Friendsofphp - Page 32 of Friendsofphp Most Viewed Vulnerabilities List

Friends Of PHP•added 2026/05/18 2:30 p.m.•7 views

TYPO3-EXT-SA-2026-011: Path Traversal in extension "Faceted Search" (ke_search)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2026-011...

5.9CVSS5.8AI score0.00318EPSS

Friends Of PHP•added 2026/04/17 12:52 p.m.•7 views

Argument injection via newline in PHP INI values forwarded to child processes

Impact PHPUnit forwards PHP INI settings to child processes used for isolated/PHPT test execution as -d name=value command-line arguments without neutralizing INI metacharacters. Because PHP's INI parser interprets " as a string delimiter, ; as the start of a comment, and most importantly a newli...

7.8CVSS6.6AI score0.00343EPSS

Friends Of PHP•added 2026/01/27 5:21 a.m.•7 views

Unsafe Deserialization in PHPT Code Coverage Handling

Overview A vulnerability has been discovered involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the cleanupForCoverage method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious...

7.8CVSS6.7AI score0.00343EPSS

Friends Of PHP•added 2020/12/01 1:36 p.m.•7 views

IBEXA-SA-2020-007 Failing access control in system info view

More info at https://developers.ibexa.co/security-advisories/ibexa-sa-2020-007-failing-access-control-in-system-info-view...

Friends Of PHP•added 2020/03/03 10:14 p.m.•7 views

Fixes redirect uri validation in oauth

More info at https://github.com/FriendsOfSymfony/oauth2-php/releases/tag/1.3.0...

Friends Of PHP•added 2020/02/20 3:55 p.m.•7 views

EZSA-2020-001 Remote code execution in file uploads

More info at https://ezplatform.com/security-advisories/ezsa-2020-001-remote-code-execution-in-file-uploads...

Friends Of PHP•added 2019/05/23 12:0 a.m.•7 views

EZSA-2019-003 XSS in eZFind spellcheck

More info at https://share.ez.no/community-project/security-advisories/ezsa-2019-003-xss-in-ezfind-spellcheck...

Friends Of PHP•added 2019/02/12 12:0 p.m.•7 views

E-mail HTML injection

More info at https://www.passbolt.com/incidents/20190211multiplevulnerabilities...

Friends Of PHP•added 2018/12/11 9:55 a.m.•7 views

Security Misconfiguration in Install Tool Cookie

More info at https://typo3.org/security/advisory/typo3-core-sa-2018-009...

Friends Of PHP•added 2018/12/11 9:55 a.m.•7 views

Cross-Site Scripting in Backend Modal Component

More info at https://typo3.org/security/advisory/typo3-core-sa-2018-007...

Friends Of PHP•added 2018/11/20 3:30 p.m.•7 views

EZSA-2018-007 User data disclosure

More info at http://share.ez.no/community-project/security-advisories/ezsa-2018-007-user-data-disclosure...

Friends Of PHP•added 2018/10/19 2:12 p.m.•7 views

EZSA-2018-008 REST API returns list of all SiteAccesses

More info at http://share.ez.no/community-project/security-advisories/ezsa-2018-008-rest-api-returns-list-of-all-siteaccesses...

Friends Of PHP•added 2018/07/16 5:29 p.m.•7 views

SS-2018-017: Possible PHP Object Injection via Multi-Value Field Extension

More info at https://www.silverstripe.org/download/security-releases/ss-2018-017/...

Friends Of PHP•added 2018/06/11 3:28 p.m.•7 views

URL Rewrite vulnerability

More info at https://framework.zend.com/security/advisory/ZF2018-01...

Friends Of PHP•added 2017/08/21 1:16 p.m.•7 views

EZSA-2017-006 Information disclosure in backend content tree menu

More info at http://share.ez.no/community-project/security-advisories/ezsa-2017-006-information-disclosure-in-backend-content-tree-menu...

Friends Of PHP•added 2017/05/30 9:58 p.m.•7 views

SS-2017-003: XSS in RedirectorPage

More info at https://www.silverstripe.org/download/security-releases/ss-2017-003/...

Friends Of PHP•added 2017/02/07 12:0 a.m.•7 views

SUPEE-9652 - Remote Code Execution using mail vulnerability

More info at https://magento.com/security/patches/supee-9652...

Friends Of PHP•added 2016/12/19 3:29 p.m.•7 views

Potential remote code execution in zend-mail via Sendmail adapter

More info at https://framework.zend.com/security/advisory/ZF2016-04...

Friends Of PHP•added 2016/11/18 12:17 p.m.•7 views

SS-2016-010: ReadOnly transformation for formfields exploitable

More info at https://www.silverstripe.org/download/security-releases/ss-2016-010/...

Friends Of PHP•added 2016/07/19 1:3 p.m.•7 views

Cross-Site Scripting in TYPO3 Backend

More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-014/...

Friends Of PHP•added 2016/05/24 9:55 a.m.•7 views

Missing Access Check in TYPO3 CMS

More info at https://typo3.org/teamssecuritysecurity-bulletins/security-bulletins-single-view/article/missing-access-check-in-typo3-cms/...

Friends Of PHP•added 2016/05/11 11:9 a.m.•7 views

SS-2016-006: Missing CSRF protection in login form

More info at https://www.silverstripe.org/download/security-releases/ss-2016-006/...

Friends Of PHP•added 2016/02/18 11:5 a.m.•7 views

SS-2016-003: Hostname, IP and Protocol Spoofing through HTTP Headers

More info at https://www.silverstripe.org/download/security-releases/ss-2016-003/...

Friends Of PHP•added 2015/11/23 9:3 p.m.•7 views

XSS vulnerabilities in Neos

More info at https://www.neos.io/blog/neos-sa-2015-002.html...

Friends Of PHP•added 2015/11/11 2:31 p.m.•7 views

SS-2015-026: Form field validation message XSS vulnerability

More info at https://www.silverstripe.org/download/security-releases/ss-2015-026/...

Friends Of PHP•added 2015/03/20 7:29 p.m.•7 views

SS-2016-011: ChangePasswordForm does not check Member::canLogIn()

More info at https://www.silverstripe.org/download/security-releases/ss-2016-011/...

Friends Of PHP•added 2015/03/20 7:29 p.m.•7 views

SS-2016-013: Member.Name is not escaped

More info at https://www.silverstripe.org/download/security-releases/ss-2016-013/...

Friends Of PHP•added 2015/03/20 3:7 p.m.•7 views

SS-2015-010: XSS in Director::force_redirect()

More info at https://www.silverstripe.org/software/download/security-releases/ss-2015-010-xss-in-directorforce-redirect/...

Friends Of PHP•added 2015/02/12 3:55 p.m.•7 views

SS-2015-006: XSS In GridField print

More info at https://www.silverstripe.org/software/download/security-releases/ss-2015-006/...

Friends Of PHP•added 2014/08/12 11:50 a.m.•7 views

SS-2014-017: XML Quadratic Blowup Attack

More info at https://www.silverstripe.org/software/download/security-releases/ss-2014-017-xml-quadratic-blowup-attack/...

Friends Of PHP•added 2013/10/31 10:35 a.m.•7 views

Potential Remote Address Spoofing Vector in Zend\Http\PhpEnvironment\RemoteAddress

More info at https://framework.zend.com/security/advisory/ZF2013-04...

Friends Of PHP•added 2012/07/10 5:28 p.m.•7 views

Fixes a security issue where the session could be hijacked

Changelog ========= 4.1.0 2026-02-13 Convert XML config files to other formats to fix the deprecation of XML config files in Symfony Add PHP routing files alongside the XML ones. Loading the XML routing files triggers a deprecation in Symfony 7.4. Fix deprecation in the UserChecker Fix the...

Friends Of PHP•added 2010/01/08 5:31 p.m.•7 views

Potential XSS vector in Zend_Dojo_View_Helper_Editor

More info at https://framework.zend.com/security/advisory/ZF2010-02...

Reflected Cross-Site-Scripting

More info at https://simplesamlphp.org/security/201907-01...

Laravel CRLF injection in default email rule

Summary A CRLF injection vulnerability in Laravel's email validation, in combination with how Symfony Mailer and Symfony Mime handle certain character sequences, may allow an unauthenticated attacker to interfere with outbound email processing in applications that send mail to user-supplied...

5.2AI score0.00048EPSS

CVE-2026-45305: YAML Parser ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex

More info at https://symfony.com/cve-2026-45305...

5.8AI score0.00076EPSS

CVE-2026-45305: YAML Parser ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex

More info at https://symfony.com/cve-2026-45305...

5.8AI score0.00076EPSS

CVE-2026-45064: HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing

More info at https://symfony.com/cve-2026-45064...

5.8AI score0.00069EPSS

Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`

More info at https://symfony.com/blog/cve-2026-48808-sandbox-property-allowlist-bypass-via-the-column-filter-under-sourcepolicyinterface...

Sandbox `__toString()` policy bypass via dynamic mapping keys

More info at https://symfony.com/blog/cve-2026-48806-sandbox-tostring-policy-bypass-via-dynamic-mapping-keys...

Sandbox `__toString()` policy bypass via `Traversable` in `join`/`replace` and `in`/`not in` operators

More info at https://symfony.com/blog/cve-2026-48807-sandbox-tostring-policy-bypass-via-traversable-in-join-replace-and-in-not-in-operators...

CVE-2026-45066: HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and <area> Misclassification

More info at https://symfony.com/cve-2026-45066...

5.8AI score0.00048EPSS

Friends Of PHP•added 6 days ago•6 views

Silent HTTPS proxy downgrade to cleartext

Impact The built-in cURL handlers GuzzleHttp\Handler\CurlHandler and GuzzleHttp\Handler\CurlMultiHandler, used by default whenever the PHP cURL extension is available accept an https:// proxy — a proxy reached over a TLS-encrypted connection — through the proxy request option, client-level proxy...

5.9CVSS5.9AI score

Friends Of PHP•added 6 days ago•6 views

CRLF injection in HTTP start-line serialization

Impact guzzlehttp/psr7 did not reject CR/LF characters in certain first-party HTTP start-line fields: the request method, protocol version, and response reason phrase. If an application placed attacker-controlled data into one of those fields and later serialized the PSR-7 message as raw HTTP/1.x...

4.8CVSS5.8AI score

Friends Of PHP•added 2026/06/09 9:2 a.m.•6 views

TYPO3-CORE-SA-2026-017: Privilege Escalation & SQL Injection in Form Framework

More info at https://typo3.org/security/advisory/typo3-core-sa-2026-017...

8.7CVSS5.4AI score0.00244EPSS

Friends Of PHP•added 2026/06/09 9:1 a.m.•6 views

TYPO3-CORE-SA-2026-016: Broken Access Control in File Abstraction Layer

More info at https://typo3.org/security/advisory/typo3-core-sa-2026-016...

2.1CVSS5.4AI score0.00356EPSS