Friendsofphp - Page 24 of Friendsofphp Most Viewed Vulnerabilities List

Description In symfony/ux-live-component, a component's server-side state is exposed to the browser as a set of props LiveProp-annotated properties. Props marked writable: true can be freely changed by the client. Read-only props are round-tripped to the browser and back, and their integrity is...

5.8AI score

Exploits0Affected Software1

Friends Of PHP•added 2026/05/29 8:0 a.m.•12 views

symfony/ux-live-component Denial of service via unbounded batch action requests

Description Symfony\UX\LiveComponent\Controller\BatchActionController::invoke iterates over the client-supplied actions array and issues a full HttpKernel sub-request for each entry event subscribers, validators, Doctrine, rendering. The array size is never bounded, so an authenticated client can...

5.8AI score

Exploits0Affected Software1

Friends Of PHP•added 2026/05/26 8:0 a.m.•12 views

CVE-2026-46644: symfony/polyfill-intl-idn accepts xn-- labels whose Punycode payload decodes to ASCII-only: insecure equivalence

More info at https://symfony.com/cve-2026-46644...

5.8AI score0.00137EPSS

Exploits0Affected Software1

Friends Of PHP•added 2025/05/19 12:5 p.m.•12 views

symfony/ux-twig-component Unsanitized HTML attribute injection via ComponentAttributes

More info at https://symfony.com/blog/symfony-ux-cve-2025-47946-unsanitized-html-attribute-injection-via-componentattributes...

6.1CVSS7AI score0.00202EPSS

Exploits0Affected Software1

Friends Of PHP•added 2025/05/19 12:5 p.m.•12 views

symfony/ux-live-component Unsanitized HTML attribute injection via ComponentAttributes

More info at https://symfony.com/blog/symfony-ux-cve-2025-47946-unsanitized-html-attribute-injection-via-componentattributes...

6.1CVSS7AI score0.00202EPSS

Exploits0Affected Software1

Friends Of PHP•added 2025/04/10 2:37 a.m.•12 views

CVE-2025-30148 - XSS vulnerability in HTML editor

More info at https://www.silverstripe.org/download/security-releases/cve-2025-30148...

5.4CVSS6.7AI score0.00236EPSS

Exploits0Affected Software1

Friends Of PHP•added 2020/05/20 4:45 p.m.•12 views

EZSA-2020-004 Object Injection in SiteAccessMatchListener

More info at https://ezplatform.com/security-advisories/ezsa-2020-004-object-injection-in-siteaccessmatchlistener...

7.2AI score

Exploits0Affected Software1

Friends Of PHP•added 2020/04/21 12:12 p.m.•12 views

EZSA-2020-003 XSS in DemoBundle/ezdemo bundled VideoJS

More info at https://ezplatform.com/security-advisories/ezsa-2020-003-xss-in-demobundle-ezdemo-bundled-videojs...

7.2AI score

Exploits0Affected Software1

Friends Of PHP•added 2020/01/01 4:15 p.m.•12 views

Disclosure of files via logo_path query parameter

Require version that checks mime type...

3.9AI score

Exploits0Affected Software1

Friends Of PHP•added 2019/12/17 9:50 a.m.•12 views

Cross-Site Scripting in Filelist Module

More info at https://typo3.org/security/advisory/typo3-core-sa-2019-023...

7.2AI score

Exploits0Affected Software1

Friends Of PHP•added 2019/12/17 9:50 a.m.•12 views

Cross-Site Scripting in Filelist Module

More info at https://typo3.org/security/advisory/typo3-core-sa-2019-023...

7.2AI score

Exploits0Affected Software1

Friends Of PHP•added 2019/10/08 12:0 a.m.•12 views

PRODSECBUG-2223: Remote code execution when using functionality that imports a new product