flightphp/core Security Advisories for v1.3.5 (5)
- [HIGH] Flight vulnerable to sensitive information disclosure via default error handler
  PKSA-c4m3-5zjm-wjht CVE-2026-42552 GHSA-qrch-52m5-vv85
  Affected version: <3.18.1
  Reported by: GitHub
- [HIGH] Flight: HTTP method override enabled by default, facilitating CSRF escalation and middleware bypass
  PKSA-w12s-8pdm-4hrq CVE-2026-42551 GHSA-vxrr-w42w-w76g
  Affected version: <3.18.1
  Reported by: GitHub
- [HIGH] Flight vulnerable to SQL Injection via unvalidated identifiers in SimplePdo::insert / update / delete
  PKSA-jtc2-k2n3-ck2b CVE-2026-42550 GHSA-xwqr-rcqg-22mr
  Affected version: <3.18.1
  Reported by: GitHub
- [MEDIUM] Flight has path traversal in `make:controller` CLI that creates arbitrary directories outside project root
  PKSA-1wr3-jdqm-7ppr CVE-2026-42549 GHSA-3xjv-pmf2-gf2q
  Affected version: <3.18.1
  Reported by: GitHub
- [HIGH] Flight has reflected XSS through an unvalidated JSONP callback in Flight::jsonp()
  PKSA-wvkx-qqd9-sqb6 CVE-2026-42548 GHSA-fcx8-ph5r-mxr4
  Affected version: <3.18.1
  Reported by: GitHub