1702 matches found
Potential SQL injection vector using null byte for PDO (MsSql, SQLite)
More info at https://framework.zend.com/security/advisory/ZF2015-08...
Frontend: Unauthenticated Path Disclosure
More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-008/...
SS-2015-011: Potential SQL Injection Vulnerability
More info at https://www.silverstripe.org/software/download/security-releases/ss-2015-011/...
Critical vulnerabilities in JSON Web Token libraries
More info at https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/...
Privilege Escalation in TYPO3 Neos
More info at https://www.neos.io/blog/neos-sa-2015-001.html...
SS-2016-012: Missing ACL on reports
More info at https://www.silverstripe.org/download/security-releases/ss-2016-012/...
SS-2015-007: XSS In FormAction
More info at https://www.silverstripe.org/software/download/security-releases/ss-2015-007/...
SS-2015-003: History XSS Vulnerability
More info at https://www.silverstripe.org/software/download/security-releases/ss-2015-003/...
XSS vulnerability in login redirect param
Security advisory: XSS vulnerability in login redirect param ZfcUser version 1.2.2 has been released and includes a security for this vulnerability. Fix has been applied in @baf0e460 Affected versions All versions below 1.2.2 are affected. dev-master is fixed starting from @2cc167a Exploits Becau...
Possible cache poisining on the homepage when anchors are used
More info at https://typo3.org/security/advisory/typo3-core-sa-2014-003...
SecurityComponent cross form submission issue
More info at https://bakery.cakephp.org/2014/04/29/CakePHP-1-3-18-and-2-4-8-released.html...
Authentication adapter did not verify validity of tokens
Previous to @2ca5bb1c2f11537be8f94ca6867d8d69789e744a release 0.1.2, tokens weren't checked for validity/expiration. This potentially caused a security issue if expired tokens were not deleted after the expiration time was past, allowing anyone to still use invalidated authentication credentials...
Hijacked authentication cookies vulnerability
More info at https://laravel.com/docs/5.3/upgradeupgrade-4.1.26...
Hijacked authentication cookies vulnerability
More info at https://laravel.com/docs/5.1/upgradeupgrade-4.1.26...
Potential XXE/XEE attacks using PHP functions: simplexml_load_*, DOMDocument::loadXML, and xml_parse
More info at https://framework.zend.com/security/advisory/ZF2014-01...
Security fixes related to the way XML is handled
More info at https://symfony.com/blog/security-release-symfony-2-0-17-released...
Security fixes related to the way XML is handled
More info at https://symfony.com/blog/security-release-symfony-2-0-17-released...
Fixed the user refreshing to check the identity by primary key instead of username
Changelog ========= 4.1.0 2026-02-13 Convert XML config files to other formats to fix the deprecation of XML config files in Symfony Add PHP routing files alongside the XML ones. Loading the XML routing files triggers a deprecation in Symfony 7.4. Fix deprecation in the UserChecker Fix the...
XML decoding attack vector through external entities
More info at https://symfony.com/blog/security-release-symfony-2-0-11-released...
Potential Security Issues in Bundled Dojo Library
More info at https://framework.zend.com/security/advisory/ZF2010-06...
Potential XSS vectors due to inconsistent encodings
More info at https://framework.zend.com/security/advisory/ZF2010-01...
PHP Code Injection
phpWhois PHP Code Injection Vulnerability Overview phpWhois and some of its forks in versions before 5.1.0 are prone to a code injection vulnerability due to insufficient sanitization of returned WHOIS data. This allows attackers controlling the WHOIS information of a requested domain to execute...
CVE-2026-45304: YAML Parser Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs")
More info at https://symfony.com/cve-2026-45304...
CVE-2026-45073: SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix
More info at https://symfony.com/cve-2026-45073...
Remote Code Execution via Chosen-Ciphertext Attack
https://github.com/titon/framework/blob/cbf44729173d3a83b91a2b0a217c6b3827512e44/src/Titon/Crypto/OpenSslCipher.hhL30-L39 You aren't authenticating your ciphertexts, and then you're passing the decrypted result to unserialize. See also:...
PHP Code Injection
phpWhois PHP Code Injection Vulnerability Overview phpWhois and some of its forks in versions before 5.1.0 are prone to a code injection vulnerability due to insufficient sanitization of returned WHOIS data. This allows attackers controlling the WHOIS information of a requested domain to execute...
Filter input to avoid XPath injection
Filter input for its use in XPath expressions In order to avoid XPath injection, user input must be filtered before it ends up in the query. Unfortunately, there's no way to do this with a standard method in PHP, so we need our own filtering function. Current best practice recommends using white...
Stored XSS on first/last name during setup
More info at https://www.passbolt.com/incidents/20190807multiplevulnerabilities...
Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2019-010
More info at https://www.drupal.org/sa-core-2019-010...
Drupal core - Moderately critical - Access bypass - SA-CORE-2019-011
More info at https://www.drupal.org/sa-core-2019-011...
Content moderation - Moderately critical - Access bypass
More info at https://www.drupal.org/sa-core-2018-006...
TYPO3-CORE-SA-2026-008: Broken Access Control in Form Framework
More info at https://typo3.org/security/advisory/typo3-core-sa-2026-008...
CVE-2026-45075: HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid]
More info at https://symfony.com/cve-2026-45075...
CVE-2026-45072: Stored XSS in WebProfiler CodeExtension::fileExcerpt(): Unescaped Non-PHP File Rendering
More info at https://symfony.com/cve-2026-45072...
`template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name
More info at https://symfony.com/cve-2026-46634...
XSS in profiler HtmlDumper via unescaped template and profile names
More info at https://symfony.com/cve-2026-47730...
Sandbox property and method bypass via object-destructuring assignment
More info at https://symfony.com/cve-2026-46639...
TYPO3-EXT-SA-2026-011: Path Traversal in extension "Faceted Search" (ke_search)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2026-011...
TYPO3-EXT-SA-2026-008: Remote Code Execution in extension "Site Crawler" (crawler)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2026-008...
Command injection via malicious Perforce source reference/url
Impact The Perforce::syncCodeBase method appended the $sourceReference parameter to a shell command without proper escaping, allowing an attacker to inject arbitrary commands through a crafted source reference containing shell metacharacters. Further as in GHSA-wg36-wvj6-r67p / CVE-2026-40176 the...
Missing check that a point is on the prime subgroup for Edwards25519
More info at https://00f.net/2025/12/30/libsodium-vulnerability...
GraphQL grant on a property might be cached with different objects
Original message: I found an issue with security grants on on properties in the GraphQL ItemNormalizer: If you use something like ApiPropertysecurity: 'isgranted"PROPERTYREAD", object, property' on a member of an entity, the grant gets cached and is only evaluated once, even if the object in...
TYPO3-EXT-SA-2025-003: Multiple vulnerabilities in extension “[clickstorm] SEO” (cs_seo)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2025-003...
SS-2023-001 - XSS vulnerability in underlying TinyMCE library
More info at https://www.silverstripe.org/download/security-releases/SS-2023-001...
Read private customer data reclaiming carts
Klaviyo read customer quotes for guest carts April 28th I've found a endpoint in a thirth party module Klaviyo Magento 2 which allows to read private customer data from stores. It works by reclaiming any guest-cart as your own and reading the private data for the orders in the Magento API. Data -...
$this->validate() returns all properties, not just validated ones
IMPORTANT BUGFIX $this-validate usually only returns the validated dataset, however a regression was introduced, that caused it to return ALL data on the Livewire component. 1659...
EZSA-2020-005 Editor XSS and trashed drafts in review queue
More info at https://ezplatform.com/security-advisories/ezsa-2020-005-editor-xss-and-trashed-drafts-in-review-queue...
EZSA-2020-003 XSS in DemoBundle/ezdemo bundled VideoJS
More info at https://ezplatform.com/security-advisories/ezsa-2020-003-xss-in-demobundle-ezdemo-bundled-videojs...
Cross-Site Scripting in Filelist Module
More info at https://typo3.org/security/advisory/typo3-core-sa-2019-023...
Cross-Site Scripting in Form Framework validation handling
More info at https://typo3.org/security/advisory/typo3-core-sa-2019-021...