
1697 matches found

Friends Of PHP

CVE-2018-14773: Remove support for legacy and risky HTTP headers

More info at https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers...

CVSS 6.5 | AI score 7.2 | EPSS 0.58061
Exploits: 0 | Affected software: 1
Friends Of PHP

CVE-2019-10909: Escape validation messages in the PHP templating engine

More info at https://symfony.com/cve-2019-10909...

CVSS 5.4 | AI score 7.2 | EPSS 0.01048
Exploits: 0 | Affected software: 1
Friends Of PHP

CVE-2019-10911: Add a separator in the remember me cookie hash

More info at https://symfony.com/cve-2019-10911...

CVSS 7.5 | AI score 7.2 | EPSS 0.01243
Exploits: 0 | Affected software: 1
Friends Of PHP

CVE-2019-10910: Check service IDs are valid

More info at https://symfony.com/cve-2019-10910...

CVSS 9.8 | AI score 7.2 | EPSS 0.05491
Exploits: 1 | Affected software: 1
Friends Of PHP

CVE-2026-45753: HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite: javascript: URI Survives Sanitization (XSS)

More info at https://symfony.com/cve-2026-45753...

AI score 5.8 | EPSS 0.00082
Exploits: 0 | Affected software: 1
Friends Of PHP

CVE-2026-48761: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes on <object>, <applet>, <iframe>, <img> and the URL Inside <meta http-equiv="refresh"> content

More info at https://symfony.com/cve-2026-48761...

AI score 5.8 | EPSS 0.00051
Exploits: 0 | Affected software: 1
Friends Of PHP

CVE-2019-18887: Use constant time comparison in UriSigner

More info at https://symfony.com/cve-2019-18887...

CVSS 8.1 | AI score 7.2 | EPSS 0.01338
Exploits: 0 | Affected software: 1
Friends Of PHP

Unguarded calls to __toString() when nesting an object into an array

More info at https://symfony.com/blog/cve-2024-51754-unguarded-calls-to-tostring-in-a-sandbox-when-an-object-is-in-an-array-or-an-argument-list...

CVSS 2.2 | AI score 5.9 | EPSS 0.0044
Exploits: 0 | Affected software: 1
Friends Of PHP

Sandbox does not protect against resource exhaustion

More info at https://symfony.com/cve-2026-46627...

AI score 5.8
Exploits: 0 | Affected software: 1
Friends Of PHP

Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`

More info at https://symfony.com/blog/cve-2026-48805-sandbox-state-regression-in-deprecated-internal-wrappers-in-src-resources-core-php...

AI score 5.8
Exploits: 0 | Affected software: 1
Friends Of PHP

Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`

More info at https://symfony.com/blog/cve-2026-48808-sandbox-property-allowlist-bypass-via-the-column-filter-under-sourcepolicyinterface...

AI score 5.8
Exploits: 0 | Affected software: 1
Friends Of PHP

Sandbox `__toString()` policy bypass via dynamic mapping keys

More info at https://symfony.com/blog/cve-2026-48806-sandbox-tostring-policy-bypass-via-dynamic-mapping-keys...

AI score 5.8
Exploits: 0 | Affected software: 1
Friends Of PHP

CVE-2026-45070: Email Header Injection via Non-Token Characters in Mime Parameter Names

More info at https://symfony.com/cve-2026-45070...

AI score 5.8 | EPSS 0.00056
Exploits: 0 | Affected software: 1
Friends Of PHP

Sandbox `__toString()` policy bypass via `Traversable` in `join`/`replace` and `in`/`not in` operators

More info at https://symfony.com/blog/cve-2026-48807-sandbox-tostring-policy-bypass-via-traversable-in-join-replace-and-in-not-in-operators...

AI score 5.8
Exploits: 0 | Affected software: 1
Friends Of PHP

Unguarded calls to __isset() and to array-accesses when the sandbox is enabled

More info at https://symfony.com/blog/cve-2024-51755-unguarded-calls-to-isset-and-to-array-accesses-in-a-sandbox...

CVSS 2.2 | AI score 5.9 | EPSS 0.00414
Exploits: 0 | Affected software: 1
Friends Of PHP

CVE-2019-18888: Prevent argument injection in a MimeTypeGuesser

More info at https://symfony.com/cve-2019-18888...

CVSS 7.5 | AI score 7.2 | EPSS 0.02248
Exploits: 0 | Affected software: 1
Friends Of PHP

CVE-2026-48760: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense

More info at https://symfony.com/cve-2026-48760...

AI score 5.8 | EPSS 0.00025
Exploits: 0 | Affected software: 1
Friends Of PHP

CVE-2026-45067: Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address

More info at https://symfony.com/cve-2026-45067...

AI score 5.8 | EPSS 0.00062
Exploits: 0 | Affected software: 1
Friends Of PHP

The `spaceless` filter implicitly marks its output as safe

More info at https://symfony.com/cve-2026-46628...

AI score 5.8 | EPSS 0.00056
Exploits: 0 | Affected software: 1
Friends Of PHP

CVE-2019-10913: Reject invalid HTTP method overrides

More info at https://symfony.com/cve-2019-10913...

CVSS 9.8 | AI score 7.2 | EPSS 0.01854
Exploits: 0 | Affected software: 1
Friends Of PHP

CVE-2026-45756: JsonPath Evaluates Attacker-Controlled Regular Expressions in match()/search() Without Limits: ReDoS

More info at https://symfony.com/cve-2026-45756...

AI score 5.8 | EPSS 0.00082
Exploits: 0 | Affected software: 1
Friends Of PHP

PHP code injection via `{% use %}` template name

More info at https://symfony.com/cve-2026-46633...

AI score 5.8 | EPSS 0.00357
Exploits: 0 | Affected software: 1
Friends Of PHP

CVE-2023-46733: Potential XSS in WebhookController

More info at https://symfony.com/cve-2023-46733...

CVSS 6.5 | AI score 7.2 | EPSS 0.00689
Exploits: 0 | Affected software: 1
Friends Of PHP

CVE-2023-46734: Potential XSS vulnerabilities in CodeExtension filters

More info at https://symfony.com/cve-2023-46734...

CVSS 6.1 | AI score 7.2 | EPSS 0.00682
Exploits: 0 | Affected software: 1
Friends Of PHP

CVE-2023-46733: Possible session fixation

More info at https://symfony.com/cve-2023-46733...

CVSS 6.5 | AI score 7.2 | EPSS 0.00689
Exploits: 0 | Affected software: 1
Friends Of PHP

CVE-2026-48489: Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET Routes

More info at https://symfony.com/cve-2026-48489...

AI score 5.8 | EPSS 0.00058
Exploits: 0 | Affected software: 1
Friends Of PHP

CVE-2026-45074: Cas2Handler Derives CAS service URL from Client Host Header → Cross-Service Ticket Replay

More info at https://symfony.com/cve-2026-45074...

AI score 5.8 | EPSS 0.00064
Exploits: 0 | Affected software: 1
Friends Of PHP

CVE-2019-18886: Prevent user enumeration using switch user functionality

More info at https://symfony.com/cve-2019-18886...

CVSS 5.3 | AI score 7.2 | EPSS 0.01552
Exploits: 0 | Affected software: 1
Friends Of PHP

CVE-2019-10911: Add a separator in the remember me cookie hash

More info at https://symfony.com/cve-2019-10911...

CVSS 7.5 | AI score 7.2 | EPSS 0.01243
Exploits: 0 | Affected software: 1
Friends Of PHP

CVE-2026-45063: Identity Spoofing via Unanchored DN Regex in X509Authenticator

More info at https://symfony.com/cve-2026-45063...

AI score 5.8 | EPSS 0.00069
Exploits: 0 | Affected software: 1
Friends Of PHP

CVE-2026-45069: OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims

More info at https://symfony.com/cve-2026-45069...

AI score 5.8 | EPSS 0.0005
Exploits: 0 | Affected software: 1
Friends Of PHP

CVE-2024-51736: Command execution hijack on Windows with Process class

More info at https://symfony.com/cve-2024-51736...

CVSS 9.8 | AI score 6.6 | EPSS 0.0043
Exploits: 0 | Affected software: 1
Friends Of PHP

CVE-2024-50340: Ability to change environment from query

More info at https://symfony.com/cve-2024-50340...

CVSS 7.3 | AI score 6.6 | EPSS 0.63422
Exploits: 0 | Affected software: 1
Friends Of PHP

CVE-2019-10911: Add a separator in the remember me cookie hash

More info at https://symfony.com/cve-2019-10911...

CVSS 7.5 | AI score 7.2 | EPSS 0.01243
Exploits: 0 | Affected software: 1
Friends Of PHP

CVE-2019-18886: Prevent user enumeration using switch user functionality

More info at https://symfony.com/cve-2019-18886...

CVSS 5.3 | AI score 7.2 | EPSS 0.01552
Exploits: 0 | Affected software: 1
Friends Of PHP

CVE-2019-10913: Reject invalid HTTP method overrides

More info at https://symfony.com/cve-2019-10913...

CVSS 9.8 | AI score 7.2 | EPSS 0.01854
Exploits: 0 | Affected software: 1
Friends Of PHP

CVE-2019-10912: Prevent destructors with side-effects from being unserialized

More info at https://symfony.com/cve-2019-10912...

CVSS 7.1 | AI score 7.2 | EPSS 0.02302
Exploits: 0 | Affected software: 1
Friends Of PHP

CVE-2019-18887: Use constant time comparison in UriSigner

More info at https://symfony.com/cve-2019-18887...

CVSS 8.1 | AI score 7.2 | EPSS 0.01338
Exploits: 0 | Affected software: 1
Friends Of PHP

CVE-2019-18888: Prevent argument injection in a MimeTypeGuesser

More info at https://symfony.com/cve-2019-18888...

CVSS 7.5 | AI score 7.2 | EPSS 0.02248
Exploits: 0 | Affected software: 1
Friends Of PHP

CVE-2019-18889: Forbid serializing AbstractAdapter and TagAwareAdapter instances

More info at https://symfony.com/cve-2019-18889...

CVSS 9.8 | AI score 7.2 | EPSS 0.33247
Exploits: 0 | Affected software: 1
Friends Of PHP

XSS in various backend modules

More info at https://www.neos.io/blog/xss-in-various-backend-modules.html...

CVSS 5.4 | AI score 7.2 | EPSS 0.00564
Exploits: 1 | Affected software: 1
Friends Of PHP

Tabnabbing when opening URI with menu "Open URI in a new tab"

More info at https://www.passbolt.com/incidents/20190807multiplevulnerabilities...

AI score 7.2
Exploits: 0 | Affected software: 1
Friends Of PHP

Padding Oracle Vulnerability in RSA Encryption

Hi, https://github.com/pagarme/pagarme-php/blob/master/lib/Pagarme/CardHashCommon.php This class has a confusing name. CardHash implies a cryptographic hash e.g. SHA256 is being used, but you're encrypting with RSA. Interestingly, you're not specifying the padding client-side, so you're encryptin...

AI score 6.8
Exploits: 0 | Affected software: 1
Friends Of PHP

Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-013

More info at https://www.drupal.org/sa-core-2020-013...

AI score 7.2
Exploits: 0 | Affected software: 1
Friends Of PHP

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2021-005

More info at https://www.drupal.org/sa-core-2021-005...

AI score 7.2
Exploits: 0 | Affected software: 1
Friends Of PHP

Attackers can trigger deserialization of arbitrary data via the phar:// wrapper.

Fix for security vulnerability: Using the phar:// wrapper it was possible to trigger the unserialization of user provided data...

CVSS 9.8 | AI score 9.3 | EPSS 0.26172
Exploits: 7 | Affected software: 1
Friends Of PHP

Possible cross-site scripting (XSS) vulnerability in the Blade templating engine

A security researcher has disclosed a possible XSS vulnerability in the Blade templating engine. Given the following two Blade templates: resources/views/parent.blade.php: html @section'content' @show resources/views/child.blade.php: html @extends'parent' @section'content' @endsection And a route...

CVSS 6.1 | AI score 5.8 | EPSS 0.00799
Exploits: 1 | Affected software: 1
Friends Of PHP

TOTP throttle not enforced cross-wiki

More info at https://phabricator.wikimedia.org/T251661...

CVSS 7.5 | AI score 7.2 | EPSS 0.01752
Exploits: 1 | Affected software: 1
Friends Of PHP

Unauthenticated crypto and weak IV in Magento\Framework\Encryption

More info at http://www.openwall.com/lists/oss-security/2016/07/19/3...

CVSS 7.5 | AI score 7.2 | EPSS 0.00846
Exploits: 0 | Affected software: 1
Friends Of PHP

Cookie serialization vulnerability

More info at https://laravel.com/docs/5.6/upgradeupgrade-5.6.30...

AI score 7.2
Exploits: 0 | Affected software: 1
Total number of security vulnerabilities: 1697