CVE-2026-39850 Yii 2: Local file inclusion via view parameter name collision

Yii 2 is a PHP application framework. Versions 2.0.54 and prior contain flawed logic in the core view rendering method View::renderPhpFile that leads to Local File Inclusion. The function calls extract$params, EXTROVERWRITE before the require statement that loads the view file. As a result, a...

EUVD-2026-31190

Yii 2 is a PHP application framework. Versions 2.0.54 and prior contain flawed logic in the core view rendering method View::renderPhpFile that leads to Local File Inclusion. The function calls extract$params, EXTROVERWRITE before the require statement that loads the view file. As a result, a...

CVE-2026-39850 Yii 2: Local file inclusion via view parameter name collision

Yii 2 is a PHP application framework. Versions 2.0.54 and prior contain flawed logic in the core view rendering method View::renderPhpFile that leads to Local File Inclusion. The function calls extract$params, EXTROVERWRITE before the require statement that loads the view file. As a result, a...

CVE-2026-39850

Summary: Yii 2.x before 2.0.55 contains a Local File Inclusion flaw in View::renderPhpFile() caused by caller-controlled file parameter, which can overwrite the internal file selection and potentially enable RCE and information disclosure. Affected versions: 2.0.54 and earlier. Root cause: extrac...

CVE-2026-39850

Yii 2 is a PHP application framework. Versions 2.0.54 and prior contain flawed logic in the core view rendering method View::renderPhpFile that leads to Local File Inclusion. The function calls extract$params, EXTROVERWRITE before the require statement that loads the view file. As a result, a...

CVE-2026-39352

Frappe is affected by an Arbitrary File Read via Path Traversal in render_include. Versions prior to 15.105.0 and 16.15.0 are vulnerable; the issue is resolved in 16.15.0, 15.105.0 and later. Affected software: Frappe framework (full-stack web app). Root cause: path traversal in render_include en...

EUVD-2026-31178

Frappe is a full-stack web application framework. Versions prior to 15.105.0 and 16.15.0 contain a possible Arbitrary File Read vulnerability via Path Traversal. The issue is resolved in versions 16.15.0, 15.105.0 and above...

CVE-2026-39352

Frappe is a full-stack web application framework. Versions prior to 15.105.0 and 16.15.0 contain a possible Arbitrary File Read vulnerability via Path Traversal. The issue is resolved in versions 16.15.0, 15.105.0 and above...

CVE-2026-39352 Frappe has an Arbitrary File Read via Path Traversal in render_include

Frappe is a full-stack web application framework. Versions prior to 15.105.0 and 16.15.0 contain a possible Arbitrary File Read vulnerability via Path Traversal. The issue is resolved in versions 16.15.0, 15.105.0 and above...

google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation

A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 :path pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed :path that omits the mandato...

cve-honeypot

🪤 CVE Honeypot Farm Emulates vulnerable services based on rea...

Regular Expression Denial of Service (ReDoS)

Overview Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the Parser::cleanup function. Symfony\Component\Yaml\Parser::cleanup strips the optional %YAML directive header, leading comments, and document start/end markers before parsing. The origina...

Cross-site Scripting (XSS)

Overview symfony/symfony is a PHP framework for web applications and a set of reusable PHP components. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the CodeExtension::fileExcerpt function in WebProfiler. An attacker can execute arbitrary JavaScript code in the...

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Overview Affected versions of this package are vulnerable to Improper Restriction of Recursive Entity References in DTDs 'XML Entity Expansion' via Recursive Collection-Alias Expansion "Billion Laughs". Symfony\Component\Yaml\Parser resolves YAML aliases anchor during parsing. Aliases that...

EUVD-2026-30266

Plug: Unbounded buffer accumulation in multipart header parsing causes denial of service...

kernel: "Fragnesia" is a variant of Dirty Frag vulnerability in the ESP/XFRM leading to Local Privilege Escalation (LPE) vulnerability in the Linux kernel

A flaw was found in the Linux kernel's XFRM ESP-in-TCP subsystem. Unsafe in-place cryptographic processing allows a low-privileged local attacker to write arbitrary bytes into the page cache of read-only files, including sensitive system files. An attacker can exploit this to overwrite privileged...

kernel: "Fragnesia" is a variant of Dirty Frag vulnerability in the ESP/XFRM leading to Local Privilege Escalation (LPE) vulnerability in the Linux kernel

A flaw was found in the Linux kernel's XFRM ESP-in-TCP subsystem. Unsafe in-place cryptographic processing allows a low-privileged local attacker to write arbitrary bytes into the page cache of read-only files, including sensitive system files. An attacker can exploit this to overwrite privileged...

Luban-2040-v2

🛡️ Luban 2040 v2 Advanced Reconnaissance & Vulnerability...

CVE-2026-45075: HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid]

More info at https://symfony.com/cve-2026-45075...

Astra Linux - уязвимость в qt4-x11, qtbase-opensource-src

A issue was discovered in Qt before version 5.15.15, in versions 6.x before 6.2.10, and in versions 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion...