mautic\/core","remoteId":"GHSA-fcmw-wx57-9p75","title":"Mautic has SQL Injection in API Contact Filtering","link":"https:\/\/github.com\/advisories\/GHSA-fcmw-wx57-9p75","cve":"CVE-2026-4776","affectedVersions":"\u003E=7.0.0,\u003C7.1.2|\u003E=6.0.0,\u003C6.0.9|\u003E=5.0.0,\u003C5.2.11|\u003E=2.6.0,\u003C=4.4.13","source":"GitHub","reportedAt":"2026-07-02 19:25:18","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-fcmw-wx57-9p75"}]}],"froxlor\/froxlor":[{"advisoryId":"PKSA-q6mw-b5rg-dy2q","packageName":"froxlor\/froxlor","remoteId":"GHSA-mr9h-45p9-fg8h","title":"Froxlor: Authenticated customers can read other customers\u0027 allowed sender aliases","link":"https:\/\/github.com\/advisories\/GHSA-mr9h-45p9-fg8h","cve":null,"affectedVersions":"\u003C=2.3.6","source":"GitHub","reportedAt":"2026-07-02 19:23:31","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-mr9h-45p9-fg8h"}]},{"advisoryId":"PKSA-54z7-97sf-f9k2","packageName":"froxlor\/froxlor","remoteId":"GHSA-q4rm-m6xh-5pv7","title":"Froxlor customer can create MySQL databases on disallowed servers via Mysqls.add API","link":"https:\/\/github.com\/advisories\/GHSA-q4rm-m6xh-5pv7","cve":null,"affectedVersions":"\u003C=2.3.6","source":"GitHub","reportedAt":"2026-07-02 19:23:49","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-q4rm-m6xh-5pv7"}]}],"mediawiki\/maps":[{"advisoryId":"PKSA-hjtx-83wm-5fvj","packageName":"mediawiki\/maps","remoteId":"GHSA-4h7g-5542-v3fc","title":"mediawiki\/maps has stored XSS through the overlays parameter in the display_map parser function","link":"https:\/\/github.com\/advisories\/GHSA-4h7g-5542-v3fc","cve":"CVE-2026-52854","affectedVersions":"\u003C12.1.3","source":"GitHub","reportedAt":"2026-07-02 17:51:24","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-4h7g-5542-v3fc"}]}],"twig\/twig":[{"advisoryId":"PKSA-8zx5-v2nz-58pb","packageName":"twig\/twig","remoteId":"GHSA-529h-vh3j-85hq","title":"Twig: Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders for a cached `Template`","link":"https:\/\/github.com\/advisories\/GHSA-529h-vh3j-85hq","cve":"CVE-2026-49981","affectedVersions":"\u003C=3.26.0","source":"GitHub","reportedAt":"2026-07-01 18:55:49","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-529h-vh3j-85hq"}]},{"advisoryId":"PKSA-fbvq-z33h-r2np","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-48808.yaml","title":"Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`","link":"https:\/\/symfony.com\/blog\/cve-2026-48808-sandbox-property-allowlist-bypass-via-the-column-filter-under-sourcepolicyinterface","cve":"CVE-2026-48808","affectedVersions":"\u003E=1.0.0,\u003C2.0.0|\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.27.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-27 15:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-h8vq-8gpg-mhcg"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-48808.yaml"}]},{"advisoryId":"PKSA-g9zw-qxh8-pq8w","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-48805.yaml","title":"Sandbox state regression in deprecated internal wrappers in `src\/Resources\/core.php`","link":"https:\/\/symfony.com\/blog\/cve-2026-48805-sandbox-state-regression-in-deprecated-internal-wrappers-in-src-resources-core-php","cve":"CVE-2026-48805","affectedVersions":"\u003E=1.0.0,\u003C2.0.0|\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.27.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-27 15:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-p42q-9prx-q5wq"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-48805.yaml"}]},{"advisoryId":"PKSA-1tmc-rt7x-12w6","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-48806.yaml","title":"Sandbox `__toString()` policy bypass via dynamic mapping keys","link":"https:\/\/symfony.com\/blog\/cve-2026-48806-sandbox-tostring-policy-bypass-via-dynamic-mapping-keys","cve":"CVE-2026-48806","affectedVersions":"\u003E=1.0.0,\u003C2.0.0|\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.27.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-27 15:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-5v5v-ww74-355v"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-48806.yaml"}]},{"advisoryId":"PKSA-xx6c-6d96-db2w","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2026-48807.yaml","title":"Sandbox `__toString()` policy bypass via `Traversable` in `join`\/`replace` and `in`\/`not in` operators","link":"https:\/\/symfony.com\/blog\/cve-2026-48807-sandbox-tostring-policy-bypass-via-traversable-in-join-replace-and-in-not-in-operators","cve":"CVE-2026-48807","affectedVersions":"\u003E=1.0.0,\u003C2.0.0|\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.27.0","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-27 15:00:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-8x9c-rmqh-456c"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2026-48807.yaml"}]}],"paymenter\/paymenter":[{"advisoryId":"PKSA-rhsq-g9d6-k3wy","packageName":"paymenter\/paymenter","remoteId":"GHSA-pgcq-8grm-5rx9","title":"Paymenter has race condition in payWithCredit() that enables credit double-spend","link":"https:\/\/github.com\/advisories\/GHSA-pgcq-8grm-5rx9","cve":"CVE-2026-55219","affectedVersions":"\u003C=1.5.4","source":"GitHub","reportedAt":"2026-06-30 19:11:24","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-pgcq-8grm-5rx9"}]},{"advisoryId":"PKSA-6pn7-by4p-qj8v","packageName":"paymenter\/paymenter","remoteId":"GHSA-5q4q-834j-g8g4","title":"Paymenter has URL parameter injection that bypasses paid plan limits at checkout","link":"https:\/\/github.com\/advisories\/GHSA-5q4q-834j-g8g4","cve":"CVE-2026-47198","affectedVersions":"\u003C1.5.1","source":"GitHub","reportedAt":"2026-06-30 16:44:31","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-5q4q-834j-g8g4"}]}],"dolibarr\/dolibarr":[{"advisoryId":"PKSA-t829-nm92-5bvj","packageName":"dolibarr\/dolibarr","remoteId":"GHSA-hxmh-2xc4-c894","title":"Dolibarr ERP CRM contains a remote code evaluation vulnerability","link":"https:\/\/github.com\/advisories\/GHSA-hxmh-2xc4-c894","cve":"CVE-2018-25357","affectedVersions":"\u003C6.0.8|\u003E=7.0.0,\u003C=7.0.3","source":"GitHub","reportedAt":"2026-05-26 13:30:27","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-hxmh-2xc4-c894"}]}],"concrete5\/concrete5":[{"advisoryId":"PKSA-btjd-g8jc-d7j1","packageName":"concrete5\/concrete5","remoteId":"GHSA-jqvq-gv67-3567","title":"Concrete CMS is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog","link":"https:\/\/github.com\/advisories\/GHSA-jqvq-gv67-3567","cve":"CVE-2026-8347","affectedVersions":"\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-26 13:30:17","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-jqvq-gv67-3567"}]},{"advisoryId":"PKSA-ft53-g53d-bkdk","packageName":"concrete5\/concrete5","remoteId":"GHSA-xjg6-5v39-v7fc","title":"Concrete CMS is vulnerable to CSRF via Backend\\File::approveVersion","link":"https:\/\/github.com\/advisories\/GHSA-xjg6-5v39-v7fc","cve":"CVE-2026-8340","affectedVersions":"\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-26 13:30:17","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-xjg6-5v39-v7fc"}]},{"advisoryId":"PKSA-7k3m-1wvv-hrns","packageName":"concrete5\/concrete5","remoteId":"GHSA-q9fm-mpg8-8jqm","title":"Concrete CMS is vulnerable to Stored XSS via page name in the Atomik theme","link":"https:\/\/github.com\/advisories\/GHSA-q9fm-mpg8-8jqm","cve":"CVE-2026-8353","affectedVersions":"\u003E=9.0.0RC.1,\u003C9.5.1","source":"GitHub","reportedAt":"2026-05-26 13:30:17","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-q9fm-mpg8-8jqm"}]}],"statamic\/cms":[{"advisoryId":"PKSA-9stt-y5w8-fn5y","packageName":"statamic\/cms","remoteId":"GHSA-7mqq-4v55-88gh","title":"Statamic CMS\u0027s incorrect authorization lets view-only users submit Live Preview content reserved for editors","link":"https:\/\/github.com\/advisories\/GHSA-7mqq-4v55-88gh","cve":"CVE-2026-54244","affectedVersions":"\u003E=6.0.0,\u003C6.20.3|\u003C5.74.0","source":"GitHub","reportedAt":"2026-06-26 23:10:37","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-7mqq-4v55-88gh"}]},{"advisoryId":"PKSA-9vds-c3yh-rq22","packageName":"statamic\/cms","remoteId":"GHSA-v5c4-wcpj-x73m","title":"Statamic Vulnerable to Server-Side Request Forgery via Glide (DNS rebinding)","link":"https:\/\/github.com\/advisories\/GHSA-v5c4-wcpj-x73m","cve":"CVE-2026-54242","affectedVersions":"\u003E=6.0.0,\u003C6.20.1|\u003C5.73.24","source":"GitHub","reportedAt":"2026-06-26 23:03:28","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-v5c4-wcpj-x73m"}]},{"advisoryId":"PKSA-q7zp-ytbf-kmf9","packageName":"statamic\/cms","remoteId":"GHSA-h77m-qrj7-jxcw","title":"Statamic Vulnerable to CSV formula injection in form submission exports","link":"https:\/\/github.com\/advisories\/GHSA-h77m-qrj7-jxcw","cve":"CVE-2026-54243","affectedVersions":"\u003C5.73.24|\u003E=6.0.0,\u003C6.20.1","source":"GitHub","reportedAt":"2026-06-26 23:03:56","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-h77m-qrj7-jxcw"}]},{"advisoryId":"PKSA-ykrx-2shq-vs9n","packageName":"statamic\/cms","remoteId":"GHSA-2497-6pwj-pwg7","title":"Statamic CMS: Missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources","link":"https:\/\/github.com\/advisories\/GHSA-2497-6pwj-pwg7","cve":"CVE-2026-49288","affectedVersions":"\u003E=6.0.0,\u003C6.20.0|\u003C5.73.23","source":"GitHub","reportedAt":"2026-06-26 22:12:21","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-2497-6pwj-pwg7"}]},{"advisoryId":"PKSA-fhw5-pm86-31ff","packageName":"statamic\/cms","remoteId":"GHSA-m92m-r54r-x8r2","title":"Statamic CMS\u0027s unsafe method invocation via collection sorting allows data destruction","link":"https:\/\/github.com\/advisories\/GHSA-m92m-r54r-x8r2","cve":"CVE-2026-49287","affectedVersions":"\u003E=6.0.0,\u003C6.20.0|\u003C5.73.23","source":"GitHub","reportedAt":"2026-06-26 22:15:47","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-m92m-r54r-x8r2"}]}],"solidinvoice\/solidinvoice":[{"advisoryId":"PKSA-djbd-8ghh-z678","packageName":"solidinvoice\/solidinvoice","remoteId":"GHSA-7vfx-4246-jcfh","title":"SolidInvoice: IDOR in LiveComponent allows same-company cross-user access to API tokens and notification transport settings","link":"https:\/\/github.com\/advisories\/GHSA-7vfx-4246-jcfh","cve":null,"affectedVersions":"\u003C=2.3.15","source":"GitHub","reportedAt":"2026-06-26 22:20:50","composerRepository":null,"severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-7vfx-4246-jcfh"}]}],"pontedilana\/php-weasyprint":[{"advisoryId":"PKSA-xz12-xgjc-r2wn","packageName":"pontedilana\/php-weasyprint","remoteId":"GHSA-2fmj-p74r-3wjm","title":"PhpWeasyPrint vulnerable to PHAR deserialization via output filename (CVE-2023-28115 case-insensitive bypass)","link":"https:\/\/github.com\/advisories\/GHSA-2fmj-p74r-3wjm","cve":"CVE-2026-49286","affectedVersions":"\u003C=2.5.1","source":"GitHub","reportedAt":"2026-06-26 22:10:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-2fmj-p74r-3wjm"}]},{"advisoryId":"PKSA-69w1-spwq-4gvw","packageName":"pontedilana\/php-weasyprint","remoteId":"GHSA-5g9f-cwwg-4p8g","title":"PhpWeasyPrint vulnerable to arbitrary file deletion at shutdown via public $temporaryFiles","link":"https:\/\/github.com\/advisories\/GHSA-5g9f-cwwg-4p8g","cve":"CVE-2026-49358","affectedVersions":"\u003C=2.5.1","source":"GitHub","reportedAt":"2026-06-26 22:10:51","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-5g9f-cwwg-4p8g"}]},{"advisoryId":"PKSA-q4hm-4pvf-f13w","packageName":"pontedilana\/php-weasyprint","remoteId":"GHSA-x8g9-h984-pc36","title":"PhpWeasyPrint vulnerable to SSRF and local file disclosure via the attachment option","link":"https:\/\/github.com\/advisories\/GHSA-x8g9-h984-pc36","cve":"CVE-2026-49359","affectedVersions":"\u003C=2.5.1","source":"GitHub","reportedAt":"2026-06-26 22:11:40","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-x8g9-h984-pc36"}]},{"advisoryId":"PKSA-p9k4-v53c-c7zd","packageName":"pontedilana\/php-weasyprint","remoteId":"GHSA-f5gc-qxf8-mh9g","title":"php-weasyprint: shell command injection via configurable WeasyPrint binary path due to inverted is_executable() guard (mirror of KnpLabs\/snappy GHSA-vpr4-p6fq-85jc)","link":"https:\/\/github.com\/advisories\/GHSA-f5gc-qxf8-mh9g","cve":"CVE-2026-49260","affectedVersions":"\u003C=2.5.0","source":"GitHub","reportedAt":"2026-06-26 21:46:27","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-f5gc-qxf8-mh9g"}]}],"aimeos\/pagible":[{"advisoryId":"PKSA-85r2-kyxr-cpv8","packageName":"aimeos\/pagible","remoteId":"GHSA-mmj8-wcvw-6789","title":"Aimeos Pagible CMS vulnerable to Server Side Request Forgery (SSRF) via DNS rebinding in admin proxy","link":"https:\/\/github.com\/advisories\/GHSA-mmj8-wcvw-6789","cve":"CVE-2026-49262","affectedVersions":"\u003C0.10.4","source":"GitHub","reportedAt":"2026-06-26 21:50:10","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-mmj8-wcvw-6789"}]}],"thorsten\/phpmyfaq":[{"advisoryId":"PKSA-bgmm-r5q1-dvfj","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-985r-q3qp-299h","title":"phpMyFAQ has an incomplete fix for GHSA-xvp4-phqj-cjr3 \u2014 editUser() and updateUserRights() lack authorization guards","link":"https:\/\/github.com\/advisories\/GHSA-985r-q3qp-299h","cve":null,"affectedVersions":"\u003C=4.1.3","source":"GitHub","reportedAt":"2026-06-26 21:23:37","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-985r-q3qp-299h"}]}],"phpmyfaq\/phpmyfaq":[{"advisoryId":"PKSA-nnfw-464q-679b","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-985r-q3qp-299h","title":"phpMyFAQ has an incomplete fix for GHSA-xvp4-phqj-cjr3 \u2014 editUser() and updateUserRights() lack authorization guards","link":"https:\/\/github.com\/advisories\/GHSA-985r-q3qp-299h","cve":null,"affectedVersions":"\u003C=4.1.3","source":"GitHub","reportedAt":"2026-06-26 21:23:37","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-985r-q3qp-299h"}]}],"cakephp\/cakephp":[{"advisoryId":"PKSA-wx2k-k564-z67n","packageName":"cakephp\/cakephp","remoteId":"GHSA-wpvj-hjcr-h3p2","title":"CakePHP: View::element() is missing a path containment check","link":"https:\/\/github.com\/advisories\/GHSA-wpvj-hjcr-h3p2","cve":"CVE-2026-48820","affectedVersions":"\u003C4.5.11|\u003E=4.6.0,\u003C4.6.4|\u003E=5.0.0,\u003C5.1.7|\u003E=5.2.0,\u003C5.2.13|\u003E=5.3.0,\u003C5.3.6","source":"GitHub","reportedAt":"2026-06-26 21:00:10","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-wpvj-hjcr-h3p2"}]}],"web-auth\/webauthn-symfony-bundle":[{"advisoryId":"PKSA-by78-v7zw-v73g","packageName":"web-auth\/webauthn-symfony-bundle","remoteId":"GHSA-q683-8468-r6h6","title":"WebauthnAuthenticator leaks sensitive HTTP headers through INFO-level logs","link":"https:\/\/github.com\/advisories\/GHSA-q683-8468-r6h6","cve":null,"affectedVersions":"\u003C5.3.4","source":"GitHub","reportedAt":"2026-06-26 21:00:49","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-q683-8468-r6h6"}]}],"pterodactyl\/panel":[{"advisoryId":"PKSA-mzmz-41cv-9dtv","packageName":"pterodactyl\/panel","remoteId":"GHSA-j7f5-gfqm-pcx3","title":"Pterodactyl Panel: Client email change endpoint allows enumeration of accounts in system","link":"https:\/\/github.com\/advisories\/GHSA-j7f5-gfqm-pcx3","cve":null,"affectedVersions":"\u003C1.12.3","source":"GitHub","reportedAt":"2026-06-26 20:54:38","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-j7f5-gfqm-pcx3"}]}],"php-standard-library\/h2":[{"advisoryId":"PKSA-wz5t-5b2y-qjqk","packageName":"php-standard-library\/h2","remoteId":"GHSA-pw9p-jvrm-f7rm","title":"PHP Standard Library: HTTP\/2 server-side missing content-length validation enables request smuggling","link":"https:\/\/github.com\/advisories\/GHSA-pw9p-jvrm-f7rm","cve":"CVE-2026-48979","affectedVersions":"\u003E=6.2.0,\u003C6.2.1|\u003E=6.1.0,\u003C6.1.2","source":"GitHub","reportedAt":"2026-06-26 20:55:55","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pw9p-jvrm-f7rm"}]}],"php-standard-library\/php-standard-library":[{"advisoryId":"PKSA-9rcn-mnby-44gp","packageName":"php-standard-library\/php-standard-library","remoteId":"GHSA-pw9p-jvrm-f7rm","title":"PHP Standard Library: HTTP\/2 server-side missing content-length validation enables request smuggling","link":"https:\/\/github.com\/advisories\/GHSA-pw9p-jvrm-f7rm","cve":"CVE-2026-48979","affectedVersions":"\u003E=6.2.0,\u003C6.2.1|\u003E=6.1.0,\u003C6.1.2","source":"GitHub","reportedAt":"2026-06-26 20:55:55","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pw9p-jvrm-f7rm"}]}],"tinymce\/tinymce":[{"advisoryId":"PKSA-k4d6-bt7k-7ddp","packageName":"tinymce\/tinymce","remoteId":"GHSA-vg35-5wq7-3x7w","title":"TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection","link":"https:\/\/github.com\/advisories\/GHSA-vg35-5wq7-3x7w","cve":"CVE-2026-47761","affectedVersions":"\u003E0,\u003C=5.10.9|\u003E=8.0.0,\u003C8.5.1|\u003E=6.0.0,\u003C7.9.3","source":"GitHub","reportedAt":"2026-06-05 20:29:43","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-vg35-5wq7-3x7w"}]}],"easycorp\/easyadmin-bundle":[{"advisoryId":"PKSA-z6tn-c4hk-yb9y","packageName":"easycorp\/easyadmin-bundle","remoteId":"easycorp\/easyadmin-bundle\/GHSA-2wwr-9x6f-88gp.yaml","title":"Path traversal and reflected XSS in Flag and Icon Twig components","link":"https:\/\/github.com\/EasyCorp\/EasyAdminBundle\/security\/advisories\/GHSA-2wwr-9x6f-88gp","cve":null,"affectedVersions":"\u003E=4.0.0,\u003C4.29.10|\u003E=5.0.0,\u003C5.0.10","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-28 18:30:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"easycorp\/easyadmin-bundle\/GHSA-2wwr-9x6f-88gp.yaml"},{"name":"GitHub","remoteId":"GHSA-2wwr-9x6f-88gp"}]}],"spatie\/schema-org":[{"advisoryId":"PKSA-6mmh-w4kg-c2xp","packageName":"spatie\/schema-org","remoteId":"spatie\/schema-org\/2026-04-20.yaml","title":"Cross-site scripting (XSS) via script break-out in toScript() output","link":"https:\/\/github.com\/spatie\/schema-org\/releases\/tag\/4.0.2","cve":null,"affectedVersions":"\u003E=3.23.1,\u003C3.23.2|\u003E=4.0.0,\u003C4.0.2","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-04-20 00:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-hwmc-r6mf-jh83"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"spatie\/schema-org\/2026-04-20.yaml"}]}],"evoweb\/sf-register":[{"advisoryId":"PKSA-1gw5-qx8s-xyvr","packageName":"evoweb\/sf-register","remoteId":"evoweb\/sf-register\/CVE-2026-46721.yaml","title":"TYPO3-EXT-SA-2026-009: Broken Access Control in extension \u0022Frontend User Registration\u0022 (sf_register)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2026-009","cve":"CVE-2026-46721","affectedVersions":"\u003E=14.0.0,\u003C14.0.2|\u003C13.2.4","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-18 16:40:54","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"evoweb\/sf-register\/CVE-2026-46721.yaml"},{"name":"GitHub","remoteId":"GHSA-v348-vr4q-fv9p"}]}],"tpwd\/ke_search":[{"advisoryId":"PKSA-cy57-p12b-t759","packageName":"tpwd\/ke_search","remoteId":"tpwd\/ke_search\/CVE-2026-46722.yaml","title":"TYPO3-EXT-SA-2026-011: XML External Entity Injection in extension \u0022Faceted Search\u0022 (ke_search)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2026-011","cve":"CVE-2026-46722","affectedVersions":"\u003E=7.0.0,\u003C7.0.1|\u003E=6.0.0,\u003C6.6.1|\u003E=5.0.0,\u003C5.6.2|\u003C4.6.7","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-18 14:30:45","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-fq39-62gx-8hqx"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"tpwd\/ke_search\/CVE-2026-46722.yaml"}]},{"advisoryId":"PKSA-ybqg-nm5d-my8d","packageName":"tpwd\/ke_search","remoteId":"tpwd\/ke_search\/CVE-2026-46724.yaml","title":"TYPO3-EXT-SA-2026-011: Path Traversal in extension \u0022Faceted Search\u0022 (ke_search)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2026-011","cve":"CVE-2026-46724","affectedVersions":"\u003E=7.0.0,\u003C7.0.1|\u003E=6.0.0,\u003C6.6.1|\u003E=5.0.0,\u003C5.6.2|\u003C4.6.7","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-18 14:30:45","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-c72x-mc2p-wv7x"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"tpwd\/ke_search\/CVE-2026-46724.yaml"}]},{"advisoryId":"PKSA-pb46-78nq-81hw","packageName":"tpwd\/ke_search","remoteId":"tpwd\/ke_search\/CVE-2026-46723.yaml","title":"TYPO3-EXT-SA-2026-011: Path Traversal in extension \u0022Faceted Search\u0022 (ke_search)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2026-011","cve":"CVE-2026-46723","affectedVersions":"\u003E=7.0.0,\u003C7.0.1|\u003E=6.0.0,\u003C6.6.1|\u003C5.6.2","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-18 14:30:45","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-67j3-jmm3-32xc"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"tpwd\/ke_search\/CVE-2026-46723.yaml"}]}],"mmc\/ceselector":[{"advisoryId":"PKSA-kfm7-j6tb-2qn9","packageName":"mmc\/ceselector","remoteId":"mmc\/ceselector\/CVE-2026-46725.yaml","title":"TYPO3-EXT-SA-2026-013: Remote Code Execution in extension \u0022Content Element Selector\u0022 (ceselector)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2026-013","cve":"CVE-2026-46725","affectedVersions":"\u003E=6.0.0,\u003C6.0.1|\u003E=5.0.0,\u003C5.0.1|\u003E=4.0.0,\u003C4.0.2|\u003C3.0.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-04-07 10:50:50","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-8x3j-439w-537c"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"mmc\/ceselector\/CVE-2026-46725.yaml"}]}],"friendsoftypo3\/tt-address":[{"advisoryId":"PKSA-s9h4-6qfr-k554","packageName":"friendsoftypo3\/tt-address","remoteId":"friendsoftypo3\/tt-address\/CVE-2026-8827.yaml","title":"TYPO3-EXT-SA-2026-012: SQL Injection in extension \u0022Address List\u0022 (tt_address)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2026-012","cve":"CVE-2026-8827","affectedVersions":"\u003E=10.0.0,\u003C10.0.1|\u003E=9.0.0,\u003C9.1.1|\u003C8.1.2","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-18 15:13:22","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"friendsoftypo3\/tt-address\/CVE-2026-8827.yaml"},{"name":"GitHub","remoteId":"GHSA-3h52-6v6j-6wwv"}]}],"tomasnorre\/crawler":[{"advisoryId":"PKSA-bt63-cwpy-49h9","packageName":"tomasnorre\/crawler","remoteId":"tomasnorre\/crawler\/CVE-2026-8727.yaml","title":"TYPO3-EXT-SA-2026-008: Remote Code Execution in extension \u0022Site Crawler\u0022 (crawler)","link":"https:\/\/typo3.org\/security\/advisory\/typo3-ext-sa-2026-008","cve":"CVE-2026-8727","affectedVersions":"\u003E=12.0.0,\u003C12.0.11|\u003C11.0.13","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-11 19:18:44","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-jr8m-x4p7-p3v5"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"tomasnorre\/crawler\/CVE-2026-8727.yaml"}]}],"symfony\/symfony":[{"advisoryId":"PKSA-xxm6-3p32-rqz7","packageName":"symfony\/symfony","remoteId":"symfony\/symfony\/CVE-2026-45075.yaml","title":"CVE-2026-45075: HEAD Request Bypasses methods: [\u0027GET\u0027] Filter in #[IsGranted] \/ #[IsSignatureValid] \/ #[IsCsrfTokenValid]","link":"https:\/\/symfony.com\/cve-2026-45075","cve":"CVE-2026-45075","affectedVersions":"\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-6439-2f28-8p8q"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/symfony\/CVE-2026-45075.yaml"}]}],"symfony\/security-http":[{"advisoryId":"PKSA-4tmc-tz3m-9xpb","packageName":"symfony\/security-http","remoteId":"symfony\/security-http\/CVE-2026-45075.yaml","title":"CVE-2026-45075: HEAD Request Bypasses methods: [\u0027GET\u0027] Filter in #[IsGranted] \/ #[IsSignatureValid] \/ #[IsCsrfTokenValid]","link":"https:\/\/symfony.com\/cve-2026-45075","cve":"CVE-2026-45075","affectedVersions":"\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-6439-2f28-8p8q"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/security-http\/CVE-2026-45075.yaml"}]}],"symfony\/http-kernel":[{"advisoryId":"PKSA-dw7n-x7f5-zf63","packageName":"symfony\/http-kernel","remoteId":"symfony\/http-kernel\/CVE-2026-45075.yaml","title":"CVE-2026-45075: HEAD Request Bypasses methods: [\u0027GET\u0027] Filter in #[IsGranted] \/ #[IsSignatureValid] \/ #[IsCsrfTokenValid]","link":"https:\/\/symfony.com\/cve-2026-45075","cve":"CVE-2026-45075","affectedVersions":"\u003E=7.4.0,\u003C7.4.12|\u003E=8.0.0,\u003C8.0.12","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-20 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-6439-2f28-8p8q"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"symfony\/http-kernel\/CVE-2026-45075.yaml"}]}]}}