
167 matches found

CVE
added 2026/04/13 8:19 p.m., 8 views

CVE-2026-32271

CVE-2026-32271 affects Craft Commerce (Craft CMS) in versions 4.0.0–4.10.2 and 5.0.0–5.5.4, where an SQL injection in the Commerce TotalRevenue widget allows any authenticated control panel user to achieve remote code execution. The exploit involves unsanitized widget settings interpolated into S...

CVSS 7.7, AI score 6.5, EPSS 0.0008
Exploits: 0, References: 2
Github Security Blog
added 2026/02/09 8:35 p.m., 3 views

Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via HTTP Redirect

Summary: The saveAsset GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An attacker can bypass all SSRF protections by hosting a redirect that points to cloud metadata endpoints or any internal IP addresses. ---...

CVSS 6.9, AI score 5.6, EPSS 0.00018
Exploits: 1, References: 6, Affected Software: 1
CNNVD
added 2026/02/09 12:00 a.m., 3 views

Craft CMS code issue vulnerability

Craft CMS is an open-source content management system developed by Craft CMS. Versions 4.0.0-RC1 to 4.16.17 and 5.0.0-RC1 to 5.8.21 of Craft CMS contain code vulnerabilities. These vulnerabilities stem from the fact that Guzzle automatically follows HTTP redirects, which may allow...

CVSS 6.9, AI score 5.9, EPSS 0.00018
Exploits: 1, References: 3
Packet Storm
added 2025/12/24 12:00 a.m., 318 views

Adobe Commerce Insecure Deserialization

This flaw in Magento 2 / Adobe Commerce 2.4.x enables remote attackers to manipulate internal session handling paths and abuse a PHP object chain built on the Guzzle FileCookieJar gadget to achieve an arbitrary file write, leading to remote code execution...

CVSS 9.1, AI score 9.9, EPSS 0.72152
Exploits: 9
OSV
added 2025/12/17 5:47 p.m., 3 views

DRUPAL-CONTRIB-2025-126

Http Client Manager introduces a new Guzzle-based plugin which allows you to manage HTTP clients using Guzzle Service Descriptions via YAML, JSON or PHP files, in a simple and efficient way. The module allows administrators to configure HTTP requests as part of Event Condition Action (ECA)...

CVSS 7.5, AI score 6.4, EPSS 0.00082
Exploits: 0, References: 1
Drupal
added 2025/12/17 12:00 a.m., 7 views

HTTP Client Manager - Less critical - Information disclosure - SA-CONTRIB-2025-126

Http Client Manager introduces a new Guzzle-based plugin which allows you to manage HTTP clients using Guzzle Service Descriptions via YAML, JSON or PHP files, in a simple and efficient way. The module allows administrators to configure HTTP requests as part of Event Condition Action (ECA)...

CVSS 7.5, AI score 5.5, EPSS 0.00082
Exploits: 0, References: 4
EUVD
added 2025/10/03 8:07 p.m., 6 views

EUVD-2025-0003

Malicious code in bioql PyPI...

CVSS 6.3, AI score 6.3, EPSS 0.00409
Exploits: 0, References: 6
EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2022-6168

Malicious code in bioql PyPI...

CVSS 7.5, AI score 7.4, EPSS 0.01454
Exploits: 0, References: 10
EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2022-6032

Malicious code in bioql PyPI...

CVSS 7.5, AI score 7.4, EPSS 0.01454
Exploits: 0, References: 10
EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2023-3109

Malicious code in bioql PyPI...

CVSS 6, AI score 5.3, EPSS 0.0011
Exploits: 0, References: 6
EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2022-5884

Malicious code in bioql PyPI...

CVSS 7.7, AI score 7.5, EPSS 0.01842
Exploits: 0, References: 11
EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2022-3650

Malicious code in bioql PyPI...

CVSS 8.1, AI score 7.9, EPSS 0.00637
Exploits: 0, References: 10
EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2022-6123

Malicious code in bioql PyPI...

CVSS 7.7, AI score 7.5, EPSS 0.01516
Exploits: 0, References: 9
Tenable Nessus
added 2025/08/15 12:00 a.m., 1 view

Linux Distros Unpatched Vulnerability : CVE-2022-31091

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Guzzle, an extensible PHP HTTP client. Authorization and Cookie headers on requests are sensitive information. In affected versions on making a request which...

CVSS 7.7, AI score 7.1, EPSS 0.01516
Exploits: 0, References: 2
Tenable Nessus
added 2025/08/15 12:00 a.m., 5 views

Linux Distros Unpatched Vulnerability : CVE-2022-29248

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not...

CVSS 8.1, AI score 7.2, EPSS 0.00637
Exploits: 0, References: 2
Redos
added 2025/08/12 12:00 a.m., 2 views

ROS-20250812-01

A vulnerability in the Guzzle HTTP client library for the PHP programming language interpreter is related to incorrectly implemented security checks for standard elements. Exploitation of the vulnerability could allow an attacker acting remotely to disclose protected information. Vulnerability i...

CVSS 7.5, AI score 7, EPSS 0.01454
Exploits: 0
Tenable Nessus
added 2025/08/12 12:00 a.m., 4 views

Linux Distros Unpatched Vulnerability : CVE-2022-31042

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Guzzle is an open source PHP HTTP client. In affected versions the Cookie headers on requests are sensitive information. On making a request using the https...

CVSS 7.5, AI score 7.1, EPSS 0.01454
Exploits: 0, References: 2
Tenable Nessus
added 2025/08/11 12:00 a.m., 5 views

Linux Distros Unpatched Vulnerability : CVE-2022-31043

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Guzzle is an open source PHP HTTP client. In affected versions Authorization headers on requests are sensitive information. On making a request using the https...

CVSS 7.5, AI score 7.1, EPSS 0.01454
Exploits: 0, References: 2
Tenable Nessus
added 2025/08/06 12:00 a.m., 3 views

Linux Distros Unpatched Vulnerability : CVE-2022-31090

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Guzzle, an extensible PHP HTTP client. Authorization headers on requests are sensitive information. In affected versions when using our Curl handler, it is...

CVSS 7.7, AI score 7.1, EPSS 0.01842
Exploits: 0, References: 2
RedhatCVE
added 2025/05/23 11:32 a.m., 6 views

CVE-2025-21617

Guzzle OAuth Subscriber signs Guzzle requests using OAuth 1.0. Prior to 0.8.1, nonce generation does not use sufficient entropy nor a cryptographically secure pseudorandom source. This can leave servers vulnerable to replay attacks when TLS is not used. This vulnerability is fixed in 0.8.1...

CVSS 6.3, AI score 6.6, EPSS 0.00409
Exploits: 0, References: 1