1702 matches found
Injection in DefaultMailSystem::mail() - Critical - Remote Code Execution
More info at https://www.drupal.org/sa-core-2018-006...
Contextual Links validation - Critical - Remote Code Execution
More info at https://www.drupal.org/sa-core-2018-006...
Class-Name Injection
Tested on 1.8.0-beta-5 In safe mode with html markup disabled, it is possible to insert any classname into a code block like this: \js any-class-name with spaces code \ renders as: code infostring needs some cleanup here:...
CVE-2019-10911: Add a separator in the remember me cookie hash
More info at https://symfony.com/cve-2019-10911...
CVE-2018-14773: Remove support for legacy and risky HTTP headers
More info at https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers...
CVE-2019-10909: Escape validation messages in the PHP templating engine
More info at https://symfony.com/cve-2019-10909...
CVE-2019-10910: Check service IDs are valid
More info at https://symfony.com/cve-2019-10910...
CVE-2019-18888: Prevent argument injection in a MimeTypeGuesser
More info at https://symfony.com/cve-2019-18888...
CVE-2019-18887: Use constant time comparison in UriSigner
More info at https://symfony.com/cve-2019-18887...
CVE-2019-10913: Reject invalid HTTP method overrides
More info at https://symfony.com/cve-2019-10913...
CVE-2019-18886: Prevent user enumeration using switch user functionality
More info at https://symfony.com/cve-2019-18886...
CVE-2019-18889: Forbid serializing AbstractAdapter and TagAwareAdapter instances
More info at https://symfony.com/cve-2019-18889...
CVE-2024-50342: Internal address and port enumeration allowed by NoPrivateNetworkHttpClient
More info at https://symfony.com/cve-2024-50342...
CVE-2024-50341: Security::login does not take into account custom user_checker
More info at https://symfony.com/cve-2024-50341...
CVE-2024-50345: Open redirect via browser-sanitized URLs
More info at https://symfony.com/cve-2024-50345...
CVE-2023-46733: Potential XSS in WebhookController
More info at https://symfony.com/cve-2023-46733...
CVE-2023-46734: Potential XSS vulnerabilities in CodeExtension filters
More info at https://symfony.com/cve-2023-46734...
CVE-2019-10911: Add a separator in the remember me cookie hash
More info at https://symfony.com/cve-2019-10911...
CVE-2026-45069: OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims
More info at https://symfony.com/cve-2026-45069...
Attackers can trigger deserialization of arbitrary data via the phar:// wrapper.
Fix for security vulnerability: Using the phar:// wrapper it was possible to trigger the unserialization of user provided data...
CVE-2026-45070: Email Header Injection via Non-Token Characters in Mime Parameter Names
More info at https://symfony.com/cve-2026-45070...
CVE-2026-45071: XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true
More info at https://symfony.com/cve-2026-45071...
CVE-2025-64500: Incorrect parsing of PATH_INFO can lead to limited authorization bypass
More info at https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass...
Cross-Site Scripting
I've picked up on the work started over at 276 and rebased on erusev/master. Since this is rebased on master, I can't point at PR at naNuke/master without running into the merge conflicts that I've already resolved manually. I've implemented what I suggested earlier so that all attributes are...
SS-2018-015: Vulnerable dependency
More info at https://www.silverstripe.org/download/security-releases/ss-2018-015/...
CVE-2026-48784: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../` or `./` → Generated URL Collapses Off-Route Under RFC 3986 Normalization
More info at https://symfony.com/cve-2026-48784...
PHP Code Injection
phpWhois PHP Code Injection\nVulnerability Overview\nphpWhois and some of its forks in versions before 5.1.0 are prone to a\ncode injection vulnerability due to insufficient sanitization of returned\nWHOIS data. This allows attackers controlling the WHOIS information of a\nrequested domain to...
Cross-Site Scripting
I've picked up on the work started over at https://github.com/erusev/parsedown/pull/276 and rebased on erusev/master. Since this is rebased on master, I can't point at PR at naNuke/master without running into the merge conflicts that I've already resolved manually. I've implemented what I suggest...
PHP Code Injection
phpWhois PHP Code Injection\nVulnerability Overview\nphpWhois and some of its forks in versions before 5.1.0 are prone to a\ncode injection vulnerability due to insufficient sanitization of returned\nWHOIS data. This allows attackers controlling the WHOIS information of a\nrequested domain to...
Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-007
More info at https://www.drupal.org/sa-core-2020-007...
External URL injection through URL aliases - Moderately Critical - Open Redirect
More info at https://www.drupal.org/sa-core-2018-006...
CVE-2024-50343: Incorrect response from Validator when input ends with ` `
More info at https://symfony.com/cve-2024-50343...
CVE-2024-50340: Ability to change environment from query
More info at https://symfony.com/cve-2024-50340...
CVE-2024-50340: Ability to change environment from query
More info at https://symfony.com/cve-2024-50340...
Critical - Remote Code Execution
More info at https://www.drupal.org/sa-core-2018-004...
CVE-2026-46626: SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV/APP_DEBUG via parse_str/SAPI Argv Mismatch
More info at https://symfony.com/cve-2026-46626...
Moderately critical - Cross Site Scripting - SA-CORE-2019-004
More info at https://www.drupal.org/SA-CORE-2019-004...
CVE-2026-45069: OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims
More info at https://symfony.com/cve-2026-45069...
CVE-2026-45065: UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection
More info at https://symfony.com/cve-2026-45065...
Drupal core - Moderately critical - Denial of Service
More info at https://www.drupal.org/sa-core-2024-001...
Drupal core - Critical - Cross-site scripting - SA-CORE-2020-009
More info at https://www.drupal.org/sa-core-2020-009...
CVE-2026-45065: UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection
More info at https://symfony.com/cve-2026-45065...
PHP Code Injection
phpWhois PHP Code Injection\nVulnerability Overview\nphpWhois and some of its forks in versions before 5.1.0 are prone to a\ncode injection vulnerability due to insufficient sanitization of returned\nWHOIS data. This allows attackers controlling the WHOIS information of a\nrequested domain to...
Reflected Cross-Site-Scripting
More info at https://simplesamlphp.org/security/201907-01...
Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-013
More info at https://www.drupal.org/sa-core-2020-013...
External URL injection through URL aliases - Moderately Critical - Open Redirect
More info at https://www.drupal.org/sa-core-2018-006...
CVE-2019-10912: Prevent destructors with side-effects from being unserialized
More info at https://symfony.com/cve-2019-10912...
Drupal core - Moderately critical - Third-party libraries - SA-CORE-2021-005
More info at https://www.drupal.org/sa-core-2021-005...
CVE-2026-45305: YAML Parser ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex
More info at https://symfony.com/cve-2026-45305...
CVE-2026-46626: SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV/APP_DEBUG via parse_str/SAPI Argv Mismatch
More info at https://symfony.com/cve-2026-46626...