1702 matches found
SS-2016-010: ReadOnly transformation for formfields exploitable
More info at https://www.silverstripe.org/download/security-releases/ss-2016-010/...
Cross-Site Scripting vulnerability in typolinks
More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-018...
SS-2016-005: Brute force bypass on default admin
More info at https://www.silverstripe.org/download/security-releases/ss-2016-005/...
Privilege Escalation in TYPO3 CMS
More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-012/...
TYPO3 is susceptible to Cross-Site Flashing
More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-014/...
Potential Information Disclosure and Insufficient Entropy vulnerability in Zend\Captcha\Word
More info at https://framework.zend.com/security/advisory/ZF2015-09...
SS-2015-027: HtmlEditor embed url sanitisation
More info at https://www.silverstripe.org/download/security-releases/ss-2015-027/...
Filesystem Permissions Issues in Multiple Components
More info at https://framework.zend.com/security/advisory/ZF2015-07...
SS-2015-016: XSS in install.php
More info at https://www.silverstripe.org/software/download/security-releases/ss-2015-016/...
Information Disclosure possibility exploitable by Editors
More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-005/...
SS-2015-013: X-Forwarded-Host request hostname injection
More info at https://www.silverstripe.org/software/download/security-releases/ss-2015-013/...
Denial of Service attack through XML payloads
More info at https://bakery.cakephp.org/2015/05/28/cakephp266and306released.html...
Exploit in the private channel authentication
More info at https://blog.pusher.com/update-on-security/...
XSS injection in backoffice
More info at https://thelia.net/version-2-1-2-with-security-fix...
SS-2015-006: XSS In GridField print
More info at https://www.silverstripe.org/software/download/security-releases/ss-2015-006/...
Arbitrary Shell Execution in Swiftmailer library
More info at https://typo3.org/security/advisory/typo3-core-sa-2014-002...
Risk of mass-assignment vulnerabilities
More info at https://laravel.com/docs/5.1/upgradeupgrade-4.1.29...
Potential XSS vector in multiple view helpers
More info at https://framework.zend.com/security/advisory/ZF2014-03...
Potential security issue in login mechanism of ZendOpenId and Zend_OpenId consumer
More info at https://framework.zend.com/security/advisory/ZF2014-02...
Vulnerability in the filesystem loader
More info at http://blog.twig.sensiolabs.org/post/47461911874/security-release-twig-1-12-3-released...
Potential SQL injection due to execution of platform-specific SQL containing interpolations
More info at https://framework.zend.com/security/advisory/ZF2013-03...
Route Parameter Injection Via Query String in Zend\Mvc
More info at https://framework.zend.com/security/advisory/ZF2013-01...
Request::getClientIp() when the trust proxy mode is enabled
More info at https://symfony.com/blog/security-release-symfony-2-0-19-and-2-1-4...
Potential Proxy Injection Vulnerabilities in Multiple Zend Framework 2 Components
More info at https://framework.zend.com/security/advisory/ZF2012-04...
SQL injection possibility
More info at https://www.doctrine-project.org/blog/dbal-security-2011-1.html...
Potential SQL Injection Vector When Using PDO_MySql
More info at https://framework.zend.com/security/advisory/ZF2011-02...
CVE-2026-47212: Twilio Notifier Webhook Parser Never Verifies the X-Twilio-Signature HMAC: Unauthenticated Webhook Event Injection
More info at https://symfony.com/cve-2026-47212...
Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders
More info at https://symfony.com/blog/cve-2026-46636-sandbox-filter-tag-and-function-allow-list-bypass-when-sandbox-state-changes-between-renders...
Signature validation bypass
More info at https://simplesamlphp.org/security/201710-01...
CVE-2026-45067: Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address
More info at https://symfony.com/cve-2026-45067...
Sandbox `__toString()` policy bypass via dynamic mapping keys
More info at https://symfony.com/blog/cve-2026-48806-sandbox-tostring-policy-bypass-via-dynamic-mapping-keys...
CVE-2026-45756: JsonPath Evaluates Attacker-Controlled Regular Expressions in match()/search() Without Limits: ReDoS
More info at https://symfony.com/cve-2026-45756...
CVE-2026-48760: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense
More info at https://symfony.com/cve-2026-48760...
CVE-2026-45064: HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing
More info at https://symfony.com/cve-2026-45064...
CVE-2026-45133: YAML Parser Stack Exhaustion via Unbounded Recursion in Nested Blocks, Sequences, and Mappings
More info at https://symfony.com/cve-2026-45133...
Drupal core - Moderately critical - Denial of Service - SA-CORE-2019-009
More info at https://www.drupal.org/sa-core-2019-009...
Exploit of encryption failure vulnerability
More info at https://medium.com/@taylorotwell/laravel-security-release-5-6-15-and-5-5-40-56f1257933a0...
Drupal core - Critical - Multiple vulnerabilities - SA-CORE-2019-012
More info at https://www.drupal.org/sa-core-2019-012...
Contextual Links validation - Critical - Remote Code Execution
More info at https://www.drupal.org/sa-core-2018-006...
CVE-2026-45070: Email Header Injection via Non-Token Characters in Mime Parameter Names
More info at https://symfony.com/cve-2026-45070...
symfony/ux-icons XSS via unsanitized SVG content in local files and Iconify on-demand responses
Description The uxicon Twig function is marked issafe='html', so Twig never escapes its output. Icon::toHtml inlines the SVG source verbatim into the page. Browsers execute elements and on event-handler attributes found inside inline SVG, making any unsanitized icon a vector for cross-site...
Dot-only cookie domains match all hosts
Impact CookieJar incorrectly accepts cookies with a dot-only Domain attribute, such as Domain=., Domain=.., Domain=..., and whitespace-padded variants such as Domain= . . In affected versions, SetCookie::matchesDomain removes leading dots from the cookie domain, normalizing dot-only values to the...
CompilerRuntime code injection via unescaped function names
More info at https://github.com/jmespath/jmespath.php/security/advisories/GHSA-pcw8-m77r-2528...
TYPO3-CORE-SA-2026-016: Broken Access Control in File Abstraction Layer
More info at https://typo3.org/security/advisory/typo3-core-sa-2026-016...
TYPO3-CORE-SA-2026-011: Broken Access Control in Recycler
More info at https://typo3.org/security/advisory/typo3-core-sa-2026-011...
TYPO3-CORE-SA-2026-010: Cross-Site Scripting in Indexed Search
More info at https://typo3.org/security/advisory/typo3-core-sa-2026-010...
TYPO3-CORE-SA-2026-006: TYPO3 HTML Sanitizer allows Cross-Site Scripting
More info at https://typo3.org/security/advisory/typo3-core-sa-2026-006...
Chacha20Poly1305 key-encryption algorithm discards the Poly1305 authentication tag, performing no authentication on decryption
Impact The experimental Chacha20Poly1305 key-encryption algorithm generates the 16-byte Poly1305 authentication tag during encryptKey but discards it: the tag is never written to the header and therefore never reaches the wire. On the receiving side, decryptKey calls...
Host confusion via authority reinterpretation
Impact guzzlehttp/psr7 improperly interpreted malformed Host header values when constructing request URIs from inbound request data. This issue concerns inbound request parsing and server request construction. It does not require serializing a PSR-7 request, and it is not part of the normal...
CRLF injection via URI host component
Impact guzzlehttp/psr7 did not reject ASCII control characters, whitespace, or DEL in first-party URI host components. The issue requires a PSR-7 request to be serialized into a raw HTTP/1.x message, for example with GuzzleHttp\Psr7\Message::toString or an equivalent custom serializer. Creating a...