CVE-2026-42874

Microdot is a minimalistic Python web framework. Prior to 2.6.1, the Response.setcookie method does not sanitize its string arguments, and in particular will not detect the presence of the \r\n sequence in them. This can be a potential source of header injection attacks. For a header injection...

CVE-2026-42304

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service DoS attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending...

CVE-2026-42550

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, SimplePdo::insert, SimplePdo::update, and SimplePdo::delete build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and no validation. When an...

CVE-2026-42552

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the default error handler Engine::error writes the full exception message, exception code, and stack trace including absolute filesystem paths directly into the HTTP 500 response, with no debug gating. Production deployments leak...

CVE-2026-42551

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Request::getMethod unconditionally honors the X-HTTP-Method-Override header and the $REQUEST'method' parameter on any HTTP verb including safe verbs such as GET, with no opt-in and no whitelist of permitted target methods. A GET...

CVE-2026-42549

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the make:controller CLI command calls mkdir..., recursive: true on a path built from the user-supplied controller name, before Nette's class-name validation runs. The class-file write is correctly rejected by Nette when the name...

CVE-2026-42548

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Flight::jsonp concatenates the ?jsonp= query parameter directly into an application/javascript response body without validating that the value is a legal JavaScript identifier. An attacker can inject arbitrary JavaScript that...

CVE-2026-42552

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the default error handler Engine::error writes the full exception message, exception code, and stack trace including absolute filesystem paths directly into the HTTP 500 response, with no debug gating. Production deployments leak...

CVE-2026-42552 Flight: Sensitive information disclosure via default error handler in flightphp/core

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the default error handler Engine::error writes the full exception message, exception code, and stack trace including absolute filesystem paths directly into the HTTP 500 response, with no debug gating. Production deployments leak...

CVE-2026-42551

FlightPHP core contains a vulnerability in Request::getMethod() prior to 3.18.1 where X-HTTP-Method-Override and _method are applied to any HTTP verb without opt-in, allowing a GET to become DELETE/PUT. This enables CSRF escalation against destructive endpoints, bypass of middleware gated on unsa...

CVE-2026-42551 Flight: HTTP method override enabled by default enables CSRF escalation and middleware bypass in flightphp/core

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Request::getMethod unconditionally honors the X-HTTP-Method-Override header and the $REQUEST'method' parameter on any HTTP verb including safe verbs such as GET, with no opt-in and no whitelist of permitted target methods. A GET...

CVE-2026-42551

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Request::getMethod unconditionally honors the X-HTTP-Method-Override header and the $REQUEST'method' parameter on any HTTP verb including safe verbs such as GET, with no opt-in and no whitelist of permitted target methods. A GET...

CVE-2026-42550

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, SimplePdo::insert, SimplePdo::update, and SimplePdo::delete build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and no validation. When an...

CVE-2026-42550 Flight: SQL Injection via unvalidated identifiers in SimplePdo::insert / update / delete

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, SimplePdo::insert, SimplePdo::update, and SimplePdo::delete build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and no validation. When an...

CVE-2026-42550

Flight (PHP) vulnerability CVE-2026-42550 affects SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() prior to version 3.18.1. These helpers concatenate the table name and data keys directly into SQL without identifier quoting or validation, enabling SQL injection when attacker-cont...

CVE-2026-42550 Flight: SQL Injection via unvalidated identifiers in SimplePdo::insert / update / delete

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, SimplePdo::insert, SimplePdo::update, and SimplePdo::delete build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and no validation. When an...

CVE-2026-42549

CVE-2026-42549 affects Flight PHP core prior to 3.18.1. The make:controller CLI calls mkdir(..., recursive: true) on a user-supplied controller path before Nette class-name validation, allowing creation of directories outside the project root via ../ traversal. The directory creation side effect ...

CVE-2026-42549 Flight: Path traversal in `make:controller` CLI creates arbitrary directories outside project root

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the make:controller CLI command calls mkdir..., recursive: true on a path built from the user-supplied controller name, before Nette's class-name validation runs. The class-file write is correctly rejected by Nette when the name...

CVE-2026-42549 Flight: Path traversal in `make:controller` CLI creates arbitrary directories outside project root

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the make:controller CLI command calls mkdir..., recursive: true on a path built from the user-supplied controller name, before Nette's class-name validation runs. The class-file write is correctly rejected by Nette when the name...

CVE-2026-42548

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Flight::jsonp concatenates the ?jsonp= query parameter directly into an application/javascript response body without validating that the value is a legal JavaScript identifier. An attacker can inject arbitrary JavaScript that...