CVE-2026-45753: HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite: javascript: URI Survives Sanitization (XSS)
More info at https://symfony.com/cve-2026-45753...
CVE-2026-48761: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes on <object>, <applet>, <iframe>, <img> and the URL Inside <meta http-equiv="refresh"> content
More info at https://symfony.com/cve-2026-48761...
Sandbox does not protect against resource exhaustion
More info at https://symfony.com/cve-2026-46627...
CVE-2026-45070: Email Header Injection via Non-Token Characters in Mime Parameter Names
More info at https://symfony.com/cve-2026-45070...
CVE-2026-48760: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense
More info at https://symfony.com/cve-2026-48760...
Anonymous Open Redirect - Moderately Critical - Open Redirect
More info at https://www.drupal.org/sa-core-2018-006...
HTML-output filters in twig/* extras incorrectly declared `is_safe => ['all']`
More info at https://symfony.com/cve-2026-46637...
Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders
More info at https://symfony.com/blog/cve-2026-46636-sandbox-filter-tag-and-function-allow-list-bypass-when-sandbox-state-changes-between-renders...
CVE-2026-48736: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient
More info at https://symfony.com/cve-2026-48736...
CVE-2026-48784: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../` or `./` → Generated URL Collapses Off-Route Under RFC 3986 Normalization
More info at https://symfony.com/cve-2026-48784...
Possible sandbox bypass when using a source policy
More info at https://symfony.com/cve-2026-24425...
JWSVerifier uses algorithm from unprotected header, enabling algorithm confusion attacks
Summary: JWSVerifier::getAlgorithm in src/Library/Signature/JWSVerifier.php line 144 merges protected and unprotected headers using PHP's spread operator: `$completeHeader = [...$signature->getProtectedHeader(), ...$signature->getHeader()];`. In PHP, when spreading arrays with duplicate string keys, the...
RSA1_5 (RSAES-PKCS1-v1_5) decryption lacks implicit rejection, exposing a Bleichenbacher/Marvin padding oracle
Impact: RSACrypt::decryptWithRSA15, used by the RSA15 key-encryption algorithm, implements RSAES-PKCS1-v1_5 decryption by inspecting the padding after RSADP and throwing InvalidArgumentException as soon as the padding is malformed. It does not implement the implicit-rejection countermeasure required ...
Stored Cross-Site Scripting (XSS) via uploaded files served inline in FileField and ImageField
More info at https://github.com/EasyCorp/EasyAdminBundle/security/advisories/GHSA-8559-gwj3-q37r...
Mass-assignment in Factory::loadFromProvisioningUri lets a hostile provisioning URI corrupt OTP state or leak an uncaught TypeError
Summary: OTPHP\Factory::loadFromProvisioningUri parses an attacker-supplied otpauth:// URI and forwards every query key to `OTP::setParameter($key, $value)`. setParameter resolves the name with `property_exists($this, $parameter)` and performs a dynamic write `$this->$parameter = $value` (src/OTP.php:196-197)...
Unbounded digits parameter in a provisioning URI triggers an uncaught DivisionByZeroError in OTP generation
Summary: The digits parameter parsed from a provisioning URI is validated only with a lower bound (`$value > 0`) and has no upper bound (src/OTP.php:353-357). OTP generation computes `$code % 10 ** $this->getDigits()` (src/OTP.php:283). When digits is large enough that `10 ** digits` overflows PHP's integer range and th...
Null reset codes were allowed
More info at https://haxx.ml/post/149975211631/how-i-hacked-your-cfp-and-probably-some-other...
CVE-2026-45756: JsonPath Evaluates Attacker-Controlled Regular Expressions in match()/search() Without Limits: ReDoS
More info at https://symfony.com/cve-2026-45756...
CVE-2026-45069: OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims
More info at https://symfony.com/cve-2026-45069...
CVE-2026-45071: XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true
More info at https://symfony.com/cve-2026-45071...
CVE-2026-47212: Twilio Notifier Webhook Parser Never Verifies the X-Twilio-Signature HMAC: Unauthenticated Webhook Event Injection
More info at https://symfony.com/cve-2026-47212...
CVE-2026-45068: Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address
More info at https://symfony.com/cve-2026-45068...
CVE-2026-45755: Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC: Unauthenticated Webhook Event Injection
More info at https://symfony.com/cve-2026-45755...
CVE-2026-45304: YAML Parser Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs")
More info at https://symfony.com/cve-2026-45304...
CVE-2026-45063: Identity Spoofing via Unanchored DN Regex in X509Authenticator
More info at https://symfony.com/cve-2026-45063...
PHP code injection via `{% use %}` template name
More info at https://symfony.com/cve-2026-46633...
CVE-2026-48489: Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET Routes
More info at https://symfony.com/cve-2026-48489...
CVE-2026-45074: Cas2Handler Derives CAS service URL from Client Host Header → Cross-Service Ticket Replay
More info at https://symfony.com/cve-2026-45074...
PhpSpreadsheet vulnerable to SSRF when reading and displaying a processed HTML document in the browser
Product: PhpSpreadsheet. Version: 3.8.0. CWE-ID: CWE-918: Server-Side Request Forgery (SSRF). CVSS vector v3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). CVSS vector v4.0: 8.7 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N). Description: SSRF occurs when a processed HTML document is read and...
Sandbox property allowlist bypass via the `column` filter (array_column on objects)
More info at https://symfony.com/cve-2026-46635...
Chacha20Poly1305 key-encryption algorithm discards the Poly1305 authentication tag, performing no authentication on decryption
Impact: The experimental Chacha20Poly1305 key-encryption algorithm generates the 16-byte Poly1305 authentication tag during encryptKey but discards it: the tag is never written to the header and therefore never reaches the wire. On the receiving side, decryptKey calls...
PBES2-HS*+A*KW unwrap accepts an unbounded p2c iteration count, enabling CPU-amplification denial of service
Impact: When a JWE uses a password-based key-encryption algorithm (PBES2-HS256+A128KW, PBES2-HS384+A192KW, PBES2-HS512+A256KW), PBES2AESKW::unwrapKey reads the p2c (PBKDF2 iteration count) parameter directly from the attacker-controlled JOSE header and passes it to hash_pbkdf2 with no upper bound. The...
CVE-2026-45133: YAML Parser Stack Exhaustion via Unbounded Recursion in Nested Blocks, Sequences, and Mappings
More info at https://symfony.com/cve-2026-45133...
CVE-2026-45072: Stored XSS in WebProfiler CodeExtension::fileExcerpt(): Unescaped Non-PHP File Rendering
More info at https://symfony.com/cve-2026-45072...
CVE-2026-45073: SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix
More info at https://symfony.com/cve-2026-45073...
The `spaceless` filter implicitly marks its output as safe
More info at https://symfony.com/cve-2026-46628...
CVE-2026-45754: Mailjet Mailer and LOX24 Notifier Webhook Parsers Never Verify the Configured Secret: Unauthenticated Webhook Event Injection
More info at https://symfony.com/cve-2026-45754...
Unbounded formatter memoisation in twig/intl-extra keyed on template-controlled arguments
More info at https://symfony.com/cve-2026-46629...