1702 matches found
CVE-2026-54718 - Remote code execution via advanced workflow email template
More info at https://www.silverstripe.org/download/security-releases/cve-2026-54718...
CVE-2026-54721 - Remote code execution via userforms email subject
More info at https://www.silverstripe.org/download/security-releases/cve-2026-54721...
CVE-2026-55779 - XSS in archive admin restore
More info at https://www.silverstripe.org/download/security-releases/cve-2026-55779...
CVE-2026-54720 - XSS attack through media embed
More info at https://www.silverstripe.org/download/security-releases/cve-2026-54720...
CVE-2026-54717 - XSS in breadcrumbs in page list view
More info at https://www.silverstripe.org/download/security-releases/cve-2026-54717...
symfony/ux-toolkit Path Traversal allows arbitrary file write and read via crafted recipe manifest
Description The ux:install console command installs files from a recipe kit by copying paths listed in a copy-files map. The only guard against malicious paths was Path::isRelative, which returns true for paths like ../../../etc. Path::join then resolves the .. segments without complaint, so the...
symfony/ux-icons XSS via unsanitized SVG content in local files and Iconify on-demand responses
Description The uxicon Twig function is marked issafe='html', so Twig never escapes its output. Icon::toHtml inlines the SVG source verbatim into the page. Browsers execute elements and on event-handler attributes found inside inline SVG, making any unsanitized icon a vector for cross-site...
Silent HTTPS proxy downgrade to cleartext
Impact The built-in cURL handlers GuzzleHttp\Handler\CurlHandler and GuzzleHttp\Handler\CurlMultiHandler, used by default whenever the PHP cURL extension is available accept an https:// proxy — a proxy reached over a TLS-encrypted connection — through the proxy request option, client-level proxy...
Dot-only cookie domains match all hosts
Impact CookieJar incorrectly accepts cookies with a dot-only Domain attribute, such as Domain=., Domain=.., Domain=..., and whitespace-padded variants such as Domain= . . In affected versions, SetCookie::matchesDomain removes leading dots from the cookie domain, normalizing dot-only values to the...
CRLF injection in HTTP start-line serialization
Impact guzzlehttp/psr7 did not reject CR/LF characters in certain first-party HTTP start-line fields: the request method, protocol version, and response reason phrase. If an application placed attacker-controlled data into one of those fields and later serialized the PSR-7 message as raw HTTP/1.x...
CompilerRuntime code injection via unescaped function names
More info at https://github.com/jmespath/jmespath.php/security/advisories/GHSA-pcw8-m77r-2528...
TYPO3-CORE-SA-2026-019: Broken Access Control in Form Framework
More info at https://typo3.org/security/advisory/typo3-core-sa-2026-019...
TYPO3-CORE-SA-2026-018: Insecure Deserialization in Core API
More info at https://typo3.org/security/advisory/typo3-core-sa-2026-018...
TYPO3-CORE-SA-2026-017: Privilege Escalation & SQL Injection in Form Framework
More info at https://typo3.org/security/advisory/typo3-core-sa-2026-017...
TYPO3-CORE-SA-2026-016: Broken Access Control in File Abstraction Layer
More info at https://typo3.org/security/advisory/typo3-core-sa-2026-016...
TYPO3-CORE-SA-2026-015: Broken Access Control in Backend API
More info at https://typo3.org/security/advisory/typo3-core-sa-2026-015...
TYPO3-CORE-SA-2026-014: Broken Access Control in Clipboard
More info at https://typo3.org/security/advisory/typo3-core-sa-2026-014...
TYPO3-CORE-SA-2026-013: Broken Access Control in Media Module
More info at https://typo3.org/security/advisory/typo3-core-sa-2026-013...
TYPO3-CORE-SA-2026-012: Broken Access Control in DataHandler
More info at https://typo3.org/security/advisory/typo3-core-sa-2026-012...
TYPO3-CORE-SA-2026-011: Broken Access Control in Recycler
More info at https://typo3.org/security/advisory/typo3-core-sa-2026-011...
TYPO3-CORE-SA-2026-010: Cross-Site Scripting in Indexed Search
More info at https://typo3.org/security/advisory/typo3-core-sa-2026-010...
TYPO3-CORE-SA-2026-009: Open Redirect in TYPO3 CMS
More info at https://typo3.org/security/advisory/typo3-core-sa-2026-009...
TYPO3-CORE-SA-2026-008: Broken Access Control in Form Framework
More info at https://typo3.org/security/advisory/typo3-core-sa-2026-008...
TYPO3-CORE-SA-2026-007: Broken Access Control in File Abstraction Layer
More info at https://typo3.org/security/advisory/typo3-core-sa-2026-007...
TYPO3-CORE-SA-2026-006: TYPO3 HTML Sanitizer allows Cross-Site Scripting
More info at https://typo3.org/security/advisory/typo3-core-sa-2026-006...
TYPO3-CORE-SA-2026-006: TYPO3 HTML Sanitizer allows Cross-Site Scripting
More info at https://typo3.org/security/advisory/typo3-core-sa-2026-006...
JWSVerifier uses algorithm from unprotected header, enabling algorithm confusion attacks
Summary JWSVerifier::getAlgorithm in src/Library/Signature/JWSVerifier.php line 144 merges protected and unprotected headers using PHP's spread operator: php $completeHeader = ...$signature-getProtectedHeader, ...$signature-getHeader; In PHP, when spreading arrays with duplicate string keys, the...
JWSVerifier uses algorithm from unprotected header, enabling algorithm confusion attacks
Summary JWSVerifier::getAlgorithm in src/Library/Signature/JWSVerifier.php line 144 merges protected and unprotected headers using PHP's spread operator: php $completeHeader = ...$signature-getProtectedHeader, ...$signature-getHeader; In PHP, when spreading arrays with duplicate string keys, the...
RSA1_5 (RSAES-PKCS1-v1_5) decryption lacks implicit rejection, exposing a Bleichenbacher/Marvin padding oracle
Impact RSACrypt::decryptWithRSA15 used by the RSA15 key-encryption algorithm implements RSAES-PKCS1-v15 decryption by inspecting the padding after RSADP and throwing InvalidArgumentException as soon as the padding is malformed. It does not implement the implicit-rejection countermeasure required ...
RSA1_5 (RSAES-PKCS1-v1_5) decryption lacks implicit rejection, exposing a Bleichenbacher/Marvin padding oracle
Impact RSACrypt::decryptWithRSA15 used by the RSA15 key-encryption algorithm implements RSAES-PKCS1-v15 decryption by inspecting the padding after RSADP and throwing InvalidArgumentException as soon as the padding is malformed. It does not implement the implicit-rejection countermeasure required ...
Chacha20Poly1305 key-encryption algorithm discards the Poly1305 authentication tag, performing no authentication on decryption
Impact The experimental Chacha20Poly1305 key-encryption algorithm generates the 16-byte Poly1305 authentication tag during encryptKey but discards it: the tag is never written to the header and therefore never reaches the wire. On the receiving side, decryptKey calls...
Chacha20Poly1305 key-encryption algorithm discards the Poly1305 authentication tag, performing no authentication on decryption
Impact The experimental Chacha20Poly1305 key-encryption algorithm generates the 16-byte Poly1305 authentication tag during encryptKey but discards it: the tag is never written to the header and therefore never reaches the wire. On the receiving side, decryptKey calls...
PBES2-HS*+A*KW unwrap accepts an unbounded p2c iteration count, enabling CPU-amplification denial of service
Impact When a JWE uses a password-based key-encryption algorithm PBES2-HS256+A128KW, PBES2-HS384+A192KW, PBES2-HS512+A256KW, PBES2AESKW::unwrapKey reads the p2c PBKDF2 iteration count parameter directly from the attacker-controlled JOSE header and passes it to hashpbkdf2 with no upper bound. The...
PBES2-HS*+A*KW unwrap accepts an unbounded p2c iteration count, enabling CPU-amplification denial of service
Impact When a JWE uses a password-based key-encryption algorithm PBES2-HS256+A128KW, PBES2-HS384+A192KW, PBES2-HS512+A256KW, PBES2AESKW::unwrapKey reads the p2c PBKDF2 iteration count parameter directly from the attacker-controlled JOSE header and passes it to hashpbkdf2 with no upper bound. The...
Stored Cross-Site Scripting (XSS) via uploaded files served inline in FileField and ImageField
More info at https://github.com/EasyCorp/EasyAdminBundle/security/advisories/GHSA-8559-gwj3-q37r...
XML injection via CDATA terminator in XML request serialization
Impact guzzlehttp/guzzle-services does not safely serialize scalar XML element values containing the CDATA terminator . The XML request serializer writes values containing , or & with XMLWriter::writeCData$value. If attacker-controlled input contains , the CDATA section closes early and the...
Mass-assignment in Factory::loadFromProvisioningUri lets a hostile provisioning URI corrupt OTP state or leak an uncaught TypeError
Summary OTPHP\Factory::loadFromProvisioningUri parses an attacker-supplied otpauth:// URI and forwards every query key to OTP::setParameter$key, $value. setParameter resolves the name with propertyexists$this, $parameter and performs a dynamic write $this-$parameter = $value src/OTP.php:196-197...
Unbounded digits parameter in a provisioning URI triggers an uncaught DivisionByZeroError in OTP generation
Summary The digits parameter parsed from a provisioning URI is validated only with a lower bound $value 0 and has no upper bound src/OTP.php:353-357. OTP generation computes $code % 10 $this-getDigits src/OTP.php:283. When digits is large enough that 10 digits overflows PHP's integer range and th...
symfony/ux-live-component Format-less date LiveProps parsed with the permissive DateTime constructor
Description When a LiveProp is typed as a DateTimeInterface and no explicit format is configured, Symfony\UX\LiveComponent\LiveComponentHydrator::hydrateObjectValue falls back to new $className$value. The DateTime / DateTimeImmutable constructors accept relative strings such as "now", "tomorrow",...
symfony/ux-live-component Denial of service via unbounded batch action requests
Description Symfony\UX\LiveComponent\Controller\BatchActionController::invoke iterates over the client-supplied actions array and issues a full HttpKernel sub-request for each entry event subscribers, validators, Doctrine, rendering. The array size is never bounded, so an authenticated client can...
symfony/ux-live-component XSS via attacker-controlled child component tag
Description Symfony\UX\LiveComponent\Util\ChildComponentPartialRenderer::createHtml interpolates the $childTag argument directly into the HTML output as a tag name, without escaping or validation. The value originates from client-controlled JSON childrenid.tag parsed by LiveComponentSubscriber an...
symfony/ux-live-component LiveComponentHydrator HMAC checksum lacks component and slot binding
Description In symfony/ux-live-component, a component's server-side state is exposed to the browser as a set of props LiveProp-annotated properties. Props marked writable: true can be freely changed by the client. Read-only props are round-tripped to the browser and back, and their integrity is...
symfony/ux-live-component CSRF Protection Bypass: Accept Header is CORS-Safelisted
Description When using symfony/ux-live-component, methods annotated with LiveAction are invokable from the browser and mutate server-side state via AJAX. Symfony\UX\LiveComponent\EventListener\LiveComponentSubscriber::isLiveComponentRequest gated these invocations on the presence of Accept:...
symfony/ux-autocomplete Information exposure via unescaped LIKE wildcards in EntitySearchUtil
Description Symfony\UX\Autocomplete\Doctrine\EntitySearchUtil::addSearchClause builds the LIKE expression used by the autocomplete endpoint by wrapping the client-supplied query in %...% without escaping the SQL LIKE wildcards %, , . The value is passed as a bound parameter, so this is not SQL...
symfony/ux-autocomplete XSS via unescaped AJAX response data
Description The Stimulus controller shipped with symfony/ux-autocomplete renders AJAX response items into the dropdown by interpolating the text field directly into HTML template literals $itemlabelField inside createAutocompleteWithRemoteData. The value is parsed as HTML rather than text, so any...
Path traversal and reflected XSS in Flag and Icon Twig components
EasyAdminBundle ships two public Twig components — and — that load SVG files from disk using a path built directly from a public component property, and then render the resulting markup with the Twig |raw filter. When an application binds either of those properties to data that is influenced by a...
CVE-2026-46644: symfony/polyfill-intl-idn accepts xn-- labels whose Punycode payload decodes to ASCII-only: insecure equivalence
More info at https://symfony.com/cve-2026-46644...
CVE-2026-46644: symfony/polyfill-intl-idn accepts xn-- labels whose Punycode payload decodes to ASCII-only: insecure equivalence
More info at https://symfony.com/cve-2026-46644...
CVE-2026-48736: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient
More info at https://symfony.com/cve-2026-48736...
Host confusion via authority reinterpretation
Impact guzzlehttp/psr7 improperly interpreted malformed Host header values when constructing request URIs from inbound request data. This issue concerns inbound request parsing and server request construction. It does not require serializing a PSR-7 request, and it is not part of the normal...