Lucene search
K
GithubRecent

33227 matches found

Github Security Blog
Github Security Blog
added 2026/05/28 5:52 p.m.21 views

OpenBao's Inline Auth Incorrectly Redacted Headers

Impact OpenBao's inline auth functionality incorrectly redacted audit log entries, resulting in non-auth headers being removed and auth-related headers being retained in cleartext. This requires an attacker to compromise access to the audit device. Operators should review leaked source...

5.8AI score0.00029EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 5:44 p.m.17 views

compliance-trestle - jinja has an Arbitrary File Write via Path Traversal

Relevant Products/Components: trestle/core/commands/author/jinja.py trestle author jinja --- Detailed Description: The -o/--output argument in trestle author jinja allows writing files outside the intended workspace. The application does not properly validate: ../ ..\ absolute paths This allows...

6.2AI score0.0005EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 5:37 p.m.18 views

OpenBao's cross-namespace lease revocation via legacy sys/revoke path bypasses ACL

Impact OpenBao's namespaces provide multi-tenant separation. A tenant who intentionally leaks lease identifiers can have their lease and underlying credential revoked or renewed by a user in another tenant via the legacy, undocumented sys/revoke and sys/renew endpoints. Patch This will be address...

5.8AI score0.00046EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 5:37 p.m.22 views

compliance-trestle Profile Import has an Arbitrary File Read via trestle:// URI and Relative Path Traversal

Summary The compliance-trestle library's profile import mechanism resolves trestle:// URIs and relative file paths by joining them with trestleroot and calling .resolve, but performs no boundary check to ensure the resolved path stays within the trestle workspace. An attacker can craft a maliciou...

5.9AI score0.00061EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 5:34 p.m.40 views

Symfony's JsonPath Evaluates Attacker-Controlled Regular Expressions in match()/search() Without Limits — ReDoS

Description The JsonPath component's match and search filter functions compile a caller-supplied pattern straight into pregmatch: php 'match' = @pregmatch\sprintf'/^%s$/u', $this-transformJsonPathRegex$argList1, $value, 'search' = @pregmatch"/$this-transformJsonPathRegex$argList1/u", $value,...

5.8AI score0.00082EPSS
Exploits0References6Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/28 5:33 p.m.20 views

Symfony's Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC — Unauthenticated Webhook Event Injection

Description The Mailtrap mailer bridge ships a webhook request parser used to authenticate and decode the event callbacks Mailtrap POSTs to an application's webhook endpoint. Its doParseRequest $request, \SensitiveParameter string $secret method receives the configured webhook secret but never...

5.8AI score0.00026EPSS
Exploits0References6Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/28 5:22 p.m.11 views

Symfony's Mailjet Mailer Webhook Parser Never Verifies the Configured Secret — Unauthenticated Webhook Event Injection

Description The Mailjet mailer bridge and the LOX24 SMS notifier bridge both ship webhook request parsers used to authenticate and decode the event callbacks each provider POSTs to an application's webhook endpoint. Their doParseRequest $request, \SensitiveParameter string $secret methods receive...

5.7AI score0.00103EPSS
Exploits0References7Affected Software3
Github Security Blog
Github Security Blog
added 2026/05/28 5:19 p.m.13 views

opentelemetry-go's Schema ParseFile leaks file descriptors on each parse

Summary go.opentelemetry.io/otel/schema/v1.0 and go.opentelemetry.io/otel/schema/v1.1 leaks one file descriptor on each successful ParseFile call. ParseFile opens the schema file and passes it to Parse without closing it; repeated parsing in a long-running process can exhaust the process file...

5.5CVSS5.9AI score0.00168EPSS
Exploits1References5Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/28 5:4 p.m.14 views

opentelemetry-go's baggage parsing no longer caps raw header length

Summary https://github.com/open-telemetry/opentelemetry-go/pull/7880 removed raw-length rejection and it causes Parse to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Details The commit removes the upfront baggage-string length check and the...

5.3CVSS5.9AI score0.00237EPSS
Exploits0References4Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/28 5:2 p.m.9 views

Capsule TenantResource RawItems Cluster-Scoped Resource Creation Vulnerability

TenantResource RawItems Cluster-Scoped Resource Creation Vulnerability Summary The Capsule Controller runs with cluster-admin privileges. Although the TenantResource RawItems processing logic forcibly sets the namespace, this is ineffective for cluster-scoped resources. Tenant administrators can...

9.1CVSS6AI score0.0043EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 5:1 p.m.18 views

Capsule Namespace Hijacking via subresource

Summary To defend against namespace hijacking achieved through update/patch operations on namespaces, Capsule uses a webhook to validate update requests targeting namespaces. However, in Kubernetes, the namespace/finalize and namespace/status subresource APIs can also modify various fields of a...

3.9CVSS5.8AI score0.00202EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 4:43 p.m.13 views

Symfony's HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — `javascript`: URI Survives Sanitization (XSS)

Description symfony/html-sanitizer lets applications sanitise untrusted HTML. UrlAttributeSanitizer is the visitor responsible for validating URL-valued attributes and stripping dangerous schemes from them; it runs on every element regardless of configuration. Whether an attribute is kept is...

5.8AI score0.00082EPSS
Exploits0References6Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/28 3:39 p.m.4 views

QOS.CH Sarl logback logback-core has a deserialization of untrusted data vulnerability

Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core HardenedObjectInputStream logback-core modules allows Object Injection albeit heavily restricted. More precisely, an attacker able to influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer c...

6.3CVSS6.4AI score0.0037EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 3:39 p.m.6 views

Apache Artemis has an Incorrect Authorization issue

A vulnerability exists in Apache Artemis whereby an application using the STOMP protocol with security credentials that grant either the consume or send permission on an address can augment the routing-type supported by that address even if said user doesn't have the createAddress permission for...

4.3CVSS5.7AI score0.00372EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 12:30 p.m.4 views

Apache Ignite REST API Has a Relative Path Traversal Vulnerability

Relative Path Traversal vulnerability in Apache Ignite REST API. Authenticated REST API users can read any file on the server with "cmd=log" command and a log path crafted in a certain way. This issue affects Apache Ignite: from 2.0.0 through 2.17.0. Users are recommended to upgrade to version...

8.5CVSS5.8AI score0.00526EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 9:31 a.m.4 views

KubeVirt has a Link Following issue

A flaw was found in KubeVirt's virt-exportserver component. An attacker with specific namespace-level access can exploit a path traversal vulnerability in the VMExport directory endpoint. By placing a symbolic link symlink within an exported filesystem Persistent Volume Claim PVC that points...

7.7CVSS5.9AI score0.00516EPSS
Exploits0References11Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 6:31 a.m.6 views

Keycloak has Insufficient Session Expiration

A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, to replay that token even after it has been...

6.8CVSS5.8AI score0.00305EPSS
Exploits0References15Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 6:31 a.m.7 views

Keycloak has an Out-of-bounds Read

A flaw was found in Keycloak's ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed 'Authorization: Bearer' header to any client registration endpoint. This can lead to an...

5.3CVSS5.8AI score0.00417EPSS
Exploits0References15Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 6:31 a.m.5 views

Keycloak Vulnerable to Improper Validation of Specified Quantity in Input

A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol LDAP server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a malformed LDAP password...

4.9CVSS5.8AI score0.00476EPSS
Exploits0References11Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 6:31 a.m.5 views

Keycloak has an Authentication Bypass by Primary Weakness

A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication CIBA flow to bypass this...

4.3CVSS5.7AI score0.00206EPSS
Exploits0References11Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 6:31 a.m.3 views

Keycloak has an Improper Verification of Cryptographic Signature issue

A flaw was found in Keycloak. When a JSON Web Encryption JWE encrypted request object is submitted, Keycloak may incorrectly process unsigned claims if the decrypted content is raw JSON, bypassing the configured signature policy. This allows a remote attacker to submit unauthorized claims, leadin...

7.5CVSS5.8AI score0.0012EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 6:31 a.m.5 views

Keycloak has a Time-of-check Time-of-use (TOCTOU) Race Condition

A flaw was found in Keycloak. An authenticated administrator with the manage-clients role can exploit a Time-of-check to time-of-use TOCTOU vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges to realm-admin for all users within the realm,...

6.5CVSS5.7AI score0.00186EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 6:31 a.m.3 views

Duplicate Advisory: Keycloak has privilege escalation via improper scope mapping enforcement

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-32h4-44jj-c5vx. This link is maintained to preserve external references. Original Description A flaw was found in Keycloak's Fine-Grained Admin Permissions FGAPv2 feature. An administrator with limited client...

7.3CVSS5.7AI score0.00292EPSS
Exploits0References9Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 6:31 a.m.5 views

Keycloak Vulnerable to Incorrect Authorization

A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect OIDC token with the 'organization' scope. This allows organization metadata to be disclosed in...

4.3CVSS5.7AI score0.00214EPSS
Exploits0References15Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/28 6:31 a.m.9 views

Keycloak Vulnerable to Improper Handling of Insufficient Permissions or Privilege

A flaw was found in Keycloak's Client Policies, specifically within the org.keycloak.protocol.oidc component. When certain condition providers client-type, client-roles, client-attributes, client-scopes are used to enforce security restrictions, the reject-ropc-grant executor is silently bypassed...

6.5CVSS5.8AI score0.00267EPSS
Exploits0References14Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 6:31 a.m.7 views

json-2-csv vulnerable to CSV Injection via the preventCsvInjection optio

Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications...

7CVSS5.8AI score0.00166EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 6:31 a.m.4 views

Keycloak Generates an Error Message Containing Sensitive Information

A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP Security Assertion Markup Language Enhanced Client or Proxy endpoint with varying client IDs. By observing distinct faultstrings in the...

5.3CVSS5.7AI score0.00331EPSS
Exploits0References14Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 12:30 a.m.5 views

MCP Toolbox for Databases vulnerable to DNS rebinding attacks

Vulnerable to DNS rebinding attacks when using SSE http://b/499408790. During the beta phase, we implemented allowed-origins and allowed-hosts flags to align with MCP security guidelines. However, the hardcoded Access-Control-Allow-Origin: header in the SSE initialization handler was inadvertentl...

9.4CVSS5.8AI score0.00279EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/27 10:57 p.m.18 views

compliance-trestle Remote Fetching Mechanism has an Arbitrary File Write via Cache Path Traversal

Summary The compliance-trestle library's remote fetching cache mechanism HTTPSFetcher and SFTPFetcher constructs the local cache file path from the URL path component without sanitizing path traversal sequences ../. When a remote OSCAL profile references a URL with traversal in its path, the HTTP...

6.4AI score0.00047EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/27 10:51 p.m.19 views

FUXA's Unauthenticated Project Data Disclosure Exposes Server-Side Scripts and Device Configurations

Summary The GET /api/project endpoint exposes sensitive project configuration data to guest-context requests even when secureEnabled is enabled. Details File: server/api/projects/index.js javascript prjApp.get"/api/project", secureFnc, functionreq, res const permission = checkGroupsFncreq;...

5.9AI score0.00088EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/27 10:50 p.m.16 views

Kata guest escape: runtime-rs guest-root to host-root escape via virtiofs

Summary In the runtime-rs standalone virtio-fs path, verified here with QEMU and verified with Cloud Hypervisor too, Kata Containers runs host virtiofsd as root with: --sandbox none --seccomp none If an attacker has root-equivalent execution inside the Kata guest VM, they can send raw FUSE reques...

6AI score0.00067EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/27 10:49 p.m.23 views

Yamcs Vulnerable to Authenticated Remote Code Execution (RCE) via Jython Algorithm Code Injection

Summary A Server-Side Code Injection vulnerability exists in the Yamcs script evaluation engine for Python algorithms. The application dynamically compiles and evaluates user-controlled algorithm text using Jython via the JSR-223 ScriptEngine API without enforcing a secure sandbox. An authenticat...

6.2AI score0.00473EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/27 10:45 p.m.20 views

Yamcs Vulnerable to Remote Code Execution via Mission Database algorithm override

Remote Code Execution via Mission Database algorithm override Summary The Nashorn ScriptEngine used to evaluate user-supplied algorithm text in MdbOverrideApi.updateAlgorithm is constructed without a ClassFilter, allowing a user with the ChangeMissionDatabase privilege to execute arbitrary Java...

6.5AI score0.00562EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/27 10:34 p.m.18 views

Pimcore has a CustomReports Share Bypass

Summary CustomReports uses inconsistent authorization between the report listing endpoint and the report detail endpoint. - The listing flow filters reports based on report-sharing rules - The detail flow only checks generic reports or reportsconfig permissions As a result, a low-privileged backe...

5.8AI score0.00035EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/27 10:27 p.m.15 views

Pimcore has a WordExport Authorization Bypass for Unauthorized Document Export

Summary The WordExport export flow only checks whether the current backend user has the feature permission wordexport. It does not verify access rights on the target element itself. As a result, a low-privileged backend user can export document content even when the user does not have view...

5.8AI score0.00089EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/27 9:35 p.m.15 views

AsyncSSH `AuthorizedKeysFile %u` path traversal allows attacker-selected authorized keys to authenticate a traversal username

Summary AsyncSSH 2.22.0 expands the OpenSSH-compatible AuthorizedKeysFile %u token with the raw SSH username during pre-authentication server config reload. A server configured with a documented per-user key pattern such as AuthorizedKeysFile authorizedkeys/%u can be made to read an authorized-ke...

5.8AI score0.00221EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/27 9:34 p.m.33 views

Symfony's YAML Parser has a ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex

Description Symfony\Component\Yaml\Parser::cleanup strips the optional %YAML directive header, leading comments, and document start/end markers before parsing. The original regexes contained overlapping quantifiers, most notably '^%YAML: \d.+.\nu', whose \d.+ and . overlap on the dot, that exhibi...

5.8AI score0.00076EPSS
Exploits0References6Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/27 9:33 p.m.21 views

Symfony's YAML Parser Vulnerable to Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs")

Description Symfony\Component\Yaml\Parser resolves YAML aliases anchor during parsing. Aliases that reference collections arrays, stdClass, TaggedValue-wrapped collections can themselves point to other collections containing aliases, creating exponential expansion at resolution time. A small inpu...

5.8AI score0.00076EPSS
Exploits0References6Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/27 9:33 p.m.14 views

Symfony hardened the parser when handling untrusted input

Description Symfony\Component\Yaml\Parser is the entry point for parsing YAML strings into PHP values via Yaml::parse. When the parser is exposed to attacker-controlled input, deeply nested mappings or sequences cause both the block-level Parser::parseBlock and inline Inline::parseSequence /...

5.8AI score0.00089EPSS
Exploits0References6Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/27 9:32 p.m.13 views

Automad has Broken Access Control: Unauthenticated exposure of administrator bcrypt password hashes and TOTP secrets via public API endpoint

Summary A Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The /api/user-collection/create-first-user setup endpoint remains publicly accessible once initial configuration is...

7.5CVSS5.8AI score0.00298EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/27 9:13 p.m.16 views

Symfony has Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener

Description Symfony\Bridge\Monolog\Command\ServerLogCommand the server:log console command is a development-time helper that opens a TCP listener and displays log records pushed to it by the application's logging pipeline. Two unsafe defaults combine into a remotely reachable PHP...

6.4AI score0.01261EPSS
Exploits0References6Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/27 9:12 p.m.14 views

Symfony's HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid]

Description Symfony's IsGranted'...', IsSignatureValid, and IsCsrfTokenValid... attributes allow you to define a methods: ... argument to only enforce these checks for the listed HTTP methods and skip them otherwise. E.g. an attribute defining methods: 'GET' would be ignored for a HEAD request. O...

5.8AI score0.00052EPSS
Exploits0References7Affected Software3
Github Security Blog
Github Security Blog
added 2026/05/27 9:11 p.m.18 views

Symfony's Cas2Handler Derives CAS service URL from Client Host Header → Cross-Service Ticket Replay

Cas2Handler builds this service parameter from Request::getSchemeAndHttpHost, which reflects the attacker-controlled HTTP Host header whenever Symfony's framework.trustedhosts setting is not configured the default. An attacker who controls any other application registered with the same CAS server...

5.8AI score0.00064EPSS
Exploits0References6Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/27 9:11 p.m.18 views

Symfony Vulnerable to SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix

Description Symfony\Component\Cache\Adapter\PdoAdapter is the PDO-backed cache adapter. Its clear$prefix method inherited from AbstractAdapterTrait is documented to delete cache items whose key starts with $prefix. In the non-versioning code path, the caller-supplied $prefix is concatenated into...

6.1AI score0.00062EPSS
Exploits0References6Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/27 9:10 p.m.20 views

Symfony Vulnerable to stored XSS in WebProfiler CodeExtension::fileExcerpt() — Unescaped Non-PHP File Rendering

Description Symfony's profiler, a development only debug UI, renders source-code excerpts on several pages using Twig's custom fileexcerpt filter. This filter renders PHP files via highlightstring which escapes HTML, but renders non-PHP files by splitting on \n and interpolating each line directl...

5.9AI score0.00062EPSS
Exploits0References7Affected Software3
Github Security Blog
Github Security Blog
added 2026/05/27 9:9 p.m.19 views

Symfony has XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true

Description symfony/dom-crawler provides the Crawler class for navigating HTML/XML documents with CSS/XPath selectors; symfony/browser-kit's HttpBrowser uses it to parse fetched pages. Crawler::addXmlContent sets DOMDocument::$validateOnParse = true before calling loadXML. Setting validateOnParse...

5.8AI score0.00052EPSS
Exploits0References6Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/27 9:9 p.m.18 views

Symfony has Email Header Injection via Non-Token Characters in Mime Parameter Names

Description Symfony\Component\Mime\Header\ParameterizedHeader and the related parameter handling reachable from Symfony\Component\Mime\Header\Headers is responsible for serializing structured headers such as Content-Type and Content-Disposition, which carry key=value parameters e.g...

5.8AI score0.00056EPSS
Exploits0References5Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/27 9:3 p.m.17 views

Symfony's OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims

Description OidcTokenHandler is Symfony's built-in access-token handler for OpenID Connect: it validates a bearer JWT and returns the authenticated user identity. It delegates claim validation to the web-token/jwt-checker library's ClaimCheckerManager. OidcTokenHandler::verifyClaims registers...

5.8AI score0.0005EPSS
Exploits0References6Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/27 8:46 p.m.13 views

Symfony has an Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address

Description Symfony Mailer selects a transport via the MAILERDSN environment variable / configuration e.g. smtp://..., sendmail://..., native://default. SendmailTransport invokes the local sendmail binary and supports two modes: -bs speak SMTP over stdin: the default and -t read the message on...

5.8AI score0.00062EPSS
Exploits0References6Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/27 8:42 p.m.12 views

Symfony has Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address

Description Symfony\Component\Mime\Address is the value-object every Symfony Mailer address to/cc/bcc/from/reply-to flows through; its constructor is documented as validating the address and throwing on invalid input, so developers treat it as a security boundary. The constructor accepts email...

5.8AI score0.00062EPSS
Exploits0References6Affected Software2
Total number of security vulnerabilities33227