1702 matches found
CVE-2019-18886: Prevent user enumeration using switch user functionality
More info at https://symfony.com/cve-2019-18886...
CVE-2019-18889: Forbid serializing AbstractAdapter and TagAwareAdapter instances
More info at https://symfony.com/cve-2019-18889...
CVE-2024-50342: Internal address and port enumeration allowed by NoPrivateNetworkHttpClient
More info at https://symfony.com/cve-2024-50342...
CVE-2024-50341: Security::login does not take into account custom user_checker
More info at https://symfony.com/cve-2024-50341...
CVE-2024-50345: Open redirect via browser-sanitized URLs
More info at https://symfony.com/cve-2024-50345...
CVE-2023-46733: Potential XSS in WebhookController
More info at https://symfony.com/cve-2023-46733...
CVE-2023-46734: Potential XSS vulnerabilities in CodeExtension filters
More info at https://symfony.com/cve-2023-46734...
CVE-2019-10911: Add a separator in the remember me cookie hash
More info at https://symfony.com/cve-2019-10911...
CVE-2026-45069: OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims
More info at https://symfony.com/cve-2026-45069...
Attackers can trigger deserialization of arbitrary data via the phar:// wrapper.
Fix for security vulnerability: Using the phar:// wrapper it was possible to trigger the unserialization of user provided data...
CVE-2026-45070: Email Header Injection via Non-Token Characters in Mime Parameter Names
More info at https://symfony.com/cve-2026-45070...
CVE-2026-45071: XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true
More info at https://symfony.com/cve-2026-45071...
PHP Code Injection
phpWhois PHP Code Injection\nVulnerability Overview\nphpWhois and some of its forks in versions before 5.1.0 are prone to a\ncode injection vulnerability due to insufficient sanitization of returned\nWHOIS data. This allows attackers controlling the WHOIS information of a\nrequested domain to...
Cross-Site Scripting
I've picked up on the work started over at https://github.com/erusev/parsedown/pull/276 and rebased on erusev/master. Since this is rebased on master, I can't point at PR at naNuke/master without running into the merge conflicts that I've already resolved manually. I've implemented what I suggest...
PHP Code Injection
phpWhois PHP Code Injection\nVulnerability Overview\nphpWhois and some of its forks in versions before 5.1.0 are prone to a\ncode injection vulnerability due to insufficient sanitization of returned\nWHOIS data. This allows attackers controlling the WHOIS information of a\nrequested domain to...
Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-007
More info at https://www.drupal.org/sa-core-2020-007...
External URL injection through URL aliases - Moderately Critical - Open Redirect
More info at https://www.drupal.org/sa-core-2018-006...
CVE-2024-50343: Incorrect response from Validator when input ends with ` `
More info at https://symfony.com/cve-2024-50343...
CVE-2024-50340: Ability to change environment from query
More info at https://symfony.com/cve-2024-50340...
CVE-2024-50340: Ability to change environment from query
More info at https://symfony.com/cve-2024-50340...
Critical - Remote Code Execution
More info at https://www.drupal.org/sa-core-2018-004...
CVE-2026-46626: SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV/APP_DEBUG via parse_str/SAPI Argv Mismatch
More info at https://symfony.com/cve-2026-46626...
Drupal core - Critical - Cross-site scripting - SA-CORE-2020-009
More info at https://www.drupal.org/sa-core-2020-009...
CVE-2026-48761: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes on <object>, <applet>, <iframe>, <img> and the URL Inside <meta http-equiv="refresh"> content
More info at https://symfony.com/cve-2026-48761...
CVE-2025-64500: Incorrect parsing of PATH_INFO can lead to limited authorization bypass
More info at https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass...
Cross-Site Scripting
I've picked up on the work started over at 276 and rebased on erusev/master. Since this is rebased on master, I can't point at PR at naNuke/master without running into the merge conflicts that I've already resolved manually. I've implemented what I suggested earlier so that all attributes are...
SS-2018-015: Vulnerable dependency
More info at https://www.silverstripe.org/download/security-releases/ss-2018-015/...
CVE-2026-48784: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../` or `./` → Generated URL Collapses Off-Route Under RFC 3986 Normalization
More info at https://symfony.com/cve-2026-48784...
Moderately critical - Cross Site Scripting - SA-CORE-2019-004
More info at https://www.drupal.org/SA-CORE-2019-004...
CVE-2026-45069: OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims
More info at https://symfony.com/cve-2026-45069...
CVE-2026-45065: UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection
More info at https://symfony.com/cve-2026-45065...
Drupal core - Moderately critical - Denial of Service
More info at https://www.drupal.org/sa-core-2024-001...
Drupal core - Critical - Cross-site scripting - SA-CORE-2020-009
More info at https://www.drupal.org/sa-core-2020-009...
CVE-2026-45065: UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection
More info at https://symfony.com/cve-2026-45065...
PHP Code Injection
phpWhois PHP Code Injection\nVulnerability Overview\nphpWhois and some of its forks in versions before 5.1.0 are prone to a\ncode injection vulnerability due to insufficient sanitization of returned\nWHOIS data. This allows attackers controlling the WHOIS information of a\nrequested domain to...
Reflected Cross-Site-Scripting
More info at https://simplesamlphp.org/security/201907-01...
Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-013
More info at https://www.drupal.org/sa-core-2020-013...
External URL injection through URL aliases - Moderately Critical - Open Redirect
More info at https://www.drupal.org/sa-core-2018-006...
CVE-2019-10912: Prevent destructors with side-effects from being unserialized
More info at https://symfony.com/cve-2019-10912...
Drupal core - Moderately critical - Third-party libraries - SA-CORE-2021-005
More info at https://www.drupal.org/sa-core-2021-005...
CVE-2026-45305: YAML Parser ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex
More info at https://symfony.com/cve-2026-45305...
CVE-2024-50343: Incorrect response from Validator when input ends with ` `
More info at https://symfony.com/cve-2024-50343...
Critical - Remote Code Execution
More info at https://www.drupal.org/sa-core-2018-004...
CVE-2026-46626: SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV/APP_DEBUG via parse_str/SAPI Argv Mismatch
More info at https://symfony.com/cve-2026-46626...
Code injection vulnerability in allSelectors()
More info at https://packetstormsecurity.com/files/cve/CVE-2020-13756...
Drupal core - Moderately critical - Access bypass - SA-CORE-2019-011
More info at https://www.drupal.org/sa-core-2019-011...
Drupal core - Critical - Multiple vulnerabilities - SA-CORE-2019-012
More info at https://www.drupal.org/sa-core-2019-012...
Anonymous Open Redirect - Moderately Critical - Open Redirect
More info at https://www.drupal.org/sa-core-2018-006...
Drupal core - Critical - Multiple vulnerabilities - SA-CORE-2019-012
More info at https://www.drupal.org/sa-core-2019-012...
CVE-2026-45754: Mailjet Mailer and LOX24 Notifier Webhook Parsers Never Verify the Configured Secret: Unauthenticated Webhook Event Injection
More info at https://symfony.com/cve-2026-45754...