
php 2026

php · grumpydictator/firefly-iii · Heads-up

Firefly III Stored XSS in Piggy Bank Names via Audit Logs

Stored XSS vulnerability: piggy bank names are rendered unsanitized in audit log views, allowing arbitrary JavaScript execution.

13 Jun 2026 · schedule it
php · typo3/html-sanitizer · Heads-up

typo3/html-sanitizer: Whitespace-variant closing tags bypass sanitization when ALLOW_INSECURE_RAW_TEXT is enabled

When ALLOW_INSECURE_RAW_TEXT is enabled, the sanitizer fails to recognize whitespace-variant closing tags (e.

13 Jun 2026 · schedule it
php · typo3/cms-core · Heads-up

typo3/cms-core: XSS in Indexed Search plugin via unsanitized page titles

Cross-Site Scripting vulnerability in Indexed Search plugin: page titles with HTML markup are stored in search index without sanit

13 Jun 2026 · schedule it
php · typo3/cms-core · Heads-up

typo3/cms-core: Missing read permission check in clipboard allows unauthorized data access

Backend users could insert arbitrary records and files into the TYPO3 clipboard without proper read permission checks, allowing un

13 Jun 2026 · schedule it
php · typo3/cms-core · Heads-up

typo3/cms-core: Missing permission checks in Backend API file metadata routes

Authenticated backend users could retrieve file metadata via Backend API routes without proper permission checks, allowing access

13 Jun 2026 · schedule it
php · typo3/cms-core · Heads-up

typo3/cms-core: Path Allowance Check Bypass in GeneralUtility::isAllowedAbsPath()

The path allowance check in GeneralUtility::isAllowedAbsPath() performed a plain string prefix comparison without requiring a dire

13 Jun 2026 · schedule it
php · typo3/cms-core · Heads-up

typo3/cms-core: VariableFrontend and Registry now prevent PHP Object Injection

VariableFrontend and Registry now deserialize PHP payloads with integrity validation and class restrictions, preventing PHP Object

13 Jun 2026 · schedule it
php · typo3/cms-core · Heads-up

typo3/cms-core: Backend users could move records without source edit permissions

Backend users could move records to a different page without edit permissions on the source page.

13 Jun 2026 · schedule it
php · typo3/html-sanitizer · Heads-up

typo3/html-sanitizer: Namespace attribute encoding bypass (XSS)

Namespace attributes are not encoded correctly during HTML serialization, allowing bypass of the cross-site scripting prevention m

13 Jun 2026 · schedule it
php · typo3/cms-core · Heads-up

typo3/cms-core: Open redirect in GeneralUtility::sanitizeLocalUrl

Applications using GeneralUtility::sanitizeLocalUrl are vulnerable to open redirect attacks if the URL is used after sanitization.

13 Jun 2026 · schedule it
php · typo3/cms-core · Heads-up

typo3/cms-core: Recycler module privilege escalation fix

Backend users with Recycler module access could restore soft-deleted records on unauthorized pages or tables.

13 Jun 2026 · schedule it
php · typo3/cms-core · Critical

typo3/cms-core: Unauthorized file download via fallback storage in Media Module

Backend users with file download permissions could download files from the fallback storage of the file abstraction layer (FAL) vi

13 Jun 2026 · act now
php · typo3/cms-core · Critical

typo3/cms-core: File upload bypass via mixed-case extensions leads to SQL injection and privilege escalation

Backend users with file write permissions can upload form definition files with mixed-case extensions (e.

13 Jun 2026 · act now
php · typo3/cms-core · Critical

typo3/cms-core: Form Framework SQL Injection and Privilege Escalation via DataHandler

Backend users with write access to the form_definition table can bypass Form Framework's persistence validation and permission che

13 Jun 2026 · act now
php · typo3/cms-core · Critical

typo3/cms-core: Missing authorization check allows non-privileged users to modify root folders of file mounts

Non-privileged backend users with file mount access could perform write operations (move, delete, rename) on root folders of activ

13 Jun 2026 · act now
php · typo3/cms-core · Critical

typo3/cms-core: Form Framework File Inclusion Vulnerability

Backend users with Form Framework access could use files not ending in .

13 Jun 2026 · act now
php · Laravel News · Good to know

Laracon US 2026 Speaker Lineup Announced

Laracon US 2026 announced its full speaker lineup for July 28-29 in Boston, including Taylor Otwell, Aaron Francis, Nuno Maduro, a

12 Jun 2026 · good to know
php · guzzlehttp/psr7 · Heads-up

guzzlehttp/psr7 CRLF Injection via Host Header

guzzlehttp/psr7 now rejects ASCII control characters, whitespace, and DEL in first-party URI host components, preventing CRLF inje

12 Jun 2026 · schedule it
php · guzzlehttp/psr7 · Heads-up

guzzlehttp/psr7: Malformed Host header misinterpretation in URI construction

guzzlehttp/psr7 improperly interpreted malformed Host header values when constructing request URIs from inbound request data, pote

12 Jun 2026 · schedule it
php · guzzlehttp/guzzle-services · Heads-up

guzzlehttp/guzzle-services: CDATA injection via unsafe XML serialization

guzzlehttp/guzzle-services does not safely serialize scalar XML element values containing the CDATA terminator `]]>`, allowing att

12 Jun 2026 · schedule it
php · filament/tables · Heads-up

filament/tables: Validation bypass in AttachAction and AssociateAction with recordSelectOptionsQuery()

The `recordSelectOptionsQuery()` method scopes options for Select fields in AttachAction and AssociateAction, but the built-in val

12 Jun 2026 · schedule it
php · codeigniter4/framework · Critical

CodeIgniter 4 ext_in Validation Bypass via MIME Extension

The `ext_in` upload validation rule used the MIME-derived guessed extension instead of the client-provided filename extension, all

12 Jun 2026 · act now
php · symfony/runtime · Heads-up

symfony/runtime: Incomplete CVE-2024-50340 fix allows argv injection via web SAPI

The original fix for CVE-2024-50340 gated argv reading on empty($_GET).

10 Jun 2026 · schedule it
php · pheditor/pheditor · Critical

pheditor: OS Command Injection in Terminal Handler

An OS Command Injection vulnerability was discovered in pheditor's terminal handler.

10 Jun 2026 · act now
php · laravel/framework · v13.12.0 · Good to know

laravel/framework v13.12.0 released

Version 13.12.0 of laravel/framework has been released on Packagist.

09 Jun 2026 · good to know
php · laravel/framework · v12.61.0 · Good to know

laravel/framework v12.61.0 released

Release of version 12.61.0 of the laravel/framework package on Packagist.

09 Jun 2026 · good to know
php · guzzlehttp/guzzle · 7.10.5 · Good to know

guzzlehttp/guzzle 7.10.5 Released

Release of version 7.10.5 for guzzlehttp/guzzle.

09 Jun 2026 · good to know
php · symfony/http-foundation · v8.1.0 · Good to know

symfony/http-foundation v8.1.0 released

Version v8.1.0 of symfony/http-foundation provides an object-oriented layer for the HTTP specification.

09 Jun 2026 · good to know
php · symfony/console · v8.1.0 · Good to know

symfony/console v8.1.0: New Release with Improved CLI Creation

New release of symfony/console v8.

09 Jun 2026 · good to know
php · guzzlehttp/guzzle · 7.10.6 · Good to know

guzzlehttp/guzzle 7.10.6 released

Version 7.10.6 of guzzlehttp/guzzle was released.

09 Jun 2026 · good to know
php · guzzlehttp/guzzle · 7.11.0 · Good to know

guzzlehttp/guzzle 7.11.0 released

Version 7.11.0 of guzzlehttp/guzzle has been released.

09 Jun 2026 · good to know
php · phpunit/phpunit · 13.1.14 · Good to know

PHPUnit 13.1.14 Patch Release

Release of PHPUnit version 13.1.14, a patch update in the 13.1.x series.

09 Jun 2026 · good to know
php · laravel/framework · v12.61.1 · Good to know

Laravel Framework v12.61.1 Released

Release of version 12.61.1 of the laravel/framework package on Packagist.

09 Jun 2026 · good to know
php · phpunit/phpunit · 13.2.0 · Good to know

PHPUnit 13.2.0 Released

PHPUnit version 13.2.0 has been released.

09 Jun 2026 · good to know
php · Laravel News · Good to know

Laravel 13.14: JsonSchema::fromArray() and Queue/Job Fixes

Laravel 13.14 adds JsonSchema::fromArray() for converting JSON Schema arrays back into Type objects, queue inheritance fixes, job

09 Jun 2026 · good to know
php · laravel/framework · v12.62.0 · Good to know

laravel/framework v12.62.0 released

Version 12.62.0 of the laravel/framework package has been released.

09 Jun 2026 · good to know
php · WWBN/AVideo · Heads-up

AVideo YouTubeAPI Plugin Reflected XSS via search Parameter

Reflected XSS vulnerability in YouTubeAPI plugin: unsanitized $_GET['search'] concatenated into href attributes in plugin/YouTubeA

09 Jun 2026 · schedule it
php · WWBN/AVideo · Heads-up

AVideo YouTubeAPI Plugin Stored XSS via snippet.title

Stored XSS vulnerability in AVideo YouTubeAPI plugin: `snippet.

09 Jun 2026 · schedule it
php · shopware/platform · Critical

Shopware Platform: Privilege Escalation via Sync API Bypass

A non-admin API user with integration:create ACL privilege can escalate to full administrator by creating an integration with admi

09 Jun 2026 · act now
php · shopware/platform · Critical

Shopware Platform: user_recovery hash exposed via Admin API

The `user_recovery` entity exposes its `hash` field through the Admin API search endpoint (`POST /api/search/user-recovery`), allo

09 Jun 2026 · act now
php · shopware/platform · Critical

shopware/platform: Non-admin users can escalate to admin via UserController::upsertUser()

UserController::upsertUser() writes user data in SYSTEM_SCOPE and does not filter the admin field, allowing non-admin API users wi

09 Jun 2026 · act now
php · shopware/platform · Heads-up

shopware/platform OAuth user repository timing attack vulnerability

A timing attack vulnerability in the OAuth user repository allows enumeration of administrator usernames.

09 Jun 2026 · schedule it
php · shopware/core · Heads-up

shopware/core: Open redirect via Referer header in SSO endpoint

The public SSO entry point at GET /api/oauth/sso/auth uses the Referer header as a fallback redirect destination when the expected

09 Jun 2026 · schedule it
php · shopware/platform · Heads-up

shopware/platform: Missing ACL checks on order state transition endpoints

Order state transition endpoints in the Admin API are missing ACL privilege checks, allowing low-privileged users to change order

09 Jun 2026 · schedule it
php · shopware/platform · Heads-up

shopware/platform: Missing authorization in /store-api/handle-payment

The Store API endpoint `/store-api/handle-payment` lacks object-level authorization, allowing a low-privileged user to trigger pay

09 Jun 2026 · schedule it
php · shopware/core · Heads-up

shopware/core: SVG uploads allow stored XSS

SVG files are allowed in the media manager upload whitelist but are not sanitized, enabling stored XSS via malicious SVG content.

09 Jun 2026 · schedule it
php · shopware/core · Heads-up

shopware/core: Missing IP validation in /api/_action/media/external-link endpoint

The `/api/_action/media/external-link` endpoint in Shopware's core allows authenticated admin users to make server-side HTTP HEAD

09 Jun 2026 · schedule it
php · shopper/framework · Heads-up

Shopper Framework: Missing Authorization on Sub-form Livewire Components

Sub-form Livewire components (Edit, Inventory, Seo, Shipping, Files) in the product editor had no authorization on their store() m

09 Jun 2026 · schedule it
php · shopper/framework · Heads-up

Shopper Framework: Missing permission checks on admin table actions (fixed in v2.8.0)

Admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions without permission checks.

09 Jun 2026 · schedule it
php · twig/twig · Heads-up

twig/twig: XSS fix in HtmlDumper escapes template and profile names

Twig\Profiler\Dumper\HtmlDumper now escapes template and profile names with htmlspecialchars() before outputting them in HTML.

09 Jun 2026 · schedule it
php · poweradmin/poweradmin · Heads-up

Poweradmin v4.4.0 CSV Injection and Path Disclosure in Log Export

CSV Injection (Formula Injection) vulnerability in log export: user-controlled username field written to CSV without sanitizing fo

09 Jun 2026 · schedule it
php · froxlor/froxlor · Critical

Froxlor API Authentication Bypasses Two-Factor Authentication

FroxlorRPC::validateAuth does not enforce Two-Factor Authentication.

09 Jun 2026 · act now
php · wwbn/avideo · Critical

wwbn/avideo: Stored XSS via WebSocket message json key bypass

Stored XSS vulnerability in AVideo's WebSocket messaging system: MessageSQLite.

09 Jun 2026 · act now
php · WWBN/AVideo · Critical

AVideo YPTSocket Plugin Unauthenticated Stored DOM XSS via page_title

Unauthenticated stored DOM XSS via `page_title` broadcast in AVideo YPTSocket plugin.

09 Jun 2026 · act now
php · tinymce · Critical

TinyMCE Stored XSS via data-mce-* Attributes

Stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style).

09 Jun 2026 · act now
php · tinymce · Critical

TinyMCE Stored XSS via forged mce:protected comments

Stored XSS vulnerability via forged mce:protected comments allows attackers to bypass sanitization and inject scripts when content

09 Jun 2026 · act now
php · tinymce · Critical

TinyMCE Media Plugin Stored XSS Vulnerability

A stored XSS vulnerability in the media plugin allows attackers to inject malicious scripts via crafted data-mce-* attributes.

09 Jun 2026 · act now
php · shopper/framework · Critical

shopper/framework: Three security defects in admin Livewire components

Three security defects in admin Livewire components: IDOR via unlocked properties, sensitive data disclosure through Hidden passwo

09 Jun 2026 · act now
php · shopper/framework · Critical

shopper/framework: Authorization bypass in team settings (fixed in v2.8.0)

Two authorization defects in team settings allowed any authenticated panel user to take over the RBAC system: Settings/Team/Index

09 Jun 2026 · act now
php · twig/twig · Critical

Twig Sandbox Bypass via SourcePolicyInterface for sort/filter/map/reduce

Twig's sandbox restriction for callback-accepting filters (sort, filter, map, reduce) is not always applied when using a SourcePol

09 Jun 2026 · act now
php · twig/twig · Critical

Twig Sandbox Bypass via __toString() Calls

The sandbox security mechanism was bypassed because SandboxNodeVisitor only wrapped a hardcoded list of AST nodes in CheckToString

09 Jun 2026 · act now