Lucene search
K
FriendsofphpRecent

1702 matches found

Friends Of PHP
Friends Of PHP
added 2026/05/25 10:58 p.m.7 views

CRLF injection via URI host component

Impact guzzlehttp/psr7 did not reject ASCII control characters, whitespace, or DEL in first-party URI host components. The issue requires a PSR-7 request to be serialized into a raw HTTP/1.x message, for example with GuzzleHttp\Psr7\Message::toString or an equivalent custom serializer. Creating a...

5.3CVSS5.9AI score0.00189EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/05/20 8:0 a.m.17 views

Arbitrary PHP code execution via `_self.(<string>)` macro-reference compilation

More info at https://symfony.com/cve-2026-46640...

5.8AI score0.00056EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/05/20 8:0 a.m.13 views

CVE-2026-45075: HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid]

More info at https://symfony.com/cve-2026-45075...

5.8AI score0.00052EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/05/20 8:0 a.m.12 views

CVE-2026-45072: Stored XSS in WebProfiler CodeExtension::fileExcerpt(): Unescaped Non-PHP File Rendering

More info at https://symfony.com/cve-2026-45072...

5.8AI score0.00062EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/05/20 8:0 a.m.12 views

CVE-2026-45075: HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid]

More info at https://symfony.com/cve-2026-45075...

5.8AI score0.00052EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/05/20 8:0 a.m.11 views

`template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name

More info at https://symfony.com/cve-2026-46634...

5.8AI score0.00031EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/05/20 8:0 a.m.12 views

Sandbox property and method bypass via object-destructuring assignment

More info at https://symfony.com/cve-2026-46639...

5.8AI score0.00082EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/05/20 8:0 a.m.12 views

XSS in profiler HtmlDumper via unescaped template and profile names

More info at https://symfony.com/cve-2026-47730...

5.8AI score0.00037EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/05/20 8:0 a.m.14 views

CVE-2026-45075: HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid]

More info at https://symfony.com/cve-2026-45075...

5.8AI score0.00052EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/05/19 12:0 p.m.9 views

SQL Injection in extension "News system" (news)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2026-010...

8.2CVSS5.8AI score0.00386EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/05/18 4:40 p.m.19 views

TYPO3-EXT-SA-2026-009: Broken Access Control in extension "Frontend User Registration" (sf_register)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2026-009...

6.9CVSS5.8AI score0.00352EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/05/18 3:13 p.m.11 views

TYPO3-EXT-SA-2026-012: SQL Injection in extension "Address List" (tt_address)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2026-012...

8.2CVSS5.8AI score0.00327EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/05/18 2:30 p.m.12 views

TYPO3-EXT-SA-2026-011: Path Traversal in extension "Faceted Search" (ke_search)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2026-011...

5.9CVSS5.8AI score0.00404EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/05/18 2:30 p.m.15 views

TYPO3-EXT-SA-2026-011: XML External Entity Injection in extension "Faceted Search" (ke_search)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2026-011...

5.9CVSS5.8AI score0.00301EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/05/18 2:30 p.m.11 views

TYPO3-EXT-SA-2026-011: Path Traversal in extension "Faceted Search" (ke_search)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2026-011...

5.9CVSS5.8AI score0.00318EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/05/13 7:0 a.m.12 views

Github Actions issued GITHUB_TOKEN disclosure in GitHub Actions logs

More info at https://github.com/composer/composer/security/advisories/GHSA-f9f8-rm49-7jv2...

5.8AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/05/13 7:0 a.m.31 views

Github Actions issued GITHUB_TOKEN disclosure in GitHub Actions logs

Summary Composer leaks the full contents of tokens configured as GitHub OAuth tokens if they do not match Composer's expected format for such tokens to stderr. GitHub has introduced a new format for GitHub Actions GITHUBTOKEN values. These tokens are validated in the same way by Composer on GitHu...

5.7AI score0.00079EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/05/11 7:18 p.m.12 views

TYPO3-EXT-SA-2026-008: Remote Code Execution in extension "Site Crawler" (crawler)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2026-008...

7.1CVSS5.8AI score0.00389EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/04/27 8:30 p.m.14 views

Remote code execution via evaluation of user-controlled input in validation rules

Impact A remote code execution RCE vulnerability affects versions 0.13.2 through 0.13.21. When documentation endpoints are publicly accessible and validation rules reference user-controlled input, request supplied data may be evaluated during documentation generation, leading to execution of...

6.5AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/04/20 7:0 p.m.18 views

Cross-site scripting (XSS) via script break-out in toScript() output

What's Changed Escape HTML tags in toScript output to prevent script break-out by @freekmurze in https://github.com/spatie/schema-org/pull/242 Values containing passed as schema properties could break out of the generated block and execute injected HTML when the value was attacker-controlled...

5.9AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/04/17 12:52 p.m.11 views

Argument injection via newline in PHP INI values forwarded to child processes

Impact PHPUnit forwards PHP INI settings to child processes used for isolated/PHPT test execution as -d name=value command-line arguments without neutralizing INI metacharacters. Because PHP's INI parser interprets " as a string delimiter, ; as the start of a comment, and most importantly a newli...

7.8CVSS6.6AI score0.00343EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/04/17 12:52 p.m.36 views

Argument injection via newline in PHP INI values forwarded to child processes

Impact PHPUnit forwards PHP INI settings to child processes used for isolated/PHPT test execution as -d name=value command-line arguments without neutralizing INI metacharacters. Because PHP's INI parser interprets " as a string delimiter, ; as the start of a comment, and most importantly a newli...

7.8CVSS6.6AI score0.00343EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/04/16 2:30 a.m.12 views

CVE-2026-24749 - DBFile permission bypass

More info at https://www.silverstripe.org/download/security-releases/cve-2026-24749...

5.3CVSS5.7AI score0.00398EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/04/14 9:42 a.m.20 views

Command injection via malicious Perforce repository definition

Impact The Perforce::generateP4Command method constructed shell commands by interpolating user-supplied Perforce connection parameters port, user, client without proper escaping. An attacker controlling a repository configuration in a malicious composer.json declaring a Perforce VCS repository...

7.8CVSS6.4AI score0.01065EPSS
Exploits4Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/04/14 9:42 a.m.11 views

Command injection via malicious Perforce source reference/url

Impact The Perforce::syncCodeBase method appended the $sourceReference parameter to a shell command without proper escaping, allowing an attacker to inject arbitrary commands through a crafted source reference containing shell metacharacters. Further as in GHSA-wg36-wvj6-r67p / CVE-2026-40176 the...

8.8CVSS6.3AI score0.01688EPSS
Exploits4Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/04/07 10:50 a.m.13 views

TYPO3-EXT-SA-2026-013: Remote Code Execution in extension "Content Element Selector" (ceselector)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2026-013...

9.2CVSS5.8AI score0.02306EPSS
Exploits1Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/02/08 10:45 p.m.18 views

Denial of Service via "MadeYouReset" vulnerability

Versions of amphp/http-server prior to 3.4.4 for the 3.x release branch and prior to 2.1.10 for the 2.x release branch are vulnerable to the HTTP/2 "MadeYouReset" DoS attack described by CVE-2025-8671 and https://kb.cert.org/vuls/id/767506. In versions 3.4.4 and 2.1.10, stream reset protection ha...

7.5CVSS5.4AI score0.04604EPSS
Exploits3Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/01/27 5:21 a.m.10 views

Unsafe Deserialization in PHPT Code Coverage Handling

Overview A vulnerability has been discovered involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the cleanupForCoverage method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious...

7.8CVSS6.7AI score0.00343EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2025/12/30 12:0 a.m.12 views

Missing check that a point is on the prime subgroup for Edwards25519

More info at https://00f.net/2025/12/30/libsodium-vulnerability...

7AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2025/12/17 8:15 p.m.23 views

Key Commitment Issues in S3 Encryption Clients

More info at https://aws.amazon.com/security/security-bulletins/AWS-2025-032/...

6CVSS7AI score0.00176EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2025/05/20 10:0 a.m.25 views

TYPO3-EXT-SA-2025-007: Multiple vulnerabilities in extension "Backup Plus" (ns_backup)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2025-007...

8.6CVSS7.2AI score0.00301EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2025/05/20 8:59 a.m.17 views

TYPO3-EXT-SA-2025-005: Cross-Site Scripting in extension "[clickstorm] SEO" (cs_seo)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2025-005...

6.4CVSS7.2AI score0.00196EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2025/05/20 12:7 a.m.46 views

TYPO3-EXT-SA-2025-008: Multiple vulnerabilities in extension "Front End User Registration" (sr_feuser_register)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2025-008...

10CVSS7.2AI score0.00598EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2025/05/19 12:5 p.m.15 views

symfony/ux-twig-component Unsanitized HTML attribute injection via ComponentAttributes

More info at https://symfony.com/blog/symfony-ux-cve-2025-47946-unsanitized-html-attribute-injection-via-componentattributes...

6.1CVSS7AI score0.00212EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2025/05/19 12:5 p.m.15 views

symfony/ux-live-component Unsanitized HTML attribute injection via ComponentAttributes

More info at https://symfony.com/blog/symfony-ux-cve-2025-47946-unsanitized-html-attribute-injection-via-componentattributes...

6.1CVSS7AI score0.00212EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2025/05/18 9:8 p.m.54 views

TYPO3-EXT-SA-2025-004: Insecure Direct Object Reference in extension "Download manager" (reint_downloadmanager)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2025-004...

8.6CVSS7.2AI score0.00301EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2025/05/16 3:52 p.m.37 views

TYPO3-EXT-SA-2025-006: Insecure Direct Object Reference in extension "femanager" (femanager)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2025-006...

5.3CVSS7.2AI score0.00242EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2025/04/10 2:37 a.m.15 views

CVE-2025-25197 - XSS attack in elemental "Content blocks in use" report

More info at https://www.silverstripe.org/download/security-releases/cve-2025-25197...

5.4CVSS7.2AI score0.00284EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2025/04/10 2:37 a.m.14 views

SS-2025-001 - User enumeration via timing attack

More info at https://www.silverstripe.org/download/security-releases/ss-2025-001...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2025/04/10 2:37 a.m.14 views

CVE-2025-30148 - XSS vulnerability in HTML editor

More info at https://www.silverstripe.org/download/security-releases/cve-2025-30148...

5.4CVSS6.7AI score0.00268EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2025/04/03 3:3 p.m.12 views

GraphQL grant on a property might be cached with different objects

Original message: I found an issue with security grants on on properties in the GraphQL ItemNormalizer: If you use something like ApiPropertysecurity: 'isgranted"PROPERTYREAD", object, property' on a member of an entity, the grant gets cached and is only evaluated once, even if the object in...

7.5CVSS6.8AI score0.00573EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2025/04/03 3:3 p.m.14 views

GraphQL grant on a property might be cached with different objects

Original message: I found an issue with security grants on on properties in the GraphQL ItemNormalizer: If you use something like ApiPropertysecurity: 'isgranted"PROPERTYREAD", object, property' on a member of an entity, the grant gets cached and is only evaluated once, even if the object in...

7.5CVSS6.8AI score0.00573EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2025/04/03 3:2 p.m.11 views

GraphQL query operations security can be bypassed

Summary Using the Relay special node type you can bypass the configured security on an operation. Details Here is an example of how to apply security configurations for the GraphQL operations: php ApiResource security: "isgranted'ROLEUSER'", operations: / ... / , graphQlOperations: new...

7.5CVSS7.2AI score0.00439EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2025/04/03 3:2 p.m.13 views

GraphQL query operations security can be bypassed

Summary Using the Relay special node type you can bypass the configured security on an operation. Details Here is an example of how to apply security configurations for the GraphQL operations: php ApiResource security: "isgranted'ROLEUSER'", operations: / ... / , graphQlOperations: new...

7.5CVSS7.2AI score0.00439EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2025/03/18 9:27 a.m.13 views

TYPO3-EXT-SA-2025-002: Cross-Site Scripting in extension “Additional TCA” (additional_tca)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2025-002...

6.8AI score0.0036EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2025/03/18 8:51 a.m.12 views

TYPO3-EXT-SA-2025-003: Multiple vulnerabilities in extension “[clickstorm] SEO” (cs_seo)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2025-003...

6.8AI score0.00558EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2025/01/29 6:52 a.m.21 views

Missing output escaping for the null coalesce operator

More info at https://symfony.com/blog/twig-cve-2025-24374-missing-output-escaping-for-the-null-coalesce-operator...

4.3CVSS4.6AI score0.00282EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2025/01/27 6:56 p.m.16 views

TYPO3-EXT-SA-2025-001: Account Takeover in extension "OpenID Connect Authentication" (oidc)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2025-001...

4.2CVSS7.2AI score0.00168EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2025/01/14 9:24 p.m.15 views

CVE-2024-53277 - XSS in form messages

More info at https://www.silverstripe.org/download/security-releases/cve-2024-53277...

5.4CVSS6.8AI score0.00305EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2025/01/14 9:24 p.m.16 views

CVE-2024-47605 - XSS via insert media remote file oembed

More info at https://www.silverstripe.org/download/security-releases/cve-2024-47605...

5.4CVSS6.8AI score0.01108EPSS
Exploits2Affected Software1
Total number of security vulnerabilities1702