1697 matches found
CVE-2026-48736: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient
More info at https://symfony.com/cve-2026-48736...
CVE-2026-45755: Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC: Unauthenticated Webhook Event Injection
More info at https://symfony.com/cve-2026-45755...
CVE-2026-45077: Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener
More info at https://symfony.com/cve-2026-45077...
CVE-2019-10912: Prevent destructors with side-effects from being unserialized
More info at https://symfony.com/cve-2019-10912...
CVE-2019-10910: Check service IDs are valid
More info at https://symfony.com/cve-2019-10910...
CVE-2024-51736: Command execution hijack on Windows with Process class
More info at https://symfony.com/cve-2024-51736...
CVE-2026-45073: SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix
More info at https://symfony.com/cve-2026-45073...
CVE-2020-5220: Ability to define unintended serialisation groups via HTTP header which might lead to data exposure
Impact ResourceBundle accepts and uses any serialisation groups to be passed via a HTTP header. This might lead to data exposure by using an unintended serialisation group - for example it could make Shop API use a more permissive group from Admin API. Anyone exposing an API with ResourceBundle's...
CVE-2026-45071: XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true
More info at https://symfony.com/cve-2026-45071...
CVE-2024-50342: Internal address and port enumeration allowed by NoPrivateNetworkHttpClient
More info at https://symfony.com/cve-2024-50342...
CVE-2019-10909: Escape validation messages in the PHP templating engine
More info at https://symfony.com/cve-2019-10909...
CVE-2018-14773: Remove support for legacy and risky HTTP headers
More info at https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers...
CVE-2019-10913: Reject invalid HTTP method overrides
More info at https://symfony.com/cve-2019-10913...
CVE-2026-45754: Mailjet Mailer and LOX24 Notifier Webhook Parsers Never Verify the Configured Secret: Unauthenticated Webhook Event Injection
More info at https://symfony.com/cve-2026-45754...
CVE-2026-45068: Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address
More info at https://symfony.com/cve-2026-45068...
CVE-2019-18888: Prevent argument injection in a MimeTypeGuesser
More info at https://symfony.com/cve-2019-18888...
CVE-2026-45756: JsonPath Evaluates Attacker-Controlled Regular Expressions in match()/search() Without Limits: ReDoS
More info at https://symfony.com/cve-2026-45756...
CVE-2026-45754: Mailjet Mailer and LOX24 Notifier Webhook Parsers Never Verify the Configured Secret: Unauthenticated Webhook Event Injection
More info at https://symfony.com/cve-2026-45754...
CVE-2024-50345: Open redirect via browser-sanitized URLs
More info at https://symfony.com/cve-2024-50345...
CVE-2025-64500: Incorrect parsing of PATH_INFO can lead to limited authorization bypass
More info at https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass...
PHP Code Injection
phpWhois PHP Code Injection Vulnerability Overview phpWhois and some of its forks in versions before 5.1.0 are prone to a code injection vulnerability due to insufficient sanitization of returned WHOIS data. This allows attackers controlling the WHOIS information of a requested domain to execute...
PHP Code Injection
phpWhois PHP Code Injection Vulnerability Overview phpWhois and some of its forks in versions before 5.1.0 are prone to a code injection vulnerability due to insufficient sanitization of returned WHOIS data. This allows attackers controlling the WHOIS information of a requested domain to execute...
Information disclosure in the back end
More info at https://contao.org/en/security-advisories/information-disclosure-in-the-back-end.html...
Existing sessions are not correctly invalidated when a user changes their password
More info at https://contao.org/en/news/security-vulnerability-cve-2019-10641.html...
SQL injection vulnerabililty in the file manager search filter
More info at https://contao.org/en/news/security-vulnerability-cve-2019-11512.html...
Denial of Service via HTTP/2 CONTINUATION Frames
amphp/http will collect HTTP/2 CONTINUATION frames in an unbounded buffer and will not check the header size limit until it has received the ENDHEADERS flag, resulting in an OOM crash. amphp/http-client and amphp/http-server are indirectly affected if they're used with an unpatched version of...
Denial of Service via HTTP/2 CONTINUATION Frames
Early versions of amphp/http-client with HTTP/2 support v4.0.0-rc10 to 4.0.0 will collect HTTP/2 CONTINUATION frames in an unbounded buffer and will not check the header size limit until it has received the ENDHEADERS flag, resulting in an OOM crash. Later versions of amphp/http-client v4.1.0-rc1...
PHP file inclusion via insert tags
More info at https://contao.org/en/security-advisories/php-file-inclusion-via-insert-tags.html...
Privilege escalation with the form generator
More info at https://contao.org/en/security-advisories/privilege-escalation-with-the-form-generator.html...
Cross-site scripting (XSS) vulnerability in the system log
More info at https://contao.org/en/security-advisories/cross-site-scripting-in-the-system-log-2021.html...
Insert tag injection in front end forms
More info at https://contao.org/en/security-advisories/insert-tag-injection-in-forms.html...
Existing sessions are not correctly invalidated when a user changes their password
More info at https://contao.org/en/news/security-vulnerability-cve-2019-10641.html...
Unrestricted file uploads
More info at https://contao.org/en/security-advisories/unrestricted-file-uploads.html...
Cross site scripting via HTML attributes in the back end
More info at https://contao.org/en/security-advisories/cross-site-scripting-via-html-attributes-in-the-back-end.html...
External URL injection through URL aliases - Moderately Critical - Open Redirect
More info at https://www.drupal.org/sa-core-2018-006...
Content moderation - Moderately critical - Access bypass
More info at https://www.drupal.org/sa-core-2018-006...
Injection in DefaultMailSystem::mail() - Critical - Remote Code Execution
More info at https://www.drupal.org/sa-core-2018-006...
Contextual Links validation - Critical - Remote Code Execution
More info at https://www.drupal.org/sa-core-2018-006...
Drupal core - Moderately critical - Denial of Service - SA-CORE-2019-009
More info at https://www.drupal.org/sa-core-2019-009...
Drupal core - Moderately critical - Denial of Service - SA-CORE-2019-009
More info at https://www.drupal.org/sa-core-2019-009...
Insert tag injection in front end forms
More info at https://contao.org/en/security-advisories/insert-tag-injection-in-forms.html...
Drupal core - Moderately critical - Access bypass - SA-CORE-2019-011
More info at https://www.drupal.org/sa-core-2019-011...
SQL injection vulnerabililty in the file manager search filter
More info at https://contao.org/en/news/security-vulnerability-cve-2019-11512.html...
Information disclosure in the back end
More info at https://contao.org/en/security-advisories/information-disclosure-in-the-back-end.html...
Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2019-010
More info at https://www.drupal.org/sa-core-2019-010...
Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2019-010
More info at https://www.drupal.org/sa-core-2019-010...
Anonymous Open Redirect - Moderately Critical - Open Redirect
More info at https://www.drupal.org/sa-core-2018-006...
Content moderation - Moderately critical - Access bypass
More info at https://www.drupal.org/sa-core-2018-006...
External URL injection through URL aliases - Moderately Critical - Open Redirect
More info at https://www.drupal.org/sa-core-2018-006...
Injection in DefaultMailSystem::mail() - Critical - Remote Code Execution
More info at https://www.drupal.org/sa-core-2018-006...