CVE-2026-48489: Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET Routes

PKSA-c28x-6bj5-8spx CVE-2026-48489

Affected version: >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.53|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.41|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.13|>=8.0.0,<8.0.13

Reported by:
FriendsOfPHP/security-advisories

[HIGH] CVE-2026-45063: Identity Spoofing via Unanchored DN Regex in X509Authenticator

PKSA-tbsf-h7vc-j7hn CVE-2026-45063 GHSA-ph86-p8f6-f9r2

Affected version: >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12

Reported by:
GitHub, FriendsOfPHP/security-advisories

[HIGH] CVE-2020-5275: All rules set in "access_control" are required when the firewall is configured with the unanimous strategy

PKSA-srh1-bn3t-m6gg CVE-2020-5275 GHSA-g4m9-5hpf-hx72

Affected version: >=4.4.0,<4.4.7|>=5.0.0,<5.0.7

Reported by:
GitHub, FriendsOfPHP/security-advisories