Trivy image scan findings (one row per affected OS or application package; "N/A" in the last column means the distribution has not shipped a fixed package):

| Project | Advisory | Source | Target type | Package | Severity | Title | Fixed version |
|---|---|---|---|---|---|---|---|
| Bikeplan.cz (Symfony) | CVE-2026-42496 | Trivy image | debian | libperl5.40 | critical | perl-archive-tar: Path traversal via crafted symlinks allows a... | N/A |
| Bikeplan.cz (Symfony) | CVE-2026-8376 | Trivy image | debian | libperl5.40 | critical | Perl versions through 5.43.10 have a heap buffer overflow when compili... | N/A |
| Bikeplan.cz (Symfony) | CVE-2026-42496 | Trivy image | debian | perl | critical | perl-archive-tar: Path traversal via crafted symlinks allows a... | N/A |
| Bikeplan.cz (Symfony) | CVE-2026-8376 | Trivy image | debian | perl | critical | Perl versions through 5.43.10 have a heap buffer overflow when compili... | N/A |
| Bikeplan.cz (Symfony) | CVE-2026-42496 | Trivy image | debian | perl-base | critical | perl-archive-tar: Path traversal via crafted symlinks allows a... | N/A |
| Bikeplan.cz (Symfony) | CVE-2026-8376 | Trivy image | debian | perl-base | critical | Perl versions through 5.43.10 have a heap buffer overflow when compili... | N/A |
| Bikeplan.cz (Symfony) | CVE-2026-42496 | Trivy image | debian | perl-modules-5.40 | critical | perl-archive-tar: Path traversal via crafted symlinks allows a... | N/A |
| Bikeplan.cz (Symfony) | CVE-2026-8376 | Trivy image | debian | perl-modules-5.40 | critical | Perl versions through 5.43.10 have a heap buffer overflow when compili... | N/A |
| CSAT Project (Survey Tool) | CVE-2026-31789 | Trivy image | alpine | libcrypto3 | critical | openssl: Heap buffer overflow on 32-bit systems from large X.509 certif... | 3.5.6-r0 |
| CSAT Project (Survey Tool) | CVE-2026-31789 | Trivy image | alpine | libssl3 | critical | openssl: Heap buffer overflow on 32-bit systems from large X.509 certif... | 3.5.6-r0 |
| FQ Majetek | CVE-2025-7783 | Trivy image | node-pkg | form-data | critical | form-data: Unsafe random function in form-data... | 2.5.4, 3.0.4, 4.0.4 |
| Golf (Symfony) | CVE-2026-42496 | Trivy image | debian | libperl5.40 | critical | perl-archive-tar: Path traversal via crafted symlinks allows a... | N/A |
| Golf (Symfony) | CVE-2026-8376 | Trivy image | debian | libperl5.40 | critical | Perl versions through 5.43.10 have a heap buffer overflow when compili... | N/A |
| Golf (Symfony) | CVE-2026-42496 | Trivy image | debian | perl | critical | perl-archive-tar: Path traversal via crafted symlinks allows a... | N/A |
| Golf (Symfony) | CVE-2026-8376 | Trivy image | debian | perl | critical | Perl versions through 5.43.10 have a heap buffer overflow when compili... | N/A |
| Golf (Symfony) | CVE-2026-42496 | Trivy image | debian | perl-base | critical | perl-archive-tar: Path traversal via crafted symlinks allows a... | N/A |
| Golf (Symfony) | CVE-2026-8376 | Trivy image | debian | perl-base | critical | Perl versions through 5.43.10 have a heap buffer overflow when compili... | N/A |
| Golf (Symfony) | CVE-2026-42496 | Trivy image | debian | perl-modules-5.40 | critical | perl-archive-tar: Path traversal via crafted symlinks allows a... | N/A |
| Golf (Symfony) | CVE-2026-8376 | Trivy image | debian | perl-modules-5.40 | critical | Perl versions through 5.43.10 have a heap buffer overflow when compili... | N/A |
| Hugo Scraper API (Salesforce Integration) | CVE-2026-33845 | Trivy image | debian | libgnutls30 | critical | gnutls: Denial of Service via DTLS zero-length fragment... | 3.7.9-2+deb12u7 |
| Hugo Scraper API (Salesforce Integration) | CVE-2026-42010 | Trivy image | debian | libgnutls30 | critical | gnutls: Authentication Bypass via NUL Character in Username... | 3.7.9-2+deb12u7 |
| Hugo Scraper API (Salesforce Integration) | CVE-2026-42496 | Trivy image | debian | perl-base | critical | perl-archive-tar: Path traversal via crafted symlinks allows a... | N/A |
| Hugo Scraper API (Salesforce Integration) | CVE-2026-8376 | Trivy image | debian | perl-base | critical | Perl versions through 5.43.10 have a heap buffer overflow when compili... | N/A |
| Aplikace výpovědi | CVE-2024-21538 | Trivy image | node-pkg | cross-spawn | high | cross-spawn: regular expression denial of service... | 7.0.5, 6.0.6 |
| Aplikace výpovědi | CVE-2025-64756 | Trivy image | node-pkg | glob | high | glob: Command Injection Vulnerability via Malicious Filenames... | 11.1.0, 10.5.0 |
| Aplikace výpovědi | CVE-2026-26996 | Trivy image | node-pkg | minimatch | high | minimatch: Denial of Service via specially crafted glob patterns... | 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 |
| Aplikace výpovědi | CVE-2026-27903 | Trivy image | node-pkg | minimatch | high | minimatch: Denial of Service due to unbounded recursive backtracking... | 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 |
| Aplikace výpovědi | CVE-2026-27904 | Trivy image | node-pkg | minimatch | high | minimatch: Denial of Service via catastrophic backtracking in glob ex... | 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 |
| Aplikace výpovědi | CVE-2026-23745 | Trivy image | node-pkg | tar | high | node-tar: Arbitrary file overwrite and symlink poisoning via unsa... | 7.5.3 |
| Aplikace výpovědi | CVE-2026-23950 | Trivy image | node-pkg | tar | high | node-tar: Arbitrary file overwrite via Unicode path collision rac... | 7.5.4 |
| Aplikace výpovědi | CVE-2026-24842 | Trivy image | node-pkg | tar | high | node-tar: Arbitrary file creation via path traversal bypass in ha... | 7.5.7 |
| Aplikace výpovědi | CVE-2026-26960 | Trivy image | node-pkg | tar | high | node-tar: Arbitrary file read/write via malicious archive hardlink cre... | 7.5.8 |
| Aplikace výpovědi | CVE-2026-29786 | Trivy image | node-pkg | tar | high | node-tar: hardlink path traversal via drive-relative linkpath... | 7.5.10 |
| Aplikace výpovědi | CVE-2026-31802 | Trivy image | node-pkg | tar | high | tar: File overwrite via drive-relative symlink traversal... | 7.5.11 |
Container configuration checks:

| Project | Check | Source | Target | Severity | Finding | Fixed version / status |
|---|---|---|---|---|---|---|
| Aplikace výpovědi | DOCKERFILE-ROOT-USER | Dockerfile static checks | dockerfile | high | Container runs as root user... | N/A |
| Aplikace výpovědi | HELM-NO-RUN-AS-NON-ROOT | HelmScanner | helm-values | high | Container not configured to run as non-root... | configured |
Packagist security advisories matched against the Composer lock file. The last column is the advisory's affected version range as published, with `|` separating alternative ranges; the last row is cut off in the source and its range is missing.

| Project | Advisory | Source | Package | Severity | Title | Affected versions |
|---|---|---|---|---|---|---|
| Bikeplan.cz (Symfony) | CVE-2015-5723 | Packagist Security Advisories | doctrine/annotations | high | Security Misconfiguration Vulnerability in various Doctrine projects... | >=1.0.0,<1.2.7 |
| Bikeplan.cz (Symfony) | CVE-2015-5723 | Packagist Security Advisories | doctrine/common | high | Security Misconfiguration Vulnerability in various Doctrine projects... | >=2.0.0,<2.4.3\|>=2.5.0,<2.5.1 |
| Bikeplan.cz (Symfony) | CVE-2021-43608 | Packagist Security Advisories | doctrine/dbal | high | SQL Injection in Limit Clause Generation API... | >=3.0.0,<3.0.99\|>=3.1.0,<3.1.4 |
| Bikeplan.cz (Symfony) | CVE-2015-5723 | Packagist Security Advisories | doctrine/doctrine-bundle | high | Security Misconfiguration Vulnerability in various Doctrine projects... | <1.5.2 |
| Bikeplan.cz (Symfony) | CVE-2015-5723 | Packagist Security Advisories | doctrine/orm | high | Security Misconfiguration Vulnerability in various Doctrine projects... | >=2.0.0,<2.4.8\|>=2.5.0,<2.5.1 |
| Bikeplan.cz (Symfony) | CVE-2025-45769 | Packagist Security Advisories | firebase/php-jwt | high | php-jwt contains weak encryption... | <7.0.0 |
| Bikeplan.cz (Symfony) | CVE-2021-46743 | Packagist Security Advisories | firebase/php-jwt | high | Key/algorithm type confusion... | <6.0.0 |
| Bikeplan.cz (Symfony) | CVE-2026-6409 | Packagist Security Advisories | google/protobuf | high | Protobuf: Denial of Service issue through malicious messages containing negative... | <4.33.6 |
| Bikeplan.cz (Symfony) | CVE-2015-5237 | Packagist Security Advisories | google/protobuf | high | protobuf susceptible to buffer overflow... | <3.4.0 |
| Bikeplan.cz (Symfony) | CVE-2022-31091 | Packagist Security Advisories | guzzlehttp/guzzle | high | Change in port should be considered a change in origin... | >=7,<7.4.5\|>=4,<6.5.8 |
| Bikeplan.cz (Symfony) | CVE-2022-31090 | Packagist Security Advisories | guzzlehttp/guzzle | high | CURLOPT_HTTPAUTH option not cleared on change of origin... | >=7,<7.4.5\|>=4,<6.5.8 |
| Bikeplan.cz (Symfony) | CVE-2022-31043 | Packagist Security Advisories | guzzlehttp/guzzle | high | Fix failure to strip Authorization header on HTTP downgrade... | >=7,<7.4.4\|>=4,<6.5.7 |
| Bikeplan.cz (Symfony) | CVE-2022-31042 | Packagist Security Advisories | guzzlehttp/guzzle | high | Failure to strip the Cookie header on change in host or HTTP downgrade... | >=7,<7.4.4\|>=4,<6.5.7 |
| Bikeplan.cz (Symfony) | CVE-2022-29248 | Packagist Security Advisories | guzzlehttp/guzzle | high | Cross-domain cookie leakage... | >=7,<7.4.3\|>=4,<6.5.6 |
| Bikeplan.cz (Symfony) | CVE-2016-5385 | Packagist Security Advisories | guzzlehttp/guzzle | high | HTTP Proxy header vulnerability... | >=6,<6.2.1\|>=4.0.0-rc2,<4.2.4\|>=5,<5.3.1 |
| Bikeplan.cz (Symfony) | CVE-2023-29197 | Packagist Security Advisories | guzzlehttp/psr7 | high | Improper header validation... | >=2,<2.4.5\|<1.9.1 |
| Bikeplan.cz (Symfony) | CVE-2022-24775 | Packagist Security Advisories | guzzlehttp/psr7 | high | Improper parsing of HTTP headers... | >=2,<2.1.1\|<1.8.4 |
| Bikeplan.cz (Symfony) | CVE-2026-46643 | Packagist Security Advisories | knplabs/knp-snappy | high | Snappy: Binary path is never shell-escaped due to an inverted is_executable chec... | <=1.7.0 |
| Bikeplan.cz (Symfony) | CVE-2026-46683 | Packagist Security Advisories | knplabs/knp-snappy | high | Snappy: SSRF and local file read via the xsl-style-sheet option... | <=1.6.0 |
| Bikeplan.cz (Symfony) | CVE-2023-41330 | Packagist Security Advisories | knplabs/knp-snappy | high | Snappy PHAR deserialization vulnerability... | <=1.4.2 |
| Bikeplan.cz (Symfony) | CVE-2023-28115 | Packagist Security Advisories | knplabs/knp-snappy | high | PHAR deserialization allowing remote code execution... | <1.4.2 |
| Bikeplan.cz (Symfony) | CVE-2021-32708 | Packagist Security Advisories | league/flysystem | high | TOCTOU Race Condition enabling remote code execution... | <1.1.4\|>=2.0.0,<2.1.1 |
| Bikeplan.cz (Symfony) | CVE-2026-45034 | Packagist Security Advisories | phpoffice/phpspreadsheet | high | PHPSpreadsheet has a patch bypass for CVE-2026-34084... | <=1.30.4 |
| Bikeplan.cz (Symfony) | CVE-2026-40902 | Packagist Security Advisories | phpoffice/phpspreadsheet | high | PhpSpreadsheet has CPU Denial of Service via Unbounded Row Number in XLSX Row Di... | <=1.30.3\|>=2.0.0,<=2.1.15\|>=2.2.0,<=2.4.4\|>=3.3.0,<=3.10.4\|>=4.0.0,<=5.6.0 |
| Bikeplan.cz (Symfony) | CVE-2026-40863 | Packagist Security Advisories | phpoffice/phpspreadsheet | high | PhpSpreadsheet has CPU Denial of Service via Unbounded Row Index in SpreadsheetM... | <=1.30.3\|>=2.0.0,<=2.1.15\|>=2.2.0,<=2.4.4\|>=3.3.0,<=3.10.4\|>=4.0.0,<=5.6.0 |
| Bikeplan.cz (Symfony) | CVE-2026-34084 | Packagist Security Advisories | phpoffice/phpspreadsheet | high | PhpSpreadsheet has SSRF/RCE in IOFactory::load when $filename is user controlled... | <=1.30.2\|>=2.0.0,<=2.1.14\|>=2.2.0,<=2.4.3\|>=3.3.0,<=3.10.3\|>=4.0.0,<=5.5.0 |
| Bikeplan.cz (Symfony) | CVE-2026-40296 | Packagist Security Advisories | phpoffice/phpspreadsheet | high | PhpSpreadsheet has XSS via number format code with @ text placeholder bypasses h... | <=1.30.3\|>=2.0.0,<=2.1.15\|>=2.2.0,<=2.4.4\|>=3.3.0,<=3.10.4\|>=4.0.0,<=5.6.0 |
| Bikeplan.cz (Symfony) | CVE-2026-35453 | Packagist Security Advisories | phpoffice/phpspreadsheet | high | PhpSpreadsheet has XSS via NumberFormat @ Text Substitution in HTML Writer... | <=1.30.3\|>=2.0.0,<=2.1.15\|>=2.2.0,<=2.4.4\|>=3.3.0,<=3.10.4\|>=4.0.0,<=5.6.0 |
| Bikeplan.cz (Symfony) | CVE-2025-54370 | Packagist Security Advisories | phpoffice/phpspreadsheet | high | PhpSpreadsheet vulnerable to SSRF when reading and displaying a processed HTML d... | <1.30.0\|>=2.0.0,<2.1.0\|>=2.1.0,<2.1.12\|>=2.2.0,<2.3.0\|>=2.3.0,<2.4.0\|>=3.0.0,<3.10.0\|>=4.0.0,<5.0.0 |
| Bikeplan.cz (Symfony) | CVE-2025-23210 | Packagist Security Advisories | phpoffice/phpspreadsheet | high | PhpSpreadsheet allows bypassing of XSS sanitizer using the javascript protocol a... | >=2.0.0,<2.1.8\|>=2.2.0,<2.3.7\|<1.29.9\|>=3.0.0,<3.9.0 |
| Bikeplan.cz (Symfony) | CVE-2025-22131 | Packagist Security Advisories | phpoffice/phpspreadsheet | high | Cross-Site Scripting (XSS) vulnerability in generateNavigation() function in Php... | >=2.2.0,<2.3.6\|>=2.0.0,<2.1.7\|<1.29.8\|>=3.0.0,<3.8.0 |
| Bikeplan.cz (Symfony) | CVE-2024-56412 | Packagist Security Advisories | phpoffice/phpspreadsheet | high | PhpSpreadsheet allows bypass XSS sanitizer using the javascript protocol and spe... | >=2.2.0,<=2.3.4\|>=2.0.0,<=2.1.5\|<=1.29.6\|>=3.0.0,<3.7.0 |
| Bikeplan.cz (Symfony) | CVE-2024-56411 | Packagist Security Advisories | phpoffice/phpspreadsheet | high | PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability of the hyperlink b... | >=2.2.0,<=2.3.4\|>=2.0.0,<=2.1.5\|<=1.29.6\|>=3.0.0,<3.7.0 |
| Bikeplan.cz (Symfony) | CVE-2024-56410 | Packagist Security Advisories | phpoffice/phpspreadsheet | high | PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability in custom properti... | >=2.2.0,<=2.3.4\|>=2.0.0,<=2.1.5\|<=1.29.6\|>=3.0.0,<3.7.0 |
| Bikeplan.cz (Symfony) | CVE-2024-56409 | Packagist Security Advisories | phpoffice/phpspreadsheet | high | PhpSpreadsheet allows unauthorized Reflected XSS in Currency.php file... | >=2.2.0,<=2.3.4\|>=2.0.0,<=2.1.5\|<=1.29.6\|>=3.0.0,<3.7.0 |
| Bikeplan.cz (Symfony) | CVE-2024-56366 | Packagist Security Advisories | phpoffice/phpspreadsheet | high | PhpSpreadsheet allows unauthorized Reflected XSS in the Accounting.php file... | >=2.2.0,<=2.3.4\|>=2.0.0,<=2.1.5\|<=1.29.6\|>=3.0.0,<3.7.0 |
| Bikeplan.cz (Symfony) | CVE-2024-56365 | Packagist Security Advisories | phpoffice/phpspreadsheet | high | PhpSpreadsheet allows unauthorized Reflected XSS in the constructor of the Downl... | >=2.2.0,<=2.3.4\|>=2.0.0,<=2.1.5\|<=1.29.6\|>=3.0.0,<3.7.0 |
| Bikeplan.cz (Symfony) | CVE-2024-56408 | Packagist Security Advisories | phpoffice/phpspreadsheet | high | PhpSpreadsheet allows unauthorized Reflected XSS in `Convert-Online.php` file... | >=2.2.0,<=2.3.4\|>=2.0.0,<=2.1.5\|<=1.29.6\|>=3.0.0,<3.7.0 |
| Bikeplan.cz (Symfony) | CVE-2024-48917 | Packagist Security Advisories | phpoffice/phpspreadsheet | high | XXE in PHPSpreadsheet's XLSX reader... | >=3.3.0,<3.4.0\|>=2.2.0,<2.3.2\|>=2.0.0,<2.1.3\|<1.29.4 |
| Bikeplan.cz (Symfony) | CVE-2024-47873 | Packagist Security Advisories | phpoffice/phpspreadsheet | high | XmlScanner bypass leads to XXE... | >=3.3.0,<3.4.0\|>=2.2.0,<2.3.2\|>=2.0.0,<2.1.3\|<1.29.4 |
| Bikeplan.cz (Symfony) | CVE-2024-45293 | Packagist Security Advisories | phpoffice/phpspreadsheet | high | XXE in PHPSpreadsheet's XLSX reader... | >=2.0.0,<2.1.1\|<1.29.1\|>=2.2.0,<2.3.0 |
| Bikeplan.cz (Symfony) | CVE-2024-45292 | Packagist Security Advisories | phpoffice/phpspreadsheet | high | PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript... | >=2.0.0,<2.1.1\|<1.29.2\|>=2.2.0,<2.3.0 |
| Bikeplan.cz (Symfony) | CVE-2024-45291 | Packagist Security Advisories | phpoffice/phpspreadsheet | high | PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery in... | >=2.0.0,<2.1.1\|<1.29.2\|>=2.2.0,<2.3.0 |
| Bikeplan.cz (Symfony) | CVE-2024-45290 | Packagist Security Advisories | phpoffice/phpspreadsheet | high | PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery wh... | >=2.0.0,<2.1.1\|<1.29.2\|>=2.2.0,<2.3.0 |
| Bikeplan.cz (Symfony) | CVE-2024-45060 | Packagist Security Advisories | phpoffice/phpspreadsheet | high | PhpSpreadsheet has an Unauthenticated Cross-Site-Scripting (XSS) in sample file... | >=2.0.0,<2.1.1\|<1.29.2\|>=2.2.0,<2.3.0 |
| Bikeplan.cz (Symfony) | CVE-2024-45048 | Packagist Security Advisories | phpoffice/phpspreadsheet | high | XXE in PHPSpreadsheet encoding is returned... | >=2.0.0,<2.1.1\|>=2.2.0,<2.2.1\|<1.29.1 |
| Bikeplan.cz (Symfony) | CVE-2024-45046 | Packagist Security Advisories | phpoffice/phpspreadsheet | high | PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style infor... | <1.29.1\|>=2.0.0,<2.1.0 |
| Bikeplan.cz (Symfony) | CVE-2020-7776 | Packagist Security Advisories | phpoffice/phpspreadsheet | high | XSS Vulnerability in HTML Writer... | <1.16.0 |
| Bikeplan.cz (Symfony) | CVE-2019-12331 | Packagist Security Advisories | phpoffice/phpspreadsheet | high | XXE Vulnerability... | <1.8.0 |
| Bikeplan.cz (Symfony) | CVE-2018-19277 | Packagist Security Advisories | phpoffice/phpspreadsheet | high | XXE Vulnerability... | <=1.5.0 |
| Bikeplan.cz (Symfony) | CVE-2026-45073 | Packagist Security Advisories | symfony/cache | high | CVE-2026-45073: SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix... | >=2.0.0,<3.0.0\|>=3.0.0,<4.0.0\|>=4.0.0,<5.0.0\|>=5.0.0,<5.1.0\|>=5.1.0,<5.2.0\|>=5.2.0,<5.3.0\|>=5.3.0,<5.4.0\|>=5.4.0,<5.4.52\|>=6.0.0,<6.1.0\|>=6.1.0,<6.2.0\|>=6.2.0,<6.3.0\|>=6.3.0,<6.4.0\|>=6.4.0,<6.4.40\|>=7.0.0,<7.1.0\|>=7.1.0,<7.2.0\|>=7.2.0,<7.3.0\|>=7.3.0,<7.4.0\|>=7.4.0,<7.4.12\|>=8.0.0,<8.0.12 |
| Bikeplan.cz (Symfony) | CVE-2019-18889 | Packagist Security Advisories | symfony/cache | high | CVE-2019-18889: Forbid serializing AbstractAdapter and TagAwareAdapter instances... | >=3.1.0,<3.2.0\|>=3.2.0,<3.3.0\|>=3.3.0,<3.4.0\|>=3.4.0,<3.4.35\|>=4.0.0,<4.1.0\|>=4.1.0,<4.2.0\|>=4.2.0,<4.2.12\|>=4.3.0,<4.3.8 |
| Bikeplan.cz (Symfony) | CVE-2019-10912 | Packagist Security Advisories | symfony/cache | high | CVE-2019-10912: Prevent destructors with side-effects from being unserialized... | >=3.1.0,<3.2.0\|>=3.2.0,<3.3.0\|>=3.3.0,<3.4.0\|>=3.4.0,<3.4.26\|>=4.0.0,<4.1.0\|>=4.1.0,<4.1.12\|>=4.2.0,<4.2.7 |
| Bikeplan.cz (Symfony) | CVE-2019-10910 | Packagist Security Advisories | symfony/dependency-injection | high | CVE-2019-10910: Check service IDs are valid... | >=2.7.0,<2.7.51\|>=2.8.0,<2.8.50\|>=3.0.0,<3.1.0\|>=3.1.0,<3.2.0\|>=3.2.0,<3.3.0\|>=3.3.0,<3.4.0\|>=3.4.0,<3.4.26\|>=4.0.0,<4.1.0\|>=4.1.0,<4.1.12\|>=4.2.0,<4.2.7 |
| Bikeplan.cz (Symfony) | CVE-2020-5274 | Packagist Security Advisories | symfony/error-handler | high | CVE-2020-5274: Fix Exception message escaping rendered by ErrorHandler... | >=4.4.0,<4.4.4\|>=5.0.0,<5.0.4 |
| Bikeplan.cz (Symfony) | CVE-2018-19789 | Packagist Security Advisories | symfony/form | high | CVE-2018-19789: Temporary uploaded file path disclosure... | >=2.7.38,<2.7.50\|>=2.8.0,<2.8.49\|>=3.0.0,<3.1.0\|>=3.1.0,<3.2.0\|>=3.2.0,<3.3.0\|>=3.3.0,<3.4.0\|>=3.4.0,<3.4.20\|>=4.0.0,<4.0.15\|>=4.1.0,<4.1.9\|>=4.2.0,<4.2.1 |
| Bikeplan.cz (Symfony) | CVE-2017-16790 | Packagist Security Advisories | symfony/form | high | CVE-2017-16790: Ensure that submitted data are uploaded files... | >=2.7.0,<2.7.38\|>=2.8.0,<2.8.31\|>=3.0.0,<3.1.0\|>=3.1.0,<3.2.0\|>=3.2.0,<3.2.14\|>=3.3.0,<3.3.13 |
| Bikeplan.cz (Symfony) | CVE-2015-8125 | Packagist Security Advisories | symfony/form | high | CVE-2015-8125: Potential Remote Timing Attack Vulnerability in Security Remember... | >=2.3.0,<2.3.35\|>=2.4.0,<2.5.0\|>=2.5.0,<2.6.0\|>=2.6.0,<2.6.12\|>=2.7.0,<2.7.7 |
| Bikeplan.cz (Symfony) | CVE-2022-23601 | Packagist Security Advisories | symfony/framework-bundle | high | CVE-2022-23601: CSRF token missing in forms... | >=5.3.14,<5.3.15\|>=5.4.3,<5.4.4\|>=6.0.3,<6.0.4 |
| Bikeplan.cz (Symfony) | CVE-2019-10909 | Packagist Security Advisories | symfony/framework-bundle | high | CVE-2019-10909: Escape validation messages in the PHP templating engine... | >=2.7.0,<2.7.51\|>=2.8.0,<2.8.50\|>=3.0.0,<3.1.0\|>=3.1.0,<3.2.0\|>=3.2.0,<3.3.0\|>=3.3.0,<3.4.0\|>=3.4.0,<3.4.26\|>=4.0.0,<4.1.0\|>=4.1.0,<4.1.12\|>=4.2.0,<4.2.7 |
| Bikeplan.cz (Symfony) | CVE-2014-4931 | Packagist Security Advisories | symfony/framework-bundle | high | Code injection in the way Symfony implements translation caching in FrameworkBun... | >=2.0.0,<2.1.0\|>=2.1.0,<2.2.0\|>=2.2.0,<2.3.0\|>=2.3.0,<2.3.18\|>=2.4.0,<2.4.8\|>=2.5.0,<2.5.2 |
| Bikeplan.cz (Symfony) | CVE-2026-48736 | Packagist Security Advisories | symfony/http-client | high | CVE-2026-48736: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT6... | >=5.4.0,<5.4.53 |
| Bikeplan.cz (Symfony) | CVE-2024-50342 | Packagist Security Advisories | symfony/http-client | high | CVE-2024-50342: Internal address and port enumeration allowed by NoPrivateNetwor... | >=4.3.0,<4.4.0\|>=4.4.0,<5.0.0\|>=5.0.0,<5.1.0\|>=5.1.0,<5.2.0\|>=5.2.0,<5.3.0\|>=5.3.0,<5.4.0\|>=5.4.0,<5.4.47\|>=6.0.0,<6.1.0\|>=6.1.0,<6.2.0\|>=6.2.0,<6.3.0\|>=6.3.0,<6.4.0\|>=6.4.0,<6.4.15\|>=7.0.0,<7.1.0\|>=7.1.0,<7.1.8 |
| Bikeplan.cz (Symfony) | CVE-2026-48736 | Packagist Security Advisories | symfony/http-foundation | high | CVE-2026-48736: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT6... | >=6.4.0,<6.4.41\|>=7.0.0,<7.1.0\|>=7.1.0,<7.2.0\|>=7.2.0,<7.3.0\|>=7.3.0,<7.4.0\|>=7.4.0,<7.4.13\|>=8.0.0,<8.0.13 |
| Bikeplan.cz (Symfony) | CVE-2025-64500 | Packagist Security Advisories | symfony/http-foundation | high | CVE-2025-64500: Incorrect parsing of PATH_INFO can lead to limited authorization... | >=2.0.0,<3.0.0\|>=3.0.0,<4.0.0\|>=4.0.0,<5.0.0\|>=5.0.0,<5.1.0\|>=5.1.0,<5.2.0\|>=5.2.0,<5.3.0\|>=5.3.0,<5.4.0\|>=5.4.0,<5.4.50\|>=6.0.0,<6.1.0\|>=6.1.0,<6.2.0\|>=6.2.0,<6.3.0\|>=6.3.0,<6.4.0\|>=6.4.0,<6.4.29\|>=7.0.0,<7.1.0\|>=7.1.0,<7.2.0\|>=7.2.0,<7.3.0\|>=7.3.0,<7.3.7 |
| Bikeplan.cz (Symfony) | CVE-2024-50345 | Packagist Security Advisories | symfony/http-foundation | high | CVE-2024-50345: Open redirect via browser-sanitized URLs... | >=2.0.0,<3.0.0\|>=3.0.0,<4.0.0\|>=4.0.0,<5.0.0\|>=5.0.0,<5.1.0\|>=5.1.0,<5.2.0\|>=5.2.0,<5.3.0\|>=5.3.0,<5.4.0\|>=5.4.0,<5.4.46\|>=6.0.0,<6.1.0\|>=6.1.0,<6.2.0\|>=6.2.0,<6.3.0\|>=6.3.0,<6.4.0\|>=6.4.0,<6.4.14\|>=7.0.0,<7.1.0\|>=7.1.0,<7.1.7 |
| Bikeplan.cz (Symfony) | CVE-2020-5255 | Packagist Security Advisories | symfony/http-foundation | high | CVE-2020-5255: Prevent cache poisoning via a Response Content-Type header... | >=4.4.0,<4.4.7\|>=5.0.0,<5.0.7 |
| Bikeplan.cz (Symfony) | CVE-2019-18888 | Packagist Security Advisories | symfony/http-foundation | high | CVE-2019-18888: Prevent argument injection in a MimeTypeGuesser... | >=2.0.0,<2.1.0\|>=2.1.0,<2.2.0\|>=2.2.0,<2.3.0\|>=2.3.0,<2.4.0\|>=2.4.0,<2.5.0\|>=2.5.0,<2.6.0\|>=2.6.0,<2.7.0\|>=2.7.0,<2.8.0\|>=2.8.0,<2.8.52\|>=3.0.0,<3.1.0\|>=3.1.0,<3.2.0\|>=3.2.0,<3.3.0\|>=3.3.0,<3.4.0\|>=3.4.0,<3.4.35\|>=4.0.0,<4.1.0\|>=4.1.0,<4.2.0\|>=4.2.0,<4.2.12\|>=4.3.0,<4.3.8 |
| Bikeplan.cz (Symfony) | CVE-2019-10913 | Packagist Security Advisories | symfony/http-foundation | high | CVE-2019-10913: Reject invalid HTTP method overrides... | >=2.7.0,<2.7.51\|>=2.8.0,<2.8.50\|>=3.0.0,<3.1.0\|>=3.1.0,<3.2.0\|>=3.2.0,<3.3.0\|>=3.3.0,<3.4.0\|>=3.4.0,<3.4.26\|>=4.0.0,<4.1.0\|>=4.1.0,<4.1.12\|>=4.2.0,<4.2.7 |
| Bikeplan.cz (Symfony) | CVE-2018-14773 | Packagist Security Advisories | symfony/http-foundation | high | CVE-2018-14773: Remove support for legacy and risky HTTP headers... | >=2.0.0,<2.1.0\|>=2.1.0,<2.2.0\|>=2.2.0,<2.3.0\|>=2.3.0,<2.4.0\|>=2.4.0,<2.5.0\|>=2.5.0,<2.6.0\|>=2.6.0,<2.7.0\|>=2.7.0,<2.7.49\|>=2.8.0,<2.8.44\|>=3.0.0,<3.1.0\|>=3.1.0,<3.2.0\|>=3.2.0,<3.3.0\|>=3.3.0,<3.3.18\|>=3.4.0,<3.4.14\|>=4.0.0,<4.0.14\|>=4.1.0,<4.1.3 |
| Bikeplan.cz (Symfony) | CVE-2018-11386 | Packagist Security Advisories | symfony/http-foundation | high | CVE-2018-11386: Denial of service when using PDOSessionHandler... | >=2.0.0,<2.1.0\|>=2.1.0,<2.2.0\|>=2.2.0,<2.3.0\|>=2.3.0,<2.4.0\|>=2.4.0,<2.5.0\|>=2.5.0,<2.6.0\|>=2.6.0,<2.7.0\|>=2.7.0,<2.7.48\|>=2.8.0,<2.8.41\|>=3.0.0,<3.1.0\|>=3.1.0,<3.2.0\|>=3.2.0,<3.3.0\|>=3.3.0,<3.3.17\|>=3.4.0,<3.4.11\|>=4.0.0,<4.0.11 |
| Bikeplan.cz (Symfony) | CVE-2015-2309 | Packagist Security Advisories | symfony/http-foundation | high | Unsafe methods in the Request class... | >=2.0.0,<2.1.0\|>=2.1.0,<2.2.0\|>=2.2.0,<2.3.0\|>=2.3.0,<2.3.27\|>=2.4.0,<2.5.0\|>=2.5.0,<2.5.11\|>=2.6.0,<2.6.6 |
| Bikeplan.cz (Symfony) | CVE-2014-6061 | Packagist Security Advisories | symfony/http-foundation | high | Security issue when parsing the Authorization header... | >=2.0.0,<2.1.0\|>=2.1.0,<2.2.0\|>=2.2.0,<2.3.0\|>=2.3.0,<2.3.19\|>=2.4.0,<2.4.9\|>=2.5.0,<2.5.4 |
| Bikeplan.cz (Symfony) | CVE-2014-5244 | Packagist Security Advisories | symfony/http-foundation | high | Denial of service with a malicious HTTP Host header... | >=2.0.0,<2.1.0\|>=2.1.0,<2.2.0\|>=2.2.0,<2.3.0\|>=2.3.0,<2.3.19\|>=2.4.0,<2.4.9\|>=2.5.0,<2.5.4 |
| Bikeplan.cz (Symfony) | CVE-2013-4752 | Packagist Security Advisories | symfony/http-foundation | high | Request::getHost() poisoning... | >=2.0.0,<2.0.24\|>=2.1.0,<2.1.12\|>=2.2.0,<2.2.5\|>=2.3.0,<2.3.3 |
| Bikeplan.cz (Symfony) | CVE-2012-6431 | Packagist Security Advisories | symfony/http-foundation | high | Routes behind a firewall are accessible even when not logged in... | >=2.0.0,<2.0.19 |
| Bikeplan.cz (Symfony) | CVE-2026-45075 | Packagist Security Advisories | symfony/http-kernel | high | CVE-2026-45075: HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / ... | >=7.4.0,<7.4.12\|>=8.0.0,<8.0.12 |
| Bikeplan.cz (Symfony) | CVE-2022-24894 | Packagist Security Advisories | symfony/http-kernel | high | CVE-2022-24894: Prevent storing cookie headers in HttpCache... | >=2.0.0,<2.1.0\|>=2.1.0,<2.2.0\|>=2.2.0,<2.3.0\|>=2.3.0,<2.4.0\|>=2.4.0,<2.5.0\|>=2.5.0,<2.6.0\|>=2.6.0,<2.7.0\|>=2.7.0,<2.8.0\|>=2.8.0,<3.0.0\|>=3.0.0,<3.1.0\|>=3.1.0,<3.2.0\|>=3.2.0,<3.3.0\|>=3.3.0,<3.4.0\|>=3.4.0,<4.0.0\|>=4.0.0,<4.1.0\|>=4.1.0,<4.2.0\|>=4.2.0,<4.3.0\|>=4.3.0,<4.4.0\|>=4.4.0,<4.4.50\|>=5.0.0,<5.1.0\|>=5.1.0,<5.2.0\|>=5.2.0,<5.3.0\|>=5.3.0,<5.4.0\|>=5.4.0,<5.4.20\|>=6.0.0,<6.0.20\|>=6.1.0,<6.1.12\|>=6.2.0,<6.2.6 |
| Bikeplan.cz (Symfony) | CVE-2021-41267 | Packagist Security Advisories | symfony/http-kernel | high | CVE-2021-41267: Webcache Poisoning via X-Forwarded-Prefix and sub-request... | >=5.2.0,<5.3.0\|>=5.3.0,<5.3.12 |
| Bikeplan.cz (Symfony) | CVE-2020-15094 | Packagist Security Advisories | symfony/http-kernel | high | CVE-2020-15094: Prevent RCE when calling untrusted remote with CachingHttpClient... | >=4.3.0,<4.4.0\|>=4.4.0,<4.4.13\|>=5.0.0,<5.1.0\|>=5.1.0,<5.1.5 |
| Bikeplan.cz (Symfony) | CVE-2019-18887 | Packagist Security Advisories | symfony/http-kernel | high | CVE-2019-18887: Use constant time comparison in UriSigner... | >=2.2.0,<2.3.0\|>=2.3.0,<2.4.0\|>=2.4.0,<2.5.0\|>=2.5.0,<2.6.0\|>=2.6.0,<2.7.0\|>=2.7.0,<2.8.0\|>=2.8.0,<2.8.52\|>=3.0.0,<3.1.0\|>=3.1.0,<3.2.0\|>=3.2.0,<3.3.0\|>=3.3.0,<3.4.0\|>=3.4.0,<3.4.35\|>=4.0.0,<4.1.0\|>=4.1.0,<4.2.0\|>=4.2.0,<4.2.12\|>=4.3.0,<4.3.8 |
| Bikeplan.cz (Symfony) | CVE-2015-4050 | Packagist Security Advisories | symfony/http-kernel | high | CVE-2015-4050: ESI unauthorized access... | >=2.3.19,<2.3.29\|>=2.4.9,<2.5.0\|>=2.5.4,<2.5.12\|>=2.6.0,<2.6.8 |
| Bikeplan.cz (Symfony) | CVE-2015-2308 | Packagist Security Advisories | symfony/http-kernel | high | ESI code injection... | >=2.0.0,<2.1.0\|>=2.1.0,<2.2.0\|>=2.2.0,<2.3.0\|>=2.3.0,<2.3.27\|>=2.4.0,<2.5.0\|>=2.5.0,<2.5.11\|>=2.6.0,<2.6.6 |
| Bikeplan.cz (Symfony) | CVE-2014-5245 | Packagist Security Advisories | symfony/http-kernel | high | Direct access of ESI URLs behind a trusted proxy... | >=2.0.0,<2.1.0\|>=2.1.0,<2.2.0\|>=2.2.0,<2.3.0\|>=2.3.0,<2.3.19\|>=2.4.0,<2.4.9\|>=2.5.0,<2.5.4 |
| Bikeplan.cz (Symfony) | CVE-2017-16654 | Packagist Security Advisories | symfony/intl | high | CVE-2017-16654: Intl bundle readers breaking out of paths... | >=2.7.0,<2.7.38\|>=2.8.0,<2.8.31\|>=3.0.0,<3.1.0\|>=3.1.0,<3.2.0\|>=3.2.0,<3.2.14\|>=3.3.0,<3.3.13 |
| Bikeplan.cz (Symfony) | CVE-2026-45068 | Packagist Security Advisories | symfony/mailer | high | CVE-2026-45068: Argument Injection in SendmailTransport via Dash-Prefixed Recipi... | >=2.0.0,<3.0.0\|>=3.0.0,<4.0.0\|>=4.0.0,<5.0.0\|>=5.0.0,<5.1.0\|>=5.1.0,<5.2.0\|>=5.2.0,<5.3.0\|>=5.3.0,<5.4.0\|>=5.4.0,<5.4.52\|>=6.0.0,<6.1.0\|>=6.1.0,<6.2.0\|>=6.2.0,<6.3.0\|>=6.3.0,<6.4.0\|>=6.4.0,<6.4.40\|>=7.0.0,<7.1.0\|>=7.1.0,<7.2.0\|>=7.2.0,<7.3.0\|>=7.3.0,<7.4.0\|>=7.4.0,<7.4.12\|>=8.0.0,<8.0.12 |
| Bikeplan.cz (Symfony) | CVE-2026-45070 | Packagist Security Advisories | symfony/mime | high | CVE-2026-45070: Email Header Injection via Non-Token Characters in Mime Paramete... | >=2.0.0,<3.0.0\|>=3.0.0,<4.0.0\|>=4.0.0,<5.0.0\|>=5.0.0,<5.1.0\|>=5.1.0,<5.2.0\|>=5.2.0,<5.3.0\|>=5.3.0,<5.4.0\|>=5.4.0,<5.4.52\|>=6.0.0,<6.1.0\|>=6.1.0,<6.2.0\|>=6.2.0,<6.3.0\|>=6.3.0,<6.4.0\|>=6.4.0,<6.4.40\|>=7.0.0,<7.1.0\|>=7.1.0,<7.2.0\|>=7.2.0,<7.3.0\|>=7.3.0,<7.4.0\|>=7.4.0,<7.4.12\|>=8.0.0,<8.0.12 |
| Bikeplan.cz (Symfony) | CVE-2026-45067 | Packagist Security Advisories | symfony/mime | high | CVE-2026-45067: Email Header / SMTP Command Injection via CRLF in Symfony\Compon... | >=2.0.0,<3.0.0\|>=3.0.0,<4.0.0\|>=4.0.0,<5.0.0\|>=5.0.0,<5.1.0\|>=5.1.0,<5.2.0\|>=5.2.0,<5.3.0\|>=5.3.0,<5.4.0\|>=5.4.0,<5.4.52\|>=6.0.0,<6.1.0\|>=6.1.0,<6.2.0\|>=6.2.0,<6.3.0\|>=6.3.0,<6.4.0\|>=6.4.0,<6.4.40\|>=7.0.0,<7.1.0\|>=7.1.0,<7.2.0\|>=7.2.0,<7.3.0\|>=7.3.0,<7.4.0\|>=7.4.0,<7.4.12\|>=8.0.0,<8.0.12 |
| Bikeplan.cz (Symfony) | CVE-2019-18888 | Packagist Security Advisories | symfony/mime | high | CVE-2019-18888: Prevent argument injection in a MimeTypeGuesser... | >=4.3.0,<4.3.8 |
| Bikeplan.cz (Symfony) | CVE-2026-45077 | Packagist Security Advisories | symfony/monolog-bridge | high | CVE-2026-45077: Unauthenticated PHP Object Deserialization in MonologBridge serv... | >=2.0.0,<3.0.0\|>=3.0.0,<4.0.0\|>=4.0.0,<5.0.0\|>=5.0.0,<5.1.0\|>=5.1.0,<5.2.0\|>=5.2.0,<5.3.0\|>=5.3.0,<5.4.0\|>=5.4.0,<5.4.52\|>=6.0.0,<6.1.0\|>=6.1.0,<6.2.0\|>=6.2.0,<6.3.0\|>=6.3.0,<6.4.0\|>=6.4.0,<6.4.40\|>=7.0.0,<7.1.0\|>=7.1.0,<7.2.0\|>=7.2.0,<7.3.0\|>=7.3.0,<7.4.0\|>=7.4.0,<7.4.12\|>=8.0.0,<8.0.12 |
| Bikeplan.cz (Symfony) | CVE-2026-46644 | Packagist Security Advisories | symfony/polyfill-intl-idn | high | CVE-2026-46644: symfony/polyfill-intl-idn accepts xn-- labels whose Punycode pay... | >=1.17.1,<1.38.1 |
| Bikeplan.cz (Symfony) | CVE-2026-24739 | Packagist Security Advisories | symfony/process | high | Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructi... | >=8.0,<8.0.5\|>=7.4,<7.4.5\|>=7.3,<7.3.11\|>=6.4,<6.4.33\|<5.4.51 |
| Bikeplan.cz (Symfony) | CVE-2024-51736 | Packagist Security Advisories | symfony/process | high | CVE-2024-51736: Command execution hijack on Windows with Process class... | >=2.0.0,<3.0.0\|>=3.0.0,<4.0.0\|>=4.0.0,<5.0.0\|>=5.0.0,<5.1.0\|>=5.1.0,<5.2.0\|>=5.2.0,<5.3.0\|>=5.3.0,<5.4.0\|>=5.4.0,<5.4.46\|>=6.0.0,<6.1.0\|>=6.1.0,<6.2.0\|>=6.2.0,<6.3.0\|>=6.3.0,<6.4.0\|>=6.4.0,<6.4.14\|>=7.0.0,<7.1.0\|>=7.1.0,<7.1.7 |
| Bikeplan.cz (Symfony) | CVE-2026-48784 | Packagist Security Advisories | symfony/routing | high | CVE-2026-48784: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../... | >=2.0.0,<3.0.0\|>=3.0.0,<4.0.0\|>=4.0.0,<5.0.0\|>=5.0.0,<5.1.0\|>=5.1.0,<5.2.0\|>=5.2.0,<5.3.0\|>=5.3.0,<5.4.0\|>=5.4.0,<5.4.53\|>=6.0.0,<6.1.0\|>=6.1.0,<6.2.0\|>=6.2.0,<6.3.0\|>=6.3.0,<6.4.0\|>=6.4.0,<6.4.41\|>=7.0.0,<7.1.0\|>=7.1.0,<7.2.0\|>=7.2.0,<7.3.0\|>=7.3.0,<7.4.0\|>=7.4.0,<7.4.13\|>=8.0.0,<8.0.13 |
| Bikeplan.cz (Symfony) | CVE-2026-45065 | Packagist Security Advisories | symfony/routing | high | CVE-2026-45065: UrlGenerator Route-Requirement Bypass via Unanchored Regex Alter... | >=2.0.0,<3.0.0\|>=3.0.0,<4.0.0\|>=4.0.0,<5.0.0\|>=5.0.0,<5.1.0\|>=5.1.0,<5.2.0\|>=5.2.0,<5.3.0\|>=5.3.0,<5.4.0\|>=5.4.0,<5.4.52\|>=6.0.0,<6.1.0\|>=6.1.0,<6.2.0\|>=6.2.0,<6.3.0\|>=6.3.0,<6.4.0\|>=6.4.0,<6.4.40\|>=7.0.0,<7.1.0\|>=7.1.0,<7.2.0\|>=7.2.0,<7.3.0\|>=7.3.0,<7.4.0\|>=7.4.0,<7.4.12\|>=8.0.0,<8.0.12 |
| Bikeplan.cz (Symfony) | CVE-2012-6431 | Packagist Security Advisories | symfony/routing | high | Routes behind a firewall are accessible even when not logged in... | >=2.0.0,<2.0.19 |
| Bikeplan.cz (Symfony) | CVE-2024-50341 | Packagist Security Advisories | symfony/security-bundle | high | CVE-2024-50341: Security::login does not take into account custom user_checker... | >=6.2.0,<6.3.0\|>=6.3.0,<6.4.0\|>=6.4.0,<6.4.10\|>=7.0.0,<7.0.10\|>=7.1.0,<7.1.3 |
| Bikeplan.cz (Symfony) | CVE-2022-24895 | Packagist Security Advisories | symfony/security-bundle | high | CVE-2022-24895: Possible CSRF token fixation... | >=2.0.0,<2.1.0\|>=2.1.0,<2.2.0\|>=2.2.0,<2.3.0\|>=2.3.0,<2.4.0\|>=2.4.0,<2.5.0\|>=2.5.0,<2.6.0\|>=2.6.0,<2.7.0\|>=2.7.0,<2.8.0\|>=2.8.0,<3.0.0\|>=3.0.0,<3.1.0\|>=3.1.0,<3.2.0\|>=3.2.0,<3.3.0\|>=3.3.0,<3.4.0\|>=3.4.0,<4.0.0\|>=4.0.0,<4.1.0\|>=4.1.0,<4.2.0\|>=4.2.0,<4.3.0\|>=4.3.0,<4.4.0\|>=4.4.0,<4.4.50\|>=5.0.0,<5.1.0\|>=5.1.0,<5.2.0\|>=5.2.0,<5.3.0\|>=5.3.0,<5.4.0\|>=5.4.0,<5.4.20\|>=6.0.0,<6.0.20\|>=6.1.0,<6.1.12\|>=6.2.0,<6.2.6 |
| Bikeplan.cz (Symfony) | CVE-2021-41268 | Packagist Security Advisories | symfony/security-bundle | high | CVE-2021-41268: Remember me cookie persistence after password changes... | >=5.3.0,<5.3.12 |
| Bikeplan.cz (Symfony) | CVE-2018-11406 | Packagist Security Advisories | symfony/security-bundle | high | CVE-2018-11406: CSRF Token Fixation... | >=2.0.0,<2.1.0\|>=2.1.0,<2.2.0\|>=2.2.0,<2.3.0\|>=2.3.0,<2.4.0\|>=2.4.0,<2.5.0\|>=2.5.0,<2.6.0\|>=2.6.0,<2.7.0\|>=2.7.0,<2.7.48\|>=2.8.0,<2.8.41\|>=3.0.0,<3.1.0\|>=3.1.0,<3.2.0\|>=3.2.0,<3.3.0\|>=3.3.0,<3.3.17\|>=3.4.0,<3.4.11\|>=4.0.0,<4.0.11 |
| Bikeplan.cz (Symfony) | CVE-2018-11408 | Packagist Security Advisories | symfony/security-bundle | high | CVE-2018-11408: Open redirect vulnerability on security handlers... | >=2.7.38,<2.7.48\|>=2.8.0,<2.8.41\|>=3.0.0,<3.1.0\|>=3.1.0,<3.2.0\|>=3.2.0,<3.3.0\|>=3.3.0,<3.3.17\|>=3.4.0,<3.4.11\|>=4.0.0,<4.0.11 |
| Bikeplan.cz (Symfony) | CVE-2021-21424 | Packagist Security Advisories | symfony/security-core | high | CVE-2021-21424: Prevent user enumeration via response content in authentication ... | >=2.8.0,<3.0.0\|>=3.0.0,<3.1.0\|>=3.1.0,<3.2.0\|>=3.2.0,<3.3.0\|>=3.3.0,<3.4.0\|>=3.4.0,<3.4.49\|>=4.0.0,<4.1.0\|>=4.1.0,<4.2.0\|>=4.2.0,<4.3.0\|>=4.3.0,<4.4.0\|>=4.4.0,<4.4.24\|>=5.0.0,<5.1.0\|>=5.1.0,<5.2.0\|>=5.2.0,<5.2.9 |
| Bikeplan.cz (Symfony) | CVE-2018-11407 | Packagist Security Advisories | symfony/security-core | high | CVE-2018-11407: Unauthorized access on a misconfigured LDAP server when using an... | |
>=2.8.0,<2.8.37|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.3.17|>=3.4.0,<3.4.7|>=4.0.0,<4.0.7 |
| Bikeplan.cz (Symfony) |
CVE-2017-11365 |
Packagist Security Advisories |
|
symfony/security-core |
high |
CVE-2017-11365: Empty passwords validation issue... |
>=2.7.30,<2.7.32|>=2.8.23,<2.8.25|>=3.2.10,<3.2.12|>=3.3.3,<3.3.5 |
| Bikeplan.cz (Symfony) |
CVE-2016-2403 |
Packagist Security Advisories |
|
symfony/security-core |
high |
CVE-2016-2403: Unauthorized access on a misconfigured Ldap server when using an ... |
>=2.8.0,<2.8.6|>=3.0.0,<3.0.6 |
| Bikeplan.cz (Symfony) |
CVE-2016-1902 |
Packagist Security Advisories |
|
symfony/security-core |
high |
CVE-2016-1902: SecureRandom's fallback not secure when OpenSSL fails ... |
>=2.4.0,<2.5.0|>=2.5.0,<2.6.0|>=2.6.0,<2.6.13|>=2.7.0,<2.7.9 |
| Bikeplan.cz (Symfony) |
CVE-2018-11406 |
Packagist Security Advisories |
|
symfony/security-csrf |
high |
CVE-2018-11406: CSRF Token Fixation... |
>=2.4.0,<2.7.48|>=2.5.0,<2.7.48|>=2.6.0,<2.7.48|>=2.7.0,<2.7.48|>=2.8.0,<2.8.41|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.3.17|>=3.4.0,<3.4.11|>=4.0.0,<4.0.11 |
| Bikeplan.cz (Symfony) |
CVE-2017-16653 |
Packagist Security Advisories |
|
symfony/security-csrf |
high |
CVE-2017-16653: CSRF protection does not use different tokens for HTTP and HTTPS... |
>=2.7.0,<2.7.38|>=2.8.0,<2.8.31|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.2.14|>=3.3.0,<3.3.13 |
| Bikeplan.cz (Symfony) |
CVE-2026-48489 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2026-48489: Security Firewall Bypass via failure_forward Subrequest: Unauthe... |
>=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.53|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.41|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.13|>=8.0.0,<8.0.13 |
| Bikeplan.cz (Symfony) |
CVE-2026-45069 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2026-45069: OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims... |
>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12 |
| Bikeplan.cz (Symfony) |
CVE-2026-45063 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2026-45063: Identity Spoofing via Unanchored DN Regex in X509Authenticator... |
>=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12 |
| Bikeplan.cz (Symfony) |
CVE-2026-45074 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2026-45074: Cas2Handler Derives CAS service URL from Client Host Header → Cr... |
>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12 |
| Bikeplan.cz (Symfony) |
CVE-2026-45075 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2026-45075: HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / ... |
>=7.4.0,<7.4.12|>=8.0.0,<8.0.12 |
| Bikeplan.cz (Symfony) |
CVE-2024-51996 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2024-51996: Authentication Bypass via persisted RememberMe cookie... |
>=5.3.0,<5.4.0|>=5.4.0,<5.4.47|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.15|>=7.0.0,<7.1.0|>=7.1.0,<7.1.8 |
| Bikeplan.cz (Symfony) |
CVE-2023-46733 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2023-46733: Possible session fixation... |
>=5.4.0,<5.4.31|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.3.8 |
| Bikeplan.cz (Symfony) |
CVE-2021-32693 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2021-32693: Authentication granted to all firewalls instead of just one... |
>=5.3.0,<5.3.2 |
| Bikeplan.cz (Symfony) |
CVE-2021-21424 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2021-21424: Prevent user enumeration via response content in authentication ... |
>=5.1.0,<5.2.0|>=5.2.0,<5.2.8 |
| Bikeplan.cz (Symfony) |
CVE-2020-5275 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2020-5275: All rules set in "access_control" are required when the firewall ... |
>=4.4.0,<4.4.7|>=5.0.0,<5.0.7 |
| Bikeplan.cz (Symfony) |
CVE-2019-18886 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2019-18886: Prevent user enumeration using switch user functionality... |
>=4.1.0,<4.2.0|>=4.2.0,<4.2.12|>=4.3.0,<4.3.8 |
| Bikeplan.cz (Symfony) |
CVE-2019-10911 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2019-10911: Add a separator in the remember me cookie hash... |
>=2.7.0,<2.7.51|>=2.8.0,<2.8.50|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.4.0|>=3.4.0,<3.4.26|>=4.0.0,<4.1.0|>=4.1.0,<4.1.12|>=4.2.0,<4.2.7 |
| Bikeplan.cz (Symfony) |
CVE-2018-19790 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2018-19790: Open Redirect Vulnerability on login... |
>=2.7.38,<2.7.50|>=2.8.0,<2.8.49|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.4.0|>=3.4.0,<3.4.20|>=4.0.0,<4.0.15|>=4.1.0,<4.1.9|>=4.2.0,<4.2.1 |
| Bikeplan.cz (Symfony) |
CVE-2018-11406 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2018-11406: CSRF Token Fixation... |
>=2.4.0,<2.7.48|>=2.5.0,<2.7.48|>=2.6.0,<2.7.48|>=2.7.0,<2.7.48|>=2.8.0,<2.8.41|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.3.17|>=3.4.0,<3.4.11|>=4.0.0,<4.0.11 |
| Bikeplan.cz (Symfony) |
CVE-2018-11385 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2018-11385: Session Fixation Issue for Guard Authentication... |
>=2.4.0,<2.7.48|>=2.5.0,<2.7.48|>=2.6.0,<2.7.48|>=2.7.0,<2.7.48|>=2.8.0,<2.8.41|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.3.17|>=3.4.0,<3.4.11|>=4.0.0,<4.0.11 |
| Bikeplan.cz (Symfony) |
CVE-2017-16652 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2017-16652: Open redirect vulnerability on security handlers... |
>=2.7.0,<2.7.38|>=2.8.0,<2.8.31|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.2.14|>=3.3.0,<3.3.13 |
| Bikeplan.cz (Symfony) |
CVE-2016-4423 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2016-4423: Large username storage in session... |
>=2.3.0,<2.3.41|>=2.4.0,<2.5.0|>=2.5.0,<2.6.0|>=2.6.0,<2.7.0|>=2.7.0,<2.7.13|>=2.8.0,<2.8.6|>=3.0.0,<3.0.6 |
| Bikeplan.cz (Symfony) |
CVE-2015-8124 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2015-8124: Session Fixation in the "Remember Me" Login Feature... |
>=2.4.0,<2.5.0|>=2.5.0,<2.6.0|>=2.6.0,<2.6.12|>=2.7.0,<2.7.7 |
| Bikeplan.cz (Symfony) |
CVE-2015-8125 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2015-8125: Potential Remote Timing Attack Vulnerability in Security Remember... |
>=2.4.0,<2.5.0|>=2.5.0,<2.6.0|>=2.6.0,<2.6.12|>=2.7.0,<2.7.7 |
| Bikeplan.cz (Symfony) |
CVE-2021-41270 |
Packagist Security Advisories |
|
symfony/serializer |
high |
CVE-2021-41270: Prevent CSV Injection via formulas... |
>=4.1.0,<4.2.0|>=4.2.0,<4.3.0|>=4.3.0,<4.4.0|>=4.4.0,<4.4.35|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.3.12 |
| Bikeplan.cz (Symfony) |
CVE-2026-45072 |
Packagist Security Advisories |
|
symfony/twig-bridge |
high |
CVE-2026-45072: Stored XSS in WebProfiler CodeExtension::fileExcerpt(): Unescape... |
>=6.4.24,<6.4.40 |
| Bikeplan.cz (Symfony) |
CVE-2023-46734 |
Packagist Security Advisories |
|
symfony/twig-bridge |
high |
CVE-2023-46734: Potential XSS vulnerabilities in CodeExtension filters... |
>=2.0.0,<2.1.0|>=2.1.0,<2.2.0|>=2.2.0,<2.3.0|>=2.3.0,<2.4.0|>=2.4.0,<2.5.0|>=2.5.0,<2.6.0|>=2.6.0,<2.7.0|>=2.7.0,<2.8.0|>=2.8.0,<3.0.0|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.4.0|>=3.4.0,<4.0.0|>=4.0.0,<4.1.0|>=4.1.0,<4.2.0|>=4.2.0,<4.3.0|>=4.3.0,<4.4.0|>=4.4.0,<4.4.51|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.31|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.3.8 |
| Bikeplan.cz (Symfony) |
CVE-2024-50343 |
Packagist Security Advisories |
|
symfony/validator |
high |
CVE-2024-50343: Incorrect response from Validator when input ends with `
`... |
>=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.43|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.11|>=7.0.0,<7.1.0|>=7.1.0,<7.1.4 |
| Bikeplan.cz (Symfony) |
CVE-2013-4751 |
Packagist Security Advisories |
|
symfony/validator |
high |
Validation metadata serialization and loss of information... |
>=2.0.0,<2.0.24|>=2.1.0,<2.1.12|>=2.2.0,<2.2.5|>=2.3.0,<2.3.3 |
| Bikeplan.cz (Symfony) |
CVE-2019-11325 |
Packagist Security Advisories |
|
symfony/var-exporter |
high |
CVE-2019-11325: Fix escaping of strings in VarExporter... |
>=4.2.0,<4.2.12|>=4.3.0,<4.3.8 |
| Bikeplan.cz (Symfony) |
CVE-2026-45304 |
Packagist Security Advisories |
|
symfony/yaml |
high |
CVE-2026-45304: YAML Parser Exponential Memory Allocation via Recursive Collecti... |
>=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12 |
| Bikeplan.cz (Symfony) |
CVE-2026-45305 |
Packagist Security Advisories |
|
symfony/yaml |
high |
CVE-2026-45305: YAML Parser ReDoS via Catastrophic Backtracking in Parser::clean... |
>=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12 |
| Bikeplan.cz (Symfony) |
CVE-2026-45133 |
Packagist Security Advisories |
|
symfony/yaml |
high |
CVE-2026-45133: YAML Parser Stack Exhaustion via Unbounded Recursion in Nested B... |
>=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12 |
| Bikeplan.cz (Symfony) |
CVE-2013-1397 |
Packagist Security Advisories |
|
symfony/yaml |
high |
Ability to enable/disable object support in YAML parsing and dumping... |
>=2.0.0,<2.0.22|>=2.1.0,<2.1.7 |
| Bikeplan.cz (Symfony) |
CVE-2013-1348 |
Packagist Security Advisories |
|
symfony/yaml |
high |
Ability to enable/disable PHP parsing in Yaml::parse()... |
>=2.0.0,<2.0.22 |
| Bikeplan.cz (Symfony) |
CVE-2026-48808 |
Packagist Security Advisories |
|
twig/twig |
high |
Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInt... |
>=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.27.0 |
| Bikeplan.cz (Symfony) |
CVE-2026-48805 |
Packagist Security Advisories |
|
twig/twig |
high |
Sandbox state regression in deprecated internal wrappers in `src/Resources/core.... |
>=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.27.0 |
| Bikeplan.cz (Symfony) |
CVE-2026-46636 |
Packagist Security Advisories |
|
twig/twig |
high |
Sandbox filter, tag and function allow-list bypass when sandbox state changes be... |
>=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.27.0 |
| Bikeplan.cz (Symfony) |
CVE-2026-48806 |
Packagist Security Advisories |
|
twig/twig |
high |
Sandbox `__toString()` policy bypass via dynamic mapping keys... |
>=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.27.0 |
| Bikeplan.cz (Symfony) |
CVE-2026-48807 |
Packagist Security Advisories |
|
twig/twig |
high |
Sandbox `__toString()` policy bypass via `Traversable` in `join`/`replace` and `... |
>=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.27.0 |
| Bikeplan.cz (Symfony) |
CVE-2026-46640 |
Packagist Security Advisories |
|
twig/twig |
high |
Arbitrary PHP code execution via `_self.(<string>)` macro-reference compilation... |
>=3.15.0,<3.26.0 |
| Bikeplan.cz (Symfony) |
CVE-2026-46628 |
Packagist Security Advisories |
|
twig/twig |
high |
The `spaceless` filter implicitly marks its output as safe... |
>=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0 |
| Bikeplan.cz (Symfony) |
CVE-2026-46633 |
Packagist Security Advisories |
|
twig/twig |
high |
PHP code injection via `{% use %}` template name... |
>=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0 |
| Bikeplan.cz (Symfony) |
CVE-2026-47730 |
Packagist Security Advisories |
|
twig/twig |
high |
XSS in profiler HtmlDumper via unescaped template and profile names... |
>=3.0.0,<3.26.0 |
| Bikeplan.cz (Symfony) |
CVE-2026-46639 |
Packagist Security Advisories |
|
twig/twig |
high |
Sandbox property and method bypass via object-destructuring assignment... |
>=3.24.0,<3.26.0 |
| Bikeplan.cz (Symfony) |
CVE-2026-46627 |
Packagist Security Advisories |
|
twig/twig |
high |
Sandbox does not protect against resource exhaustion... |
>=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0 |
| Bikeplan.cz (Symfony) |
CVE-2026-46635 |
Packagist Security Advisories |
|
twig/twig |
high |
Sandbox property allowlist bypass via the `column` filter (array_column on objec... |
>=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0 |
| Bikeplan.cz (Symfony) |
CVE-2026-46638 |
Packagist Security Advisories |
|
twig/twig |
high |
`{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomple... |
>=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0 |
| Bikeplan.cz (Symfony) |
CVE-2026-24425 |
Packagist Security Advisories |
|
twig/twig |
high |
Possible sandbox bypass when using a source policy... |
>=2.16.0,<3.0.0|>=3.9.0,<3.26.0 |
| Bikeplan.cz (Symfony) |
CVE-2026-47732 |
Packagist Security Advisories |
|
twig/twig |
high |
Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion p... |
>=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0 |
| Bikeplan.cz (Symfony) |
CVE-2026-46634 |
Packagist Security Advisories |
|
twig/twig |
high |
`template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized t... |
>=3.9.0,<3.26.0 |
| Bikeplan.cz (Symfony) |
CVE-2025-24374 |
Packagist Security Advisories |
|
twig/twig |
high |
Missing output escaping for the null coalesce operator... |
>=3.16.0,<3.19.0 |
| Bikeplan.cz (Symfony) |
CVE-2024-51754 |
Packagist Security Advisories |
|
twig/twig |
high |
Unguarded calls to __toString() when nesting an object into an array... |
>=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.11.2|>=3.12.0,<3.14.1 |
| Bikeplan.cz (Symfony) |
CVE-2024-51755 |
Packagist Security Advisories |
|
twig/twig |
high |
Unguarded calls to __isset() and to array-accesses when the sandbox is enabled... |
>=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.11.2|>=3.12.0,<3.14.1 |
| Bikeplan.cz (Symfony) |
CVE-2024-45411 |
Packagist Security Advisories |
|
twig/twig |
high |
Possible sandbox bypass... |
>=1.0.0,<1.44.7|>=2.0.0,<2.16.0|>=3.0.0,<3.11.0|>=3.12.0,<3.14.0 |
| Bikeplan.cz (Symfony) |
CVE-2022-39261 |
Packagist Security Advisories |
|
twig/twig |
high |
Possibility to load a template outside a configured directory when using the fil... |
>=1.0.0,<1.44.7|>=2.0.0,<2.15.3|>=3.0.0,<3.4.3 |
| Bikeplan.cz (Symfony) |
CVE-2022-23614 |
Packagist Security Advisories |
|
twig/twig |
high |
Disallow non closures in the sort filter... |
>=2.0.0,<2.14.11|>=3.0.0,<3.3.8 |
| Bikeplan.cz (Symfony) |
CVE-2019-9942 |
Packagist Security Advisories |
|
twig/twig |
high |
Sandbox Information Disclosure... |
<1.38.0|>=2.0.0,<2.7.0 |
| Bikeplan.cz (Symfony) |
CVE-2015-7809 |
Packagist Security Advisories |
|
twig/twig |
high |
Remote code execution in templates... |
<1.20.0 |
| Bikeplan.cz (Symfony) |
CVE-2026-45071 |
Packagist Security Advisories |
|
symfony/dom-crawler |
high |
CVE-2026-45071: XXE (Local File Disclosure) in DomCrawler::addXmlContent() via v... |
>=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12 |
| Bikeplan.cz (Symfony) |
CVE-2021-21424 |
Packagist Security Advisories |
|
symfony/maker-bundle |
high |
CVE-2021-21424: Prevent user enumeration via response content in authentication ... |
>=1.27.0,<1.28.0|>=1.28.0,<1.29.0|>=1.29.0,<1.29.2|>=1.30.0,<1.31.0|>=1.31.0,<1.31.1 |
| Bikeplan.cz (Symfony) |
CVE-2019-10912 |
Packagist Security Advisories |
|
symfony/phpunit-bridge |
high |
CVE-2019-10912: Prevent destructors with side-effects from being unserialized... |
>=2.8.0,<2.8.50|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.4.0|>=3.4.0,<3.4.26|>=4.0.0,<4.1.0|>=4.1.0,<4.1.12|>=4.2.0,<4.2.7 |
| Bikeplan.cz (Symfony) |
CVE-2026-45072 |
Packagist Security Advisories |
|
symfony/web-profiler-bundle |
high |
CVE-2026-45072: Stored XSS in WebProfiler CodeExtension::fileExcerpt(): Unescape... |
>=7.2.9,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12 |
| Bikeplan.cz (Symfony) |
CVE-2014-6072 |
Packagist Security Advisories |
|
symfony/web-profiler-bundle |
high |
CSRF vulnerability in the Web Profiler... |
>=2.0.0,<2.1.0|>=2.1.0,<2.2.0|>=2.2.0,<2.3.0|>=2.3.0,<2.3.19|>=2.4.0,<2.4.9|>=2.5.0,<2.5.4 |
| Bikeplan.cz (Symfony) |
CVE-2026-5773 |
Trivy image |
debian |
curl |
high |
curl: libcurl: Wrong file transfer due to incorrect SMB connection reuse... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-6276 |
Trivy image |
debian |
curl |
high |
curl: libcurl: Information disclosure due to cookie leak when reusing connection... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-5773 |
Trivy image |
debian |
libcurl4t64 |
high |
curl: libcurl: Wrong file transfer due to incorrect SMB connection reuse... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-6276 |
Trivy image |
debian |
libcurl4t64 |
high |
curl: libcurl: Information disclosure due to cookie leak when reusing connection... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-42497 |
Trivy image |
debian |
libperl5.40 |
high |
Archive::Tar versions before 3.08 for Perl extract hardlinks to attack ...... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-48959 |
Trivy image |
debian |
libperl5.40 |
high |
IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaust ...... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-48962 |
Trivy image |
debian |
libperl5.40 |
high |
perl-IO-Compress: perl-IO-Compress: Arbitrary code execution via attacker-contro... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-9538 |
Trivy image |
debian |
libperl5.40 |
high |
Archive::Tar versions before 3.10 for Perl allow memory exhaustion via ...... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-7598 |
Trivy image |
debian |
libssh2-1t64 |
high |
libssh2: integer overflow via large username or password arguments... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-45447 |
Trivy image |
debian |
libssl3t64 |
high |
[Heap Use-After-Free in the PKCS7_verify() Function]... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2025-69720 |
Trivy image |
debian |
libtinfo6 |
high |
ncurses: ncurses: Buffer overflow vulnerability may lead to arbitrary code execu... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2013-7445 |
Trivy image |
debian |
linux-libc-dev |
high |
kernel: memory exhaustion via crafted Graphics Execution Manager (GEM) objects... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2019-19449 |
Trivy image |
debian |
linux-libc-dev |
high |
kernel: mounting a crafted f2fs filesystem image can lead to slab-out-of-bounds ... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2019-19814 |
Trivy image |
debian |
linux-libc-dev |
high |
kernel: out-of-bounds write in __remove_dirty_segment in fs/f2fs/segment.c... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2021-3847 |
Trivy image |
debian |
linux-libc-dev |
high |
kernel: low-privileged user privileges escalation... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2021-3864 |
Trivy image |
debian |
linux-libc-dev |
high |
kernel: descendant's dumpable setting with certain SUID binaries... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2024-21803 |
Trivy image |
debian |
linux-libc-dev |
high |
kernel: bluetooth: use-after-free vulnerability in af_bluetooth.c... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2024-58015 |
Trivy image |
debian |
linux-libc-dev |
high |
kernel: wifi: ath12k: Fix for out-of bound access error... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2024-58093 |
Trivy image |
debian |
linux-libc-dev |
high |
kernel: Linux kernel: PCI/ASPM use-after-free during hot-unplug... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2025-22104 |
Trivy image |
debian |
linux-libc-dev |
high |
kernel: ibmvnic: Use kernel helpers for hex dumps... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2025-38137 |
Trivy image |
debian |
linux-libc-dev |
high |
kernel: PCI/pwrctrl: Cancel outstanding rescan work when unregistering... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2025-38187 |
Trivy image |
debian |
linux-libc-dev |
high |
kernel: drm/nouveau: fix a use-after-free in r535_gsp_rpc_push()... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2025-38204 |
Trivy image |
debian |
linux-libc-dev |
high |
kernel: jfs: fix array-index-out-of-bounds read in add_missing_indices... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2025-38206 |
Trivy image |
debian |
linux-libc-dev |
high |
kernel: Kernel: Double free vulnerability in exFAT filesystem can lead to denial... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2025-38421 |
Trivy image |
debian |
linux-libc-dev |
high |
kernel: platform/x86/amd: pmf: Use device managed allocations... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2025-38636 |
Trivy image |
debian |
linux-libc-dev |
high |
kernel: rv: Use strings in da monitors tracepoints... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2025-39859 |
Trivy image |
debian |
linux-libc-dev |
high |
kernel: ptp: ocp: fix use-after-free bugs causing by ptp_ocp_watchdog... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2025-39862 |
Trivy image |
debian |
linux-libc-dev |
high |
kernel: wifi: mt76: mt7915: fix list corruption after hardware restart... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2025-39958 |
Trivy image |
debian |
linux-libc-dev |
high |
kernel: iommu/s390: Make attach succeed when the device was surprise removed... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-23102 |
Trivy image |
debian |
linux-libc-dev |
high |
kernel: Linux kernel: Denial of Service due to incorrect SVE context restoration... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-23208 |
Trivy image |
debian |
linux-libc-dev |
high |
kernel: ALSA: usb-audio: Prevent excessive number of frames... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-23327 |
Trivy image |
debian |
linux-libc-dev |
high |
kernel: cxl/mbox: validate payload size before accessing contents in cxl_payload... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-31493 |
Trivy image |
debian |
linux-libc-dev |
high |
kernel: RDMA/efa: Fix use of completion ctx after free... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-31536 |
Trivy image |
debian |
linux-libc-dev |
high |
kernel: smb: server: let send_done handle a completion without IB_SEND_SIGNALED... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-31568 |
Trivy image |
debian |
linux-libc-dev |
high |
kernel: s390/mm: Add missing secure storage access fixups for donated memory... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-31663 |
Trivy image |
debian |
linux-libc-dev |
high |
kernel: xfrm: hold dev ref until after transport_finish NF_HOOK... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-31688 |
Trivy image |
debian |
linux-libc-dev |
high |
kernel: driver core: enforce device_lock for driver_match_device()... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-43198 |
Trivy image |
debian |
linux-libc-dev |
high |
kernel: tcp: fix potential race in tcp_v6_syn_recv_sock()... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-45932 |
Trivy image |
debian |
linux-libc-dev |
high |
kernel: bpf: Fix tcx/netkit detach permissions when prog fd isn't given... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-46054 |
Trivy image |
debian |
linux-libc-dev |
high |
kernel: selinux: fix overlayfs mmap() and mprotect() access checks... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-46117 |
Trivy image |
debian |
linux-libc-dev |
high |
kernel: RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-46181 |
Trivy image |
debian |
linux-libc-dev |
high |
kernel: RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-46244 |
Trivy image |
debian |
linux-libc-dev |
high |
kernel: netfilter: nft_inner: Fix IPv6 inner_thoff desync... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2025-69720 |
Trivy image |
debian |
ncurses-base |
high |
ncurses: ncurses: Buffer overflow vulnerability may lead to arbitrary code execu... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2025-69720 |
Trivy image |
debian |
ncurses-bin |
high |
ncurses: ncurses: Buffer overflow vulnerability may lead to arbitrary code execu... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-45447 |
Trivy image |
debian |
openssl |
high |
[Heap Use-After-Free in the PKCS7_verify() Function]... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-45447 |
Trivy image |
debian |
openssl-provider-legacy |
high |
[Heap Use-After-Free in the PKCS7_verify() Function]... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-42497 |
Trivy image |
debian |
perl |
high |
Archive::Tar versions before 3.08 for Perl extract hardlinks to attack ...... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-48959 |
Trivy image |
debian |
perl |
high |
IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaust ...... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-48962 |
Trivy image |
debian |
perl |
high |
perl-IO-Compress: perl-IO-Compress: Arbitrary code execution via attacker-contro... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-9538 |
Trivy image |
debian |
perl |
high |
Archive::Tar versions before 3.10 for Perl allow memory exhaustion via ...... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-42497 |
Trivy image |
debian |
perl-base |
high |
Archive::Tar versions before 3.08 for Perl extract hardlinks to attack ...... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-48959 |
Trivy image |
debian |
perl-base |
high |
IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaust ...... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-48962 |
Trivy image |
debian |
perl-base |
high |
perl-IO-Compress: perl-IO-Compress: Arbitrary code execution via attacker-contro... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-9538 |
Trivy image |
debian |
perl-base |
high |
Archive::Tar versions before 3.10 for Perl allow memory exhaustion via ...... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-42497 |
Trivy image |
debian |
perl-modules-5.40 |
high |
Archive::Tar versions before 3.08 for Perl extract hardlinks to attack ...... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-48959 |
Trivy image |
debian |
perl-modules-5.40 |
high |
IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaust ...... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-48962 |
Trivy image |
debian |
perl-modules-5.40 |
high |
perl-IO-Compress: perl-IO-Compress: Arbitrary code execution via attacker-contro... |
N/A |
| Bikeplan.cz (Symfony) |
CVE-2026-9538 |
Trivy image |
debian |
perl-modules-5.40 |
high |
Archive::Tar versions before 3.10 for Perl allow memory exhaustion via ...... |
N/A |
| Bikeplan.cz (Symfony) |
DOCKERFILE-ROOT-USER |
Dockerfile static checks |
|
dockerfile |
high |
Container runs as root user... |
N/A |
| CSAT Project (Survey Tool) |
CVE-2025-69421 |
Trivy image |
alpine |
libcrypto3 |
high |
openssl: OpenSSL: Denial of Service via malformed PKCS#12 file processing... |
3.5.5-r0 |
| CSAT Project (Survey Tool) |
CVE-2026-28387 |
Trivy image |
alpine |
libcrypto3 |
high |
openssl: OpenSSL: Arbitrary code execution due to use-after-free in DANE TLSA au... |
3.5.6-r0 |
| CSAT Project (Survey Tool) |
CVE-2026-28388 |
Trivy image |
alpine |
libcrypto3 |
high |
openssl: OpenSSL: Denial of Service due to NULL pointer dereference in delta CRL... |
3.5.6-r0 |
| CSAT Project (Survey Tool) | CVE-2026-28389 | Trivy image | alpine | libcrypto3 | high | openssl: OpenSSL: Denial of Service vulnerability in CMS processing... | 3.5.6-r0 |
| CSAT Project (Survey Tool) | CVE-2026-28390 | Trivy image | alpine | libcrypto3 | high | openssl: OpenSSL: Denial of Service due to NULL pointer dereference in CMS Envel... | 3.5.6-r0 |
| CSAT Project (Survey Tool) | CVE-2025-69421 | Trivy image | alpine | libssl3 | high | openssl: OpenSSL: Denial of Service via malformed PKCS#12 file processing... | 3.5.5-r0 |
| CSAT Project (Survey Tool) | CVE-2026-28387 | Trivy image | alpine | libssl3 | high | openssl: OpenSSL: Arbitrary code execution due to use-after-free in DANE TLSA au... | 3.5.6-r0 |
| CSAT Project (Survey Tool) | CVE-2026-28388 | Trivy image | alpine | libssl3 | high | openssl: OpenSSL: Denial of Service due to NULL pointer dereference in delta CRL... | 3.5.6-r0 |
| CSAT Project (Survey Tool) | CVE-2026-28389 | Trivy image | alpine | libssl3 | high | openssl: OpenSSL: Denial of Service vulnerability in CMS processing... | 3.5.6-r0 |
| CSAT Project (Survey Tool) | CVE-2026-28390 | Trivy image | alpine | libssl3 | high | openssl: OpenSSL: Denial of Service due to NULL pointer dereference in CMS Envel... | 3.5.6-r0 |
| CSAT Project (Survey Tool) | CVE-2026-40200 | Trivy image | alpine | musl | high | musl: musl libc: Arbitrary code execution and denial of service via stack-based ... | 1.2.5-r12 |
| CSAT Project (Survey Tool) | CVE-2026-40200 | Trivy image | alpine | musl-utils | high | musl: musl libc: Arbitrary code execution and denial of service via stack-based ... | 1.2.5-r12 |
| CSAT Project (Survey Tool) | CVE-2024-21538 | Trivy image | node-pkg | cross-spawn | high | cross-spawn: regular expression denial of service... | 7.0.5, 6.0.6 |
| CSAT Project (Survey Tool) | CVE-2025-64756 | Trivy image | node-pkg | glob | high | glob: glob: Command Injection Vulnerability via Malicious Filenames... | 11.1.0, 10.5.0 |
| CSAT Project (Survey Tool) | CVE-2026-26996 | Trivy image | node-pkg | minimatch | high | minimatch: minimatch: Denial of Service via specially crafted glob patterns... | 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 |
| CSAT Project (Survey Tool) | CVE-2026-27903 | Trivy image | node-pkg | minimatch | high | minimatch: minimatch: Denial of Service due to unbounded recursive backtracking ... | 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 |
| CSAT Project (Survey Tool) | CVE-2026-27904 | Trivy image | node-pkg | minimatch | high | minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob ex... | 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 |
| CSAT Project (Survey Tool) | CVE-2026-23745 | Trivy image | node-pkg | tar | high | node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsa... | 7.5.3 |
| CSAT Project (Survey Tool) | CVE-2026-23950 | Trivy image | node-pkg | tar | high | node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision rac... | 7.5.4 |
| CSAT Project (Survey Tool) | CVE-2026-24842 | Trivy image | node-pkg | tar | high | node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in ha... | 7.5.7 |
| CSAT Project (Survey Tool) | CVE-2026-26960 | Trivy image | node-pkg | tar | high | node-tar: node-tar: Arbitrary file read/write via malicious archive hardlink cre... | 7.5.8 |
| CSAT Project (Survey Tool) | CVE-2026-29786 | Trivy image | node-pkg | tar | high | node-tar: hardlink path traversal via drive-relative linkpath... | 7.5.10 |
| CSAT Project (Survey Tool) | CVE-2026-31802 | Trivy image | node-pkg | tar | high | tar: tar: File overwrite via drive-relative symlink traversal... | 7.5.11 |
| CSAT Project (Survey Tool) | DOCKERFILE-ROOT-USER | Dockerfile static checks | | dockerfile | high | Container runs as root user... | N/A |
| CSAT Project (Survey Tool) | HELM-NO-RUN-AS-NON-ROOT | HelmScanner | | helm-values | high | Container not configured to run as non-root... | configured |
| CSAT pro KS | CVE-2024-21538 | Trivy image | node-pkg | cross-spawn | high | cross-spawn: regular expression denial of service... | 7.0.5, 6.0.6 |
| CSAT pro KS | CVE-2025-64756 | Trivy image | node-pkg | glob | high | glob: glob: Command Injection Vulnerability via Malicious Filenames... | 11.1.0, 10.5.0 |
| CSAT pro KS | CVE-2026-26996 | Trivy image | node-pkg | minimatch | high | minimatch: minimatch: Denial of Service via specially crafted glob patterns... | 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 |
| CSAT pro KS | CVE-2026-27903 | Trivy image | node-pkg | minimatch | high | minimatch: minimatch: Denial of Service due to unbounded recursive backtracking ... | 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 |
| CSAT pro KS | CVE-2026-27904 | Trivy image | node-pkg | minimatch | high | minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob ex... | 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 |
| CSAT pro KS | CVE-2026-23745 | Trivy image | node-pkg | tar | high | node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsa... | 7.5.3 |
| CSAT pro KS | CVE-2026-23950 | Trivy image | node-pkg | tar | high | node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision rac... | 7.5.4 |
| CSAT pro KS | CVE-2026-24842 | Trivy image | node-pkg | tar | high | node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in ha... | 7.5.7 |
| CSAT pro KS | CVE-2026-26960 | Trivy image | node-pkg | tar | high | node-tar: node-tar: Arbitrary file read/write via malicious archive hardlink cre... | 7.5.8 |
| CSAT pro KS | CVE-2026-29786 | Trivy image | node-pkg | tar | high | node-tar: hardlink path traversal via drive-relative linkpath... | 7.5.10 |
| CSAT pro KS | CVE-2026-31802 | Trivy image | node-pkg | tar | high | tar: tar: File overwrite via drive-relative symlink traversal... | 7.5.11 |
| CSAT pro KS | DOCKERFILE-ROOT-USER | Dockerfile static checks | | dockerfile | high | Container runs as root user... | N/A |
| CSAT pro KS | HELM-NO-RUN-AS-NON-ROOT | HelmScanner | | helm-values | high | Container not configured to run as non-root... | configured |
| Car KK | CVE-2026-33671 | Trivy image | node-pkg | picomatch | high | picomatch: Picomatch: Regular Expression Denial of Service via crafted extglob p... | 4.0.4, 3.0.2, 2.3.2 |
| Car KK | DOCKERFILE-ROOT-USER | Dockerfile static checks | | dockerfile | high | Container runs as root user... | N/A |
| Car KK | HELM-NO-RUN-AS-NON-ROOT | HelmScanner | | helm-values | high | Container not configured to run as non-root... | configured |
| FQ Majetek | CVE-2023-5363 | Trivy image | alpine | libcrypto3 | high | openssl: Incorrect cipher key and IV length processing... | 3.0.12-r0 |
| FQ Majetek | CVE-2024-6119 | Trivy image | alpine | libcrypto3 | high | openssl: Possible denial of service in X.509 name checks... | 3.0.15-r0 |
| FQ Majetek | CVE-2025-69421 | Trivy image | alpine | libcrypto3 | high | openssl: OpenSSL: Denial of Service via malformed PKCS#12 file processing... | 3.0.19-r0 |
| FQ Majetek | CVE-2023-5363 | Trivy image | alpine | libssl3 | high | openssl: Incorrect cipher key and IV length processing... | 3.0.12-r0 |
| FQ Majetek | CVE-2024-6119 | Trivy image | alpine | libssl3 | high | openssl: Possible denial of service in X.509 name checks... | 3.0.15-r0 |
| FQ Majetek | CVE-2025-69421 | Trivy image | alpine | libssl3 | high | openssl: OpenSSL: Denial of Service via malformed PKCS#12 file processing... | 3.0.19-r0 |
| FQ Majetek | CVE-2025-26519 | Trivy image | alpine | musl | high | musl libc 0.9.13 through 1.2.5 before 1.2.6 has an out-of-bounds write ...... | 1.2.3-r6 |
| FQ Majetek | CVE-2025-26519 | Trivy image | alpine | musl-utils | high | musl libc 0.9.13 through 1.2.5 before 1.2.6 has an out-of-bounds write ...... | 1.2.3-r6 |
| FQ Majetek | CVE-2021-3807 | Trivy image | node-pkg | ansi-regex | high | nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI es... | 6.0.1, 5.0.1, 4.1.1, 3.0.1 |
| FQ Majetek | CVE-2024-21538 | Trivy image | node-pkg | cross-spawn | high | cross-spawn: regular expression denial of service... | 7.0.5, 6.0.6 |
| FQ Majetek | CVE-2022-25881 | Trivy image | node-pkg | http-cache-semantics | high | http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability... | 4.1.1 |
| FQ Majetek | CVE-2024-29415 | Trivy image | node-pkg | ip | high | node-ip: Incomplete fix for CVE-2023-42282... | N/A |
| FQ Majetek | CVE-2026-26996 | Trivy image | node-pkg | minimatch | high | minimatch: minimatch: Denial of Service via specially crafted glob patterns... | 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 |
| FQ Majetek | CVE-2026-27903 | Trivy image | node-pkg | minimatch | high | minimatch: minimatch: Denial of Service due to unbounded recursive backtracking ... | 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 |
| FQ Majetek | CVE-2026-27904 | Trivy image | node-pkg | minimatch | high | minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob ex... | 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 |
| FQ Majetek | CVE-2022-25883 | Trivy image | node-pkg | semver | high | nodejs-semver: Regular expression denial of service... | 7.5.2, 6.3.1, 5.7.2 |
| FQ Majetek | CVE-2026-23745 | Trivy image | node-pkg | tar | high | node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsa... | 7.5.3 |
| FQ Majetek | CVE-2026-23950 | Trivy image | node-pkg | tar | high | node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision rac... | 7.5.4 |
| FQ Majetek | CVE-2026-24842 | Trivy image | node-pkg | tar | high | node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in ha... | 7.5.7 |
| FQ Majetek | CVE-2026-26960 | Trivy image | node-pkg | tar | high | node-tar: node-tar: Arbitrary file read/write via malicious archive hardlink cre... | 7.5.8 |
| FQ Majetek | CVE-2026-29786 | Trivy image | node-pkg | tar | high | node-tar: hardlink path traversal via drive-relative linkpath... | 7.5.10 |
| FQ Majetek | CVE-2026-31802 | Trivy image | node-pkg | tar | high | tar: tar: File overwrite via drive-relative symlink traversal... | 7.5.11 |
| FQ Majetek | DOCKERFILE-ROOT-USER | Dockerfile static checks | | dockerfile | high | Container runs as root user... | N/A |
| FQ Majetek | HELM-NO-RUN-AS-NON-ROOT | HelmScanner | | helm-values | high | Container not configured to run as non-root... | configured |
| Golf (Symfony) | CVE-2015-5723 | Packagist Security Advisories | | doctrine/common | high | Security Misconfiguration Vulnerability in various Doctrine projects... | >=2.0.0,<2.4.3\|>=2.5.0,<2.5.1 |
| Golf (Symfony) | CVE-2021-43608 | Packagist Security Advisories | | doctrine/dbal | high | SQL Injection in Limit Clause Generation API... | >=3.0.0,<3.0.99\|>=3.1.0,<3.1.4 |
| Golf (Symfony) | CVE-2015-5723 | Packagist Security Advisories | | doctrine/doctrine-bundle | high | Security Misconfiguration Vulnerability in various Doctrine projects... | <1.5.2 |
| Golf (Symfony) | CVE-2015-5723 | Packagist Security Advisories | | doctrine/orm | high | Security Misconfiguration Vulnerability in various Doctrine projects... | >=2.0.0,<2.4.8\|>=2.5.0,<2.5.1 |
| Golf (Symfony) | CVE-2022-31091 | Packagist Security Advisories | | guzzlehttp/guzzle | high | Change in port should be considered a change in origin... | >=7,<7.4.5\|>=4,<6.5.8 |
| Golf (Symfony) | CVE-2022-31090 | Packagist Security Advisories | | guzzlehttp/guzzle | high | CURLOPT_HTTPAUTH option not cleared on change of origin... | >=7,<7.4.5\|>=4,<6.5.8 |
| Golf (Symfony) | CVE-2022-31043 | Packagist Security Advisories | | guzzlehttp/guzzle | high | Fix failure to strip Authorization header on HTTP downgrade... | >=7,<7.4.4\|>=4,<6.5.7 |
| Golf (Symfony) | CVE-2022-31042 | Packagist Security Advisories | | guzzlehttp/guzzle | high | Failure to strip the Cookie header on change in host or HTTP downgrade... | >=7,<7.4.4\|>=4,<6.5.7 |
| Golf (Symfony) | CVE-2022-29248 | Packagist Security Advisories | | guzzlehttp/guzzle | high | Cross-domain cookie leakage... | >=7,<7.4.3\|>=4,<6.5.6 |
| Golf (Symfony) | CVE-2016-5385 | Packagist Security Advisories | | guzzlehttp/guzzle | high | HTTP Proxy header vulnerability... | >=6,<6.2.1\|>=4.0.0-rc2,<4.2.4\|>=5,<5.3.1 |
| Golf (Symfony) | CVE-2023-29197 | Packagist Security Advisories | | guzzlehttp/psr7 | high | Improper header validation... | >=2,<2.4.5\|<1.9.1 |
| Golf (Symfony) | CVE-2022-24775 | Packagist Security Advisories | | guzzlehttp/psr7 | high | Improper parsing of HTTP headers... | >=2,<2.1.1\|<1.8.4 |
| Golf (Symfony) | CVE-2026-46643 | Packagist Security Advisories | | knplabs/knp-snappy | high | Snappy: Binary path is never shell-escaped due to an inverted is_executable chec... | <=1.7.0 |
| Golf (Symfony) | CVE-2026-46683 | Packagist Security Advisories | | knplabs/knp-snappy | high | Snappy : SSRF and local file read via the xsl-style-sheet option... | <=1.6.0 |
| Golf (Symfony) | CVE-2023-41330 | Packagist Security Advisories | | knplabs/knp-snappy | high | Snappy PHAR deserialization vulnerability... | <=1.4.2 |
| Golf (Symfony) | CVE-2023-28115 | Packagist Security Advisories | | knplabs/knp-snappy | high | PHAR deserialization allowing remote code execution... | <1.4.2 |
| Golf (Symfony) | CVE-2026-45034 | Packagist Security Advisories | | phpoffice/phpspreadsheet | high | PHPSpreadsheet has a patch bypass for CVE-2026-34084 ... | <=1.30.4 |
| Golf (Symfony) | CVE-2026-40902 | Packagist Security Advisories | | phpoffice/phpspreadsheet | high | PhpSpreadsheet has CPU Denial of Service via Unbounded Row Number in XLSX Row Di... | <=1.30.3\|>=2.0.0,<=2.1.15\|>=2.2.0,<=2.4.4\|>=3.3.0,<=3.10.4\|>=4.0.0,<=5.6.0 |
| Golf (Symfony) | CVE-2026-40863 | Packagist Security Advisories | | phpoffice/phpspreadsheet | high | PhpSpreadsheet has CPU Denial of Service via Unbounded Row Index in SpreadsheetM... | <=1.30.3\|>=2.0.0,<=2.1.15\|>=2.2.0,<=2.4.4\|>=3.3.0,<=3.10.4\|>=4.0.0,<=5.6.0 |
| Golf (Symfony) | CVE-2026-34084 | Packagist Security Advisories | | phpoffice/phpspreadsheet | high | PhpSpreadsheet has SSRF/RCE in IOFactory::load when $filename is user controlled... | <=1.30.2\|>=2.0.0,<=2.1.14\|>=2.2.0,<=2.4.3\|>=3.3.0,<=3.10.3\|>=4.0.0,<=5.5.0 |
| Golf (Symfony) | CVE-2026-40296 | Packagist Security Advisories | | phpoffice/phpspreadsheet | high | PhpSpreadsheet has XSS via number format code with @ text placeholder bypasses h... | <=1.30.3\|>=2.0.0,<=2.1.15\|>=2.2.0,<=2.4.4\|>=3.3.0,<=3.10.4\|>=4.0.0,<=5.6.0 |
| Golf (Symfony) | CVE-2026-35453 | Packagist Security Advisories | | phpoffice/phpspreadsheet | high | PhpSpreadsheet has XSS via NumberFormat @ Text Substitution in HTML Writer... | <=1.30.3\|>=2.0.0,<=2.1.15\|>=2.2.0,<=2.4.4\|>=3.3.0,<=3.10.4\|>=4.0.0,<=5.6.0 |
| Golf (Symfony) | CVE-2025-54370 | Packagist Security Advisories | | phpoffice/phpspreadsheet | high | PhpSpreadsheet vulnerable to SSRF when reading and displaying a processed HTML d... | <1.30.0\|>=2.0.0,<2.1.0\|>=2.1.0,<2.1.12\|>=2.2.0,<2.3.0\|>=2.3.0,<2.4.0\|>=3.0.0,<3.10.0\|>=4.0.0,<5.0.0 |
| Golf (Symfony) | CVE-2025-23210 | Packagist Security Advisories | | phpoffice/phpspreadsheet | high | PhpSpreadsheet allows bypassing of XSS sanitizer using the javascript protocol a... | >=2.0.0,<2.1.8\|>=2.2.0,<2.3.7\|<1.29.9\|>=3.0.0,<3.9.0 |
| Golf (Symfony) | CVE-2025-22131 | Packagist Security Advisories | | phpoffice/phpspreadsheet | high | Cross-Site Scripting (XSS) vulnerability in generateNavigation() function in Php... | >=2.2.0,<2.3.6\|>=2.0.0,<2.1.7\|<1.29.8\|>=3.0.0,<3.8.0 |
| Golf (Symfony) | CVE-2024-56412 | Packagist Security Advisories | | phpoffice/phpspreadsheet | high | PhpSpreadsheet allows bypass XSS sanitizer using the javascript protocol and spe... | >=2.2.0,<=2.3.4\|>=2.0.0,<=2.1.5\|<=1.29.6\|>=3.0.0,<3.7.0 |
| Golf (Symfony) | CVE-2024-56411 | Packagist Security Advisories | | phpoffice/phpspreadsheet | high | PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability of the hyperlink b... | >=2.2.0,<=2.3.4\|>=2.0.0,<=2.1.5\|<=1.29.6\|>=3.0.0,<3.7.0 |
| Golf (Symfony) | CVE-2024-56410 | Packagist Security Advisories | | phpoffice/phpspreadsheet | high | PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability in custom properti... | >=2.2.0,<=2.3.4\|>=2.0.0,<=2.1.5\|<=1.29.6\|>=3.0.0,<3.7.0 |
| Golf (Symfony) | CVE-2024-56409 | Packagist Security Advisories | | phpoffice/phpspreadsheet | high | PhpSpreadsheet allows unauthorized Reflected XSS in Currency.php file... | >=2.2.0,<=2.3.4\|>=2.0.0,<=2.1.5\|<=1.29.6\|>=3.0.0,<3.7.0 |
| Golf (Symfony) | CVE-2024-56366 | Packagist Security Advisories | | phpoffice/phpspreadsheet | high | PhpSpreadsheet allows unauthorized Reflected XSS in the Accounting.php file... | >=2.2.0,<=2.3.4\|>=2.0.0,<=2.1.5\|<=1.29.6\|>=3.0.0,<3.7.0 |
| Golf (Symfony) | CVE-2024-56365 | Packagist Security Advisories | | phpoffice/phpspreadsheet | high | PhpSpreadsheet allows unauthorized Reflected XSS in the constructor of the Downl... | >=2.2.0,<=2.3.4\|>=2.0.0,<=2.1.5\|<=1.29.6\|>=3.0.0,<3.7.0 |
| Golf (Symfony) | CVE-2024-56408 | Packagist Security Advisories | | phpoffice/phpspreadsheet | high | PhpSpreadsheet allows unauthorized Reflected XSS in `Convert-Online.php` file... | >=2.2.0,<=2.3.4\|>=2.0.0,<=2.1.5\|<=1.29.6\|>=3.0.0,<3.7.0 |
| Golf (Symfony) | CVE-2024-48917 | Packagist Security Advisories | | phpoffice/phpspreadsheet | high | XXE in PHPSpreadsheet's XLSX reader... | >=3.3.0,<3.4.0\|>=2.2.0,<2.3.2\|>=2.0.0,<2.1.3\|<1.29.4 |
| Golf (Symfony) | CVE-2024-47873 | Packagist Security Advisories | | phpoffice/phpspreadsheet | high | XmlScanner bypass leads to XXE... | >=3.3.0,<3.4.0\|>=2.2.0,<2.3.2\|>=2.0.0,<2.1.3\|<1.29.4 |
| Golf (Symfony) | CVE-2024-45293 | Packagist Security Advisories | | phpoffice/phpspreadsheet | high | XXE in PHPSpreadsheet's XLSX reader... | >=2.0.0,<2.1.1\|<1.29.1\|>=2.2.0,<2.3.0 |
| Golf (Symfony) | CVE-2024-45292 | Packagist Security Advisories | | phpoffice/phpspreadsheet | high | PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript ... | >=2.0.0,<2.1.1\|<1.29.2\|>=2.2.0,<2.3.0 |
| Golf (Symfony) | CVE-2024-45291 | Packagist Security Advisories | | phpoffice/phpspreadsheet | high | PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery in... | >=2.0.0,<2.1.1\|<1.29.2\|>=2.2.0,<2.3.0 |
| Golf (Symfony) | CVE-2024-45290 | Packagist Security Advisories | | phpoffice/phpspreadsheet | high | PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery wh... | >=2.0.0,<2.1.1\|<1.29.2\|>=2.2.0,<2.3.0 |
| Golf (Symfony) | CVE-2024-45060 | Packagist Security Advisories | | phpoffice/phpspreadsheet | high | PhpSpreadsheet has an Unauthenticated Cross-Site-Scripting (XSS) in sample file... | >=2.0.0,<2.1.1\|<1.29.2\|>=2.2.0,<2.3.0 |
| Golf (Symfony) | CVE-2024-45048 | Packagist Security Advisories | | phpoffice/phpspreadsheet | high | XXE in PHPSpreadsheet encoding is returned... | >=2.0.0,<2.1.1\|>=2.2.0,<2.2.1\|<1.29.1 |
| Golf (Symfony) | CVE-2024-45046 | Packagist Security Advisories | | phpoffice/phpspreadsheet | high | PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style infor... | <1.29.1\|>=2.0.0,<2.1.0 |
| Golf (Symfony) | CVE-2020-7776 | Packagist Security Advisories | | phpoffice/phpspreadsheet | high | XSS Vulnerability in HTML Writer... | <1.16.0 |
| Golf (Symfony) | CVE-2019-12331 | Packagist Security Advisories | | phpoffice/phpspreadsheet | high | XXE Vulnerability... | <1.8.0 |
| Golf (Symfony) | CVE-2018-19277 | Packagist Security Advisories | | phpoffice/phpspreadsheet | high | XXE Vulnerability... | <=1.5.0 |
| Golf (Symfony) | CVE-2026-45073 | Packagist Security Advisories | | symfony/cache | high | CVE-2026-45073: SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix... | >=2.0.0,<3.0.0\|>=3.0.0,<4.0.0\|>=4.0.0,<5.0.0\|>=5.0.0,<5.1.0\|>=5.1.0,<5.2.0\|>=5.2.0,<5.3.0\|>=5.3.0,<5.4.0\|>=5.4.0,<5.4.52\|>=6.0.0,<6.1.0\|>=6.1.0,<6.2.0\|>=6.2.0,<6.3.0\|>=6.3.0,<6.4.0\|>=6.4.0,<6.4.40\|>=7.0.0,<7.1.0\|>=7.1.0,<7.2.0\|>=7.2.0,<7.3.0\|>=7.3.0,<7.4.0\|>=7.4.0,<7.4.12\|>=8.0.0,<8.0.12 |
| Golf (Symfony) | CVE-2019-18889 | Packagist Security Advisories | | symfony/cache | high | CVE-2019-18889: Forbid serializing AbstractAdapter and TagAwareAdapter instances... | >=3.1.0,<3.2.0\|>=3.2.0,<3.3.0\|>=3.3.0,<3.4.0\|>=3.4.0,<3.4.35\|>=4.0.0,<4.1.0\|>=4.1.0,<4.2.0\|>=4.2.0,<4.2.12\|>=4.3.0,<4.3.8 |
| Golf (Symfony) | CVE-2019-10912 | Packagist Security Advisories | | symfony/cache | high | CVE-2019-10912: Prevent destructors with side-effects from being unserialized... | >=3.1.0,<3.2.0\|>=3.2.0,<3.3.0\|>=3.3.0,<3.4.0\|>=3.4.0,<3.4.26\|>=4.0.0,<4.1.0\|>=4.1.0,<4.1.12\|>=4.2.0,<4.2.7 |
| Golf (Symfony) | CVE-2019-10910 | Packagist Security Advisories | | symfony/dependency-injection | high | CVE-2019-10910: Check service IDs are valid... | >=2.7.0,<2.7.51\|>=2.8.0,<2.8.50\|>=3.0.0,<3.1.0\|>=3.1.0,<3.2.0\|>=3.2.0,<3.3.0\|>=3.3.0,<3.4.0\|>=3.4.0,<3.4.26\|>=4.0.0,<4.1.0\|>=4.1.0,<4.1.12\|>=4.2.0,<4.2.7 |
| Golf (Symfony) | CVE-2020-5274 | Packagist Security Advisories | | symfony/error-handler | high | CVE-2020-5274: Fix Exception message escaping rendered by ErrorHandler... | >=4.4.0,<4.4.4\|>=5.0.0,<5.0.4 |
| Golf (Symfony) | CVE-2018-19789 | Packagist Security Advisories | | symfony/form | high | CVE-2018-19789: Temporary uploaded file path disclosure... | >=2.7.38,<2.7.50\|>=2.8.0,<2.8.49\|>=3.0.0,<3.1.0\|>=3.1.0,<3.2.0\|>=3.2.0,<3.3.0\|>=3.3.0,<3.4.0\|>=3.4.0,<3.4.20\|>=4.0.0,<4.0.15\|>=4.1.0,<4.1.9\|>=4.2.0,<4.2.1 |
| Golf (Symfony) | CVE-2017-16790 | Packagist Security Advisories | | symfony/form | high | CVE-2017-16790: Ensure that submitted data are uploaded files... | >=2.7.0,<2.7.38\|>=2.8.0,<2.8.31\|>=3.0.0,<3.1.0\|>=3.1.0,<3.2.0\|>=3.2.0,<3.2.14\|>=3.3.0,<3.3.13 |
| Golf (Symfony) | CVE-2015-8125 | Packagist Security Advisories | | symfony/form | high | CVE-2015-8125: Potential Remote Timing Attack Vulnerability in Security Remember... | >=2.3.0,<2.3.35\|>=2.4.0,<2.5.0\|>=2.5.0,<2.6.0\|>=2.6.0,<2.6.12\|>=2.7.0,<2.7.7 |
| Golf (Symfony) | CVE-2022-23601 | Packagist Security Advisories | | symfony/framework-bundle | high | CVE-2022-23601: CSRF token missing in forms... | >=5.3.14,<5.3.15\|>=5.4.3,<5.4.4\|>=6.0.3,<6.0.4 |
| Golf (Symfony) | CVE-2019-10909 | Packagist Security Advisories | | symfony/framework-bundle | high | CVE-2019-10909: Escape validation messages in the PHP templating engine... | >=2.7.0,<2.7.51\|>=2.8.0,<2.8.50\|>=3.0.0,<3.1.0\|>=3.1.0,<3.2.0\|>=3.2.0,<3.3.0\|>=3.3.0,<3.4.0\|>=3.4.0,<3.4.26\|>=4.0.0,<4.1.0\|>=4.1.0,<4.1.12\|>=4.2.0,<4.2.7 |
| Golf (Symfony) | CVE-2014-4931 | Packagist Security Advisories | | symfony/framework-bundle | high | Code injection in the way Symfony implements translation caching in FrameworkBun... | >=2.0.0,<2.1.0\|>=2.1.0,<2.2.0\|>=2.2.0,<2.3.0\|>=2.3.0,<2.3.18\|>=2.4.0,<2.4.8\|>=2.5.0,<2.5.2 |
| Golf (Symfony) | CVE-2026-48736 | Packagist Security Advisories | | symfony/http-client | high | CVE-2026-48736: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT6... | >=5.4.0,<5.4.53 |
| Golf (Symfony) | CVE-2024-50342 | Packagist Security Advisories | | symfony/http-client | high | CVE-2024-50342: Internal address and port enumeration allowed by NoPrivateNetwor... | >=4.3.0,<4.4.0\|>=4.4.0,<5.0.0\|>=5.0.0,<5.1.0\|>=5.1.0,<5.2.0\|>=5.2.0,<5.3.0\|>=5.3.0,<5.4.0\|>=5.4.0,<5.4.47\|>=6.0.0,<6.1.0\|>=6.1.0,<6.2.0\|>=6.2.0,<6.3.0\|>=6.3.0,<6.4.0\|>=6.4.0,<6.4.15\|>=7.0.0,<7.1.0\|>=7.1.0,<7.1.8 |
| Golf (Symfony) | CVE-2026-48736 | Packagist Security Advisories | | symfony/http-foundation | high | CVE-2026-48736: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT6... | >=6.4.0,<6.4.41\|>=7.0.0,<7.1.0\|>=7.1.0,<7.2.0\|>=7.2.0,<7.3.0\|>=7.3.0,<7.4.0\|>=7.4.0,<7.4.13\|>=8.0.0,<8.0.13 |
| Golf (Symfony) | CVE-2025-64500 | Packagist Security Advisories | | symfony/http-foundation | high | CVE-2025-64500: Incorrect parsing of PATH_INFO can lead to limited authorization... | >=2.0.0,<3.0.0\|>=3.0.0,<4.0.0\|>=4.0.0,<5.0.0\|>=5.0.0,<5.1.0\|>=5.1.0,<5.2.0\|>=5.2.0,<5.3.0\|>=5.3.0,<5.4.0\|>=5.4.0,<5.4.50\|>=6.0.0,<6.1.0\|>=6.1.0,<6.2.0\|>=6.2.0,<6.3.0\|>=6.3.0,<6.4.0\|>=6.4.0,<6.4.29\|>=7.0.0,<7.1.0\|>=7.1.0,<7.2.0\|>=7.2.0,<7.3.0\|>=7.3.0,<7.3.7 |
| Golf (Symfony) | CVE-2024-50345 | Packagist Security Advisories | | symfony/http-foundation | high | CVE-2024-50345: Open redirect via browser-sanitized URLs... | >=2.0.0,<3.0.0\|>=3.0.0,<4.0.0\|>=4.0.0,<5.0.0\|>=5.0.0,<5.1.0\|>=5.1.0,<5.2.0\|>=5.2.0,<5.3.0\|>=5.3.0,<5.4.0\|>=5.4.0,<5.4.46\|>=6.0.0,<6.1.0\|>=6.1.0,<6.2.0\|>=6.2.0,<6.3.0\|>=6.3.0,<6.4.0\|>=6.4.0,<6.4.14\|>=7.0.0,<7.1.0\|>=7.1.0,<7.1.7 |
| Golf (Symfony) | CVE-2020-5255 | Packagist Security Advisories | | symfony/http-foundation | high | CVE-2020-5255: Prevent cache poisoning via a Response Content-Type header... | >=4.4.0,<4.4.7\|>=5.0.0,<5.0.7 |
| Golf (Symfony) | CVE-2019-18888 | Packagist Security Advisories | | symfony/http-foundation | high | CVE-2019-18888: Prevent argument injection in a MimeTypeGuesser... | >=2.0.0,<2.1.0\|>=2.1.0,<2.2.0\|>=2.2.0,<2.3.0\|>=2.3.0,<2.4.0\|>=2.4.0,<2.5.0\|>=2.5.0,<2.6.0\|>=2.6.0,<2.7.0\|>=2.7.0,<2.8.0\|>=2.8.0,<2.8.52\|>=3.0.0,<3.1.0\|>=3.1.0,<3.2.0\|>=3.2.0,<3.3.0\|>=3.3.0,<3.4.0\|>=3.4.0,<3.4.35\|>=4.0.0,<4.1.0\|>=4.1.0,<4.2.0\|>=4.2.0,<4.2.12\|>=4.3.0,<4.3.8 |
| Golf (Symfony) | CVE-2019-10913 | Packagist Security Advisories | | symfony/http-foundation | high | CVE-2019-10913: Reject invalid HTTP method overrides... | >=2.7.0,<2.7.51\|>=2.8.0,<2.8.50\|>=3.0.0,<3.1.0\|>=3.1.0,<3.2.0\|>=3.2.0,<3.3.0\|>=3.3.0,<3.4.0\|>=3.4.0,<3.4.26\|>=4.0.0,<4.1.0\|>=4.1.0,<4.1.12\|>=4.2.0,<4.2.7 |
| Golf (Symfony) | CVE-2018-14773 | Packagist Security Advisories | | symfony/http-foundation | high | CVE-2018-14773: Remove support for legacy and risky HTTP headers... | >=2.0.0,<2.1.0\|>=2.1.0,<2.2.0\|>=2.2.0,<2.3.0\|>=2.3.0,<2.4.0\|>=2.4.0,<2.5.0\|>=2.5.0,<2.6.0\|>=2.6.0,<2.7.0\|>=2.7.0,<2.7.49\|>=2.8.0,<2.8.44\|>=3.0.0,<3.1.0\|>=3.1.0,<3.2.0\|>=3.2.0,<3.3.0\|>=3.3.0,<3.3.18\|>=3.4.0,<3.4.14\|>=4.0.0,<4.0.14\|>=4.1.0,<4.1.3 |
| Golf (Symfony) | CVE-2018-11386 | Packagist Security Advisories | | symfony/http-foundation | high | CVE-2018-11386: Denial of service when using PDOSessionHandler... | >=2.0.0,<2.1.0\|>=2.1.0,<2.2.0\|>=2.2.0,<2.3.0\|>=2.3.0,<2.4.0\|>=2.4.0,<2.5.0\|>=2.5.0,<2.6.0\|>=2.6.0,<2.7.0\|>=2.7.0,<2.7.48\|>=2.8.0,<2.8.41\|>=3.0.0,<3.1.0\|>=3.1.0,<3.2.0\|>=3.2.0,<3.3.0\|>=3.3.0,<3.3.17\|>=3.4.0,<3.4.11\|>=4.0.0,<4.0.11 |
| Golf (Symfony) | CVE-2015-2309 | Packagist Security Advisories | | symfony/http-foundation | high | Unsafe methods in the Request class... | >=2.0.0,<2.1.0\|>=2.1.0,<2.2.0\|>=2.2.0,<2.3.0\|>=2.3.0,<2.3.27\|>=2.4.0,<2.5.0\|>=2.5.0,<2.5.11\|>=2.6.0,<2.6.6 |
| Golf (Symfony) | CVE-2014-6061 | Packagist Security Advisories | | symfony/http-foundation | high | Security issue when parsing the Authorization header... | >=2.0.0,<2.1.0\|>=2.1.0,<2.2.0\|>=2.2.0,<2.3.0\|>=2.3.0,<2.3.19\|>=2.4.0,<2.4.9\|>=2.5.0,<2.5.4 |
| Golf (Symfony) | CVE-2014-5244 | Packagist Security Advisories | | symfony/http-foundation | high | Denial of service with a malicious HTTP Host header... | >=2.0.0,<2.1.0\|>=2.1.0,<2.2.0\|>=2.2.0,<2.3.0\|>=2.3.0,<2.3.19\|>=2.4.0,<2.4.9\|>=2.5.0,<2.5.4 |
| Golf (Symfony) | CVE-2013-4752 | Packagist Security Advisories | | symfony/http-foundation | high | Request::getHost() poisoning... | >=2.0.0,<2.0.24\|>=2.1.0,<2.1.12\|>=2.2.0,<2.2.5\|>=2.3.0,<2.3.3 |
| Golf (Symfony) | CVE-2012-6431 | Packagist Security Advisories | | symfony/http-foundation | high | Routes behind a firewall are accessible even when not logged in... | >=2.0.0,<2.0.19 |
| Golf (Symfony) | CVE-2026-45075 | Packagist Security Advisories | | symfony/http-kernel | high | CVE-2026-45075: HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / ... | >=7.4.0,<7.4.12\|>=8.0.0,<8.0.12 |
| Golf (Symfony) | CVE-2022-24894 | Packagist Security Advisories | | symfony/http-kernel | high | CVE-2022-24894: Prevent storing cookie headers in HttpCache... | >=2.0.0,<2.1.0\|>=2.1.0,<2.2.0\|>=2.2.0,<2.3.0\|>=2.3.0,<2.4.0\|>=2.4.0,<2.5.0\|>=2.5.0,<2.6.0\|>=2.6.0,<2.7.0\|>=2.7.0,<2.8.0\|>=2.8.0,<3.0.0\|>=3.0.0,<3.1.0\|>=3.1.0,<3.2.0\|>=3.2.0,<3.3.0\|>=3.3.0,<3.4.0\|>=3.4.0,<4.0.0\|>=4.0.0,<4.1.0\|>=4.1.0,<4.2.0\|>=4.2.0,<4.3.0\|>=4.3.0,<4.4.0\|>=4.4.0,<4.4.50\|>=5.0.0,<5.1.0\|>=5.1.0,<5.2.0\|>=5.2.0,<5.3.0\|>=5.3.0,<5.4.0\|>=5.4.0,<5.4.20\|>=6.0.0,<6.0.20\|>=6.1.0,<6.1.12\|>=6.2.0,<6.2.6 |
| Golf (Symfony) | CVE-2021-41267 | Packagist Security Advisories | | symfony/http-kernel | high | CVE-2021-41267: Webcache Poisoning via X-Forwarded-Prefix and sub-request... | >=5.2.0,<5.3.0\|>=5.3.0,<5.3.12 |
| Golf (Symfony) | CVE-2020-15094 | Packagist Security Advisories | | symfony/http-kernel | high | CVE-2020-15094: Prevent RCE when calling untrusted remote with CachingHttpClient... | >=4.3.0,<4.4.0\|>=4.4.0,<4.4.13\|>=5.0.0,<5.1.0\|>=5.1.0,<5.1.5 |
| Golf (Symfony) | CVE-2019-18887 | Packagist Security Advisories | | symfony/http-kernel | high | CVE-2019-18887: Use constant time comparison in UriSigner... | >=2.2.0,<2.3.0\|>=2.3.0,<2.4.0\|>=2.4.0,<2.5.0\|>=2.5.0,<2.6.0\|>=2.6.0,<2.7.0\|>=2.7.0,<2.8.0\|>=2.8.0,<2.8.52\|>=3.0.0,<3.1.0\|>=3.1.0,<3.2.0\|>=3.2.0,<3.3.0\|>=3.3.0,<3.4.0\|>=3.4.0,<3.4.35\|>=4.0.0,<4.1.0\|>=4.1.0,<4.2.0\|>=4.2.0,<4.2.12\|>=4.3.0,<4.3.8 |
| Golf (Symfony) | CVE-2015-4050 | Packagist Security Advisories | | symfony/http-kernel | high | CVE-2015-4050: ESI unauthorized access... | >=2.3.19,<2.3.29\|>=2.4.9,<2.5.0\|>=2.5.4,<2.5.12\|>=2.6.0,<2.6.8 |
| Golf (Symfony) | CVE-2015-2308 | Packagist Security Advisories | | symfony/http-kernel | high | Esi Code Injection... | >=2.0.0,<2.1.0\|>=2.1.0,<2.2.0\|>=2.2.0,<2.3.0\|>=2.3.0,<2.3.27\|>=2.4.0,<2.5.0\|>=2.5.0,<2.5.11\|>=2.6.0,<2.6.6 |
| Golf (Symfony) | CVE-2014-5245 | Packagist Security Advisories | | symfony/http-kernel | high | Direct access of ESI URLs behind a trusted proxy... | >=2.0.0,<2.1.0\|>=2.1.0,<2.2.0\|>=2.2.0,<2.3.0\|>=2.3.0,<2.3.19\|>=2.4.0,<2.4.9\|>=2.5.0,<2.5.4 |
| Golf (Symfony) | CVE-2017-16654 | Packagist Security Advisories | | symfony/intl | high | CVE-2017-16654: Intl bundle readers breaking out of paths... | >=2.7.0,<2.7.38\|>=2.8.0,<2.8.31\|>=3.0.0,<3.1.0\|>=3.1.0,<3.2.0\|>=3.2.0,<3.2.14\|>=3.3.0,<3.3.13 |
| Golf (Symfony) | CVE-2026-45068 | Packagist Security Advisories | | symfony/mailer | high | CVE-2026-45068: Argument Injection in SendmailTransport via Dash-Prefixed Recipi... | >=2.0.0,<3.0.0\|>=3.0.0,<4.0.0\|>=4.0.0,<5.0.0\|>=5.0.0,<5.1.0\|>=5.1.0,<5.2.0\|>=5.2.0,<5.3.0\|>=5.3.0,<5.4.0\|>=5.4.0,<5.4.52\|>=6.0.0,<6.1.0\|>=6.1.0,<6.2.0\|>=6.2.0,<6.3.0\|>=6.3.0,<6.4.0\|>=6.4.0,<6.4.40\|>=7.0.0,<7.1.0\|>=7.1.0,<7.2.0\|>=7.2.0,<7.3.0\|>=7.3.0,<7.4.0\|>=7.4.0,<7.4.12\|>=8.0.0,<8.0.12 |
| Golf (Symfony) | CVE-2026-45070 | Packagist Security Advisories | | symfony/mime | high | CVE-2026-45070: Email Header Injection via Non-Token Characters in Mime Paramete... | >=2.0.0,<3.0.0\|>=3.0.0,<4.0.0\|>=4.0.0,<5.0.0\|>=5.0.0,<5.1.0\|>=5.1.0,<5.2.0\|>=5.2.0,<5.3.0\|>=5.3.0,<5.4.0\|>=5.4.0,<5.4.52\|>=6.0.0,<6.1.0\|>=6.1.0,<6.2.0\|>=6.2.0,<6.3.0\|>=6.3.0,<6.4.0\|>=6.4.0,<6.4.40\|>=7.0.0,<7.1.0\|>=7.1.0,<7.2.0\|>=7.2.0,<7.3.0\|>=7.3.0,<7.4.0\|>=7.4.0,<7.4.12\|>=8.0.0,<8.0.12 |
| Golf (Symfony) | CVE-2026-45067 | Packagist Security Advisories | | symfony/mime | high | CVE-2026-45067: Email Header / SMTP Command Injection via CRLF in Symfony\Compon... | >=2.0.0,<3.0.0\|>=3.0.0,<4.0.0\|>=4.0.0,<5.0.0\|>=5.0.0,<5.1.0\|>=5.1.0,<5.2.0\|>=5.2.0,<5.3.0\|>=5.3.0,<5.4.0\|>=5.4.0,<5.4.52\|>=6.0.0,<6.1.0\|>=6.1.0,<6.2.0\|>=6.2.0,<6.3.0\|>=6.3.0,<6.4.0\|>=6.4.0,<6.4.40\|>=7.0.0,<7.1.0\|>=7.1.0,<7.2.0\|>=7.2.0,<7.3.0\|>=7.3.0,<7.4.0\|>=7.4.0,<7.4.12\|>=8.0.0,<8.0.12 |
| Golf (Symfony) | CVE-2019-18888 | Packagist Security Advisories | | symfony/mime | high | CVE-2019-18888: Prevent argument injection in a MimeTypeGuesser... | >=4.3.0,<4.3.8 |
| Golf (Symfony) | CVE-2026-45077 | Packagist Security Advisories | | symfony/monolog-bridge | high | CVE-2026-45077: Unauthenticated PHP Object Deserialization in MonologBridge serv... | >=2.0.0,<3.0.0\|>=3.0.0,<4.0.0\|>=4.0.0,<5.0.0\|>=5.0.0,<5.1.0\|>=5.1.0,<5.2.0\|>=5.2.0,<5.3.0\|>=5.3.0,<5.4.0\|>=5.4.0,<5.4.52\|>=6.0.0,<6.1.0\|>=6.1.0,<6.2.0\|>=6.2.0,<6.3.0\|>=6.3.0,<6.4.0\|>=6.4.0,<6.4.40\|>=7.0.0,<7.1.0\|>=7.1.0,<7.2.0\|>=7.2.0,<7.3.0\|>=7.3.0,<7.4.0\|>=7.4.0,<7.4.12\|>=8.0.0,<8.0.12 |
| Golf (Symfony) | CVE-2026-46644 | Packagist Security Advisories | | symfony/polyfill-intl-idn | high | CVE-2026-46644: symfony/polyfill-intl-idn accepts xn-- labels whose Punycode pay... | >=1.17.1,<1.38.1 |
| Golf (Symfony) | CVE-2026-24739 | Packagist Security Advisories | | symfony/process | high | Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructi... | >=8.0,<8.0.5\|>=7.4,<7.4.5\|>=7.3,<7.3.11\|>=6.4,<6.4.33\|<5.4.51 |
| Golf (Symfony) | CVE-2024-51736 | Packagist Security Advisories | | symfony/process | high | CVE-2024-51736: Command execution hijack on Windows with Process class... | >=2.0.0,<3.0.0\|>=3.0.0,<4.0.0\|>=4.0.0,<5.0.0\|>=5.0.0,<5.1.0\|>=5.1.0,<5.2.0\|>=5.2.0,<5.3.0\|>=5.3.0,<5.4.0\|>=5.4.0,<5.4.46\|>=6.0.0,<6.1.0\|>=6.1.0,<6.2.0\|>=6.2.0,<6.3.0\|>=6.3.0,<6.4.0\|>=6.4.0,<6.4.14\|>=7.0.0,<7.1.0\|>=7.1.0,<7.1.7 |
| Golf (Symfony) | CVE-2026-48784 | Packagist Security Advisories | | symfony/routing | high | CVE-2026-48784: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../... | >=2.0.0,<3.0.0\|>=3.0.0,<4.0.0\|>=4.0.0,<5.0.0\|>=5.0.0,<5.1.0\|>=5.1.0,<5.2.0\|>=5.2.0,<5.3.0\|>=5.3.0,<5.4.0\|>=5.4.0,<5.4.53\|>=6.0.0,<6.1.0\|>=6.1.0,<6.2.0\|>=6.2.0,<6.3.0\|>=6.3.0,<6.4.0\|>=6.4.0,<6.4.41\|>=7.0.0,<7.1.0\|>=7.1.0,<7.2.0\|>=7.2.0,<7.3.0\|>=7.3.0,<7.4.0\|>=7.4.0,<7.4.13\|>=8.0.0,<8.0.13 |
| Golf (Symfony) | CVE-2026-45065 | Packagist Security Advisories | | symfony/routing | high | CVE-2026-45065: UrlGenerator Route-Requirement Bypass via Unanchored Regex Alter... | >=2.0.0,<3.0.0\|>=3.0.0,<4.0.0\|>=4.0.0,<5.0.0\|>=5.0.0,<5.1.0\|>=5.1.0,<5.2.0\|>=5.2.0,<5.3.0\|>=5.3.0,<5.4.0\|>=5.4.0,<5.4.52\|>=6.0.0,<6.1.0\|>=6.1.0,<6.2.0\|>=6.2.0,<6.3.0\|>=6.3.0,<6.4.0\|>=6.4.0,<6.4.40\|>=7.0.0,<7.1.0\|>=7.1.0,<7.2.0\|>=7.2.0,<7.3.0\|>=7.3.0,<7.4.0\|>=7.4.0,<7.4.12\|>=8.0.0,<8.0.12 |
| Golf (Symfony) | CVE-2012-6431 | Packagist Security Advisories | | symfony/routing | high | Routes behind a firewall are accessible even when not logged in... | >=2.0.0,<2.0.19 |
| Golf (Symfony) | CVE-2024-50341 | Packagist Security Advisories | | symfony/security-bundle | high | CVE-2024-50341: Security::login does not take into account custom user_checker... | >=6.2.0,<6.3.0\|>=6.3.0,<6.4.0\|>=6.4.0,<6.4.10\|>=7.0.0,<7.0.10\|>=7.1.0,<7.1.3 |
| Golf (Symfony) | CVE-2022-24895 | Packagist Security Advisories | | symfony/security-bundle | high | CVE-2022-24895: Possible CSRF token fixation... | >=2.0.0,<2.1.0\|>=2.1.0,<2.2.0\|>=2.2.0,<2.3.0\|>=2.3.0,<2.4.0\|>=2.4.0,<2.5.0\|>=2.5.0,<2.6.0\|>=2.6.0,<2.7.0\|>=2.7.0,<2.8.0\|>=2.8.0,<3.0.0\|>=3.0.0,<3.1.0\|>=3.1.0,<3.2.0\|>=3.2.0,<3.3.0\|>=3.3.0,<3.4.0\|>=3.4.0,<4.0.0\|>=4.0.0,<4.1.0\|>=4.1.0,<4.2.0\|>=4.2.0,<4.3.0\|>=4.3.0,<4.4.0\|>=4.4.0,<4.4.50\|>=5.0.0,<5.1.0\|>=5.1.0,<5.2.0\|>=5.2.0,<5.3.0\|>=5.3.0,<5.4.0\|>=5.4.0,<5.4.20\|>=6.0.0,<6.0.20\|>=6.1.0,<6.1.12\|>=6.2.0,<6.2.6 |
| Golf (Symfony) |
CVE-2021-41268 |
Packagist Security Advisories |
|
symfony/security-bundle |
high |
CVE-2021-41268: Remember me cookie persistance after password changes... |
>=5.3.0,<5.3.12 |
| Golf (Symfony) |
CVE-2018-11406 |
Packagist Security Advisories |
|
symfony/security-bundle |
high |
CVE-2018-11406: CSRF Token Fixation... |
>=2.0.0,<2.1.0|>=2.1.0,<2.2.0|>=2.2.0,<2.3.0|>=2.3.0,<2.4.0|>=2.4.0,<2.5.0|>=2.5.0,<2.6.0|>=2.6.0,<2.7.0|>=2.7.0,<2.7.48|>=2.8.0,<2.8.41|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.3.17|>=3.4.0,<3.4.11|>=4.0.0,<4.0.11 |
| Golf (Symfony) |
CVE-2018-11408 |
Packagist Security Advisories |
|
symfony/security-bundle |
high |
CVE-2018-11408: Open redirect vulnerability on security handlers... |
>=2.7.38,<2.7.48|>=2.8.0,<2.8.41|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.3.17|>=3.4.0,<3.4.11|>=4.0.0,<4.0.11 |
| Golf (Symfony) |
CVE-2021-21424 |
Packagist Security Advisories |
|
symfony/security-core |
high |
CVE-2021-21424: Prevent user enumeration via response content in authentication ... |
>=2.8.0,<3.0.0|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.4.0|>=3.4.0,<3.4.49|>=4.0.0,<4.1.0|>=4.1.0,<4.2.0|>=4.2.0,<4.3.0|>=4.3.0,<4.4.0|>=4.4.0,<4.4.24|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.2.9 |
| Golf (Symfony) |
CVE-2018-11407 |
Packagist Security Advisories |
|
symfony/security-core |
high |
CVE-2018-11407: Unauthorized access on a misconfigured LDAP server when using an... |
>=2.8.0,<2.8.37|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.3.17|>=3.4.0,<3.4.7|>=4.0.0,<4.0.7 |
| Golf (Symfony) |
CVE-2017-11365 |
Packagist Security Advisories |
|
symfony/security-core |
high |
CVE-2017-11365: Empty passwords validation issue... |
>=2.7.30,<2.7.32|>=2.8.23,<2.8.25|>=3.2.10,<3.2.12|>=3.3.3,<3.3.5 |
| Golf (Symfony) |
CVE-2016-2403 |
Packagist Security Advisories |
|
symfony/security-core |
high |
CVE-2016-2403: Unauthorized access on a misconfigured Ldap server when using an ... |
>=2.8.0,<2.8.6|>=3.0.0,<3.0.6 |
| Golf (Symfony) |
CVE-2016-1902 |
Packagist Security Advisories |
|
symfony/security-core |
high |
CVE-2016-1902: SecureRandom's fallback not secure when OpenSSL fails ... |
>=2.4.0,<2.5.0|>=2.5.0,<2.6.0|>=2.6.0,<2.6.13|>=2.7.0,<2.7.9 |
| Golf (Symfony) |
CVE-2018-11406 |
Packagist Security Advisories |
|
symfony/security-csrf |
high |
CVE-2018-11406: CSRF Token Fixation... |
>=2.4.0,<2.7.48|>=2.5.0,<2.7.48|>=2.6.0,<2.7.48|>=2.7.0,<2.7.48|>=2.8.0,<2.8.41|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.3.17|>=3.4.0,<3.4.11|>=4.0.0,<4.0.11 |
| Golf (Symfony) |
CVE-2017-16653 |
Packagist Security Advisories |
|
symfony/security-csrf |
high |
CVE-2017-16653: CSRF protection does not use different tokens for HTTP and HTTPS... |
>=2.7.0,<2.7.38|>=2.8.0,<2.8.31|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.2.14|>=3.3.0,<3.3.13 |
| Golf (Symfony) |
CVE-2026-48489 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2026-48489: Security Firewall Bypass via failure_forward Subrequest: Unauthe... |
>=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.53|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.41|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.13|>=8.0.0,<8.0.13 |
| Golf (Symfony) |
CVE-2026-45069 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2026-45069: OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims... |
>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12 |
| Golf (Symfony) |
CVE-2026-45063 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2026-45063: Identity Spoofing via Unanchored DN Regex in X509Authenticator... |
>=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12 |
| Golf (Symfony) |
CVE-2026-45074 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2026-45074: Cas2Handler Derives CAS service URL from Client Host Header → Cr... |
>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12 |
| Golf (Symfony) |
CVE-2026-45075 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2026-45075: HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / ... |
>=7.4.0,<7.4.12|>=8.0.0,<8.0.12 |
| Golf (Symfony) |
CVE-2024-51996 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2024-51996: Authentication Bypass via persisted RememberMe cookie... |
>=5.3.0,<5.4.0|>=5.4.0,<5.4.47|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.15|>=7.0.0,<7.1.0|>=7.1.0,<7.1.8 |
| Golf (Symfony) |
CVE-2023-46733 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2023-46733: Possible session fixation... |
>=5.4.0,<5.4.31|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.3.8 |
| Golf (Symfony) |
CVE-2021-32693 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2021-32693: Authentication granted to all firewalls instead of just one... |
>=5.3.0,<5.3.2 |
| Golf (Symfony) |
CVE-2021-21424 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2021-21424: Prevent user enumeration via response content in authentication ... |
>=5.1.0,<5.2.0|>=5.2.0,<5.2.8 |
| Golf (Symfony) |
CVE-2020-5275 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2020-5275: All rules set in "access_control" are required when the firewall ... |
>=4.4.0,<4.4.7|>=5.0.0,<5.0.7 |
| Golf (Symfony) |
CVE-2019-18886 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2019-18886: Prevent user enumeration using switch user functionality... |
>=4.1.0,<4.2.0|>=4.2.0,<4.2.12|>=4.3.0,<4.3.8 |
| Golf (Symfony) |
CVE-2019-10911 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2019-10911: Add a separator in the remember me cookie hash... |
>=2.7.0,<2.7.51|>=2.8.0,<2.8.50|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.4.0|>=3.4.0,<3.4.26|>=4.0.0,<4.1.0|>=4.1.0,<4.1.12|>=4.2.0,<4.2.7 |
| Golf (Symfony) |
CVE-2018-19790 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2018-19790: Open Redirect Vulnerability on login... |
>=2.7.38,<2.7.50|>=2.8.0,<2.8.49|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.4.0|>=3.4.0,<3.4.20|>=4.0.0,<4.0.15|>=4.1.0,<4.1.9|>=4.2.0,<4.2.1 |
| Golf (Symfony) |
CVE-2018-11406 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2018-11406: CSRF Token Fixation... |
>=2.4.0,<2.7.48|>=2.5.0,<2.7.48|>=2.6.0,<2.7.48|>=2.7.0,<2.7.48|>=2.8.0,<2.8.41|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.3.17|>=3.4.0,<3.4.11|>=4.0.0,<4.0.11 |
| Golf (Symfony) |
CVE-2018-11385 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2018-11385: Session Fixation Issue for Guard Authentication... |
>=2.4.0,<2.7.48|>=2.5.0,<2.7.48|>=2.6.0,<2.7.48|>=2.7.0,<2.7.48|>=2.8.0,<2.8.41|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.3.17|>=3.4.0,<3.4.11|>=4.0.0,<4.0.11 |
| Golf (Symfony) |
CVE-2017-16652 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2017-16652: Open redirect vulnerability on security handlers... |
>=2.7.0,<2.7.38|>=2.8.0,<2.8.31|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.2.14|>=3.3.0,<3.3.13 |
| Golf (Symfony) |
CVE-2016-4423 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2016-4423: Large username storage in session... |
>=2.3.0,<2.3.41|>=2.4.0,<2.5.0|>=2.5.0,<2.6.0|>=2.6.0,<2.7.0|>=2.7.0,<2.7.13|>=2.8.0,<2.8.6|>=3.0.0,<3.0.6 |
| Golf (Symfony) |
CVE-2015-8124 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2015-8124: Session Fixation in the "Remember Me" Login Feature... |
>=2.4.0,<2.5.0|>=2.5.0,<2.6.0|>=2.6.0,<2.6.12|>=2.7.0,<2.7.7 |
| Golf (Symfony) |
CVE-2015-8125 |
Packagist Security Advisories |
|
symfony/security-http |
high |
CVE-2015-8125: Potential Remote Timing Attack Vulnerability in Security Remember... |
>=2.4.0,<2.5.0|>=2.5.0,<2.6.0|>=2.6.0,<2.6.12|>=2.7.0,<2.7.7 |
| Golf (Symfony) |
CVE-2021-41270 |
Packagist Security Advisories |
|
symfony/serializer |
high |
CVE-2021-41270: Prevent CSV Injection via formulas... |
>=4.1.0,<4.2.0|>=4.2.0,<4.3.0|>=4.3.0,<4.4.0|>=4.4.0,<4.4.35|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.3.12 |
| Golf (Symfony) |
CVE-2026-45072 |
Packagist Security Advisories |
|
symfony/twig-bridge |
high |
CVE-2026-45072: Stored XSS in WebProfiler CodeExtension::fileExcerpt(): Unescape... |
>=6.4.24,<6.4.40 |
| Golf (Symfony) |
CVE-2023-46734 |
Packagist Security Advisories |
|
symfony/twig-bridge |
high |
CVE-2023-46734: Potential XSS vulnerabilities in CodeExtension filters... |
>=2.0.0,<2.1.0|>=2.1.0,<2.2.0|>=2.2.0,<2.3.0|>=2.3.0,<2.4.0|>=2.4.0,<2.5.0|>=2.5.0,<2.6.0|>=2.6.0,<2.7.0|>=2.7.0,<2.8.0|>=2.8.0,<3.0.0|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.4.0|>=3.4.0,<4.0.0|>=4.0.0,<4.1.0|>=4.1.0,<4.2.0|>=4.2.0,<4.3.0|>=4.3.0,<4.4.0|>=4.4.0,<4.4.51|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.31|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.3.8 |
| Golf (Symfony) |
CVE-2024-50343 |
Packagist Security Advisories |
|
symfony/validator |
high |
CVE-2024-50343: Incorrect response from Validator when input ends with `
`... |
>=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.43|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.11|>=7.0.0,<7.1.0|>=7.1.0,<7.1.4 |
| Golf (Symfony) |
CVE-2013-4751 |
Packagist Security Advisories |
|
symfony/validator |
high |
Validation metadata serialization and loss of information... |
>=2.0.0,<2.0.24|>=2.1.0,<2.1.12|>=2.2.0,<2.2.5|>=2.3.0,<2.3.3 |
| Golf (Symfony) |
CVE-2019-11325 |
Packagist Security Advisories |
|
symfony/var-exporter |
high |
CVE-2019-11325: Fix escaping of strings in VarExporter... |
>=4.2.0,<4.2.12|>=4.3.0,<4.3.8 |
| Golf (Symfony) |
CVE-2026-45304 |
Packagist Security Advisories |
|
symfony/yaml |
high |
CVE-2026-45304: YAML Parser Exponential Memory Allocation via Recursive Collecti... |
>=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12 |
| Golf (Symfony) |
CVE-2026-45305 |
Packagist Security Advisories |
|
symfony/yaml |
high |
CVE-2026-45305: YAML Parser ReDoS via Catastrophic Backtracking in Parser::clean... |
>=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12 |
| Golf (Symfony) |
CVE-2026-45133 |
Packagist Security Advisories |
|
symfony/yaml |
high |
CVE-2026-45133: YAML Parser Stack Exhaustion via Unbounded Recursion in Nested B... |
>=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12 |
| Golf (Symfony) |
CVE-2013-1397 |
Packagist Security Advisories |
|
symfony/yaml |
high |
Ability to enable/disable object support in YAML parsing and dumping... |
>=2.0.0,<2.0.22|>=2.1.0,<2.1.7 |
| Golf (Symfony) |
CVE-2013-1348 |
Packagist Security Advisories |
|
symfony/yaml |
high |
Ability to enable/disable PHP parsing in Yaml::parse()... |
>=2.0.0,<2.0.22 |
| Golf (Symfony) |
CVE-2026-48808 |
Packagist Security Advisories |
|
twig/twig |
high |
Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInt... |
>=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.27.0 |
| Golf (Symfony) |
CVE-2026-48805 |
Packagist Security Advisories |
|
twig/twig |
high |
Sandbox state regression in deprecated internal wrappers in `src/Resources/core.... |
>=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.27.0 |
| Golf (Symfony) |
CVE-2026-46636 |
Packagist Security Advisories |
|
twig/twig |
high |
Sandbox filter, tag and function allow-list bypass when sandbox state changes be... |
>=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.27.0 |
| Golf (Symfony) |
CVE-2026-48806 |
Packagist Security Advisories |
|
twig/twig |
high |
Sandbox `__toString()` policy bypass via dynamic mapping keys... |
>=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.27.0 |
| Golf (Symfony) |
CVE-2026-48807 |
Packagist Security Advisories |
|
twig/twig |
high |
Sandbox `__toString()` policy bypass via `Traversable` in `join`/`replace` and `... |
>=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.27.0 |
| Golf (Symfony) |
CVE-2026-46640 |
Packagist Security Advisories |
|
twig/twig |
high |
Arbitrary PHP code execution via `_self.(<string>)` macro-reference compilation... |
>=3.15.0,<3.26.0 |
| Golf (Symfony) |
CVE-2026-46628 |
Packagist Security Advisories |
|
twig/twig |
high |
The `spaceless` filter implicitly marks its output as safe... |
>=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0 |
| Golf (Symfony) |
CVE-2026-46633 |
Packagist Security Advisories |
|
twig/twig |
high |
PHP code injection via `{% use %}` template name... |
>=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0 |
| Golf (Symfony) |
CVE-2026-47730 |
Packagist Security Advisories |
|
twig/twig |
high |
XSS in profiler HtmlDumper via unescaped template and profile names... |
>=3.0.0,<3.26.0 |
| Golf (Symfony) |
CVE-2026-46639 |
Packagist Security Advisories |
|
twig/twig |
high |
Sandbox property and method bypass via object-destructuring assignment... |
>=3.24.0,<3.26.0 |
| Golf (Symfony) |
CVE-2026-46627 |
Packagist Security Advisories |
|
twig/twig |
high |
Sandbox does not protect against resource exhaustion... |
>=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0 |
| Golf (Symfony) |
CVE-2026-46635 |
Packagist Security Advisories |
|
twig/twig |
high |
Sandbox property allowlist bypass via the `column` filter (array_column on objec... |
>=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0 |
| Golf (Symfony) |
CVE-2026-46638 |
Packagist Security Advisories |
|
twig/twig |
high |
`{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomple... |
>=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0 |
| Golf (Symfony) |
CVE-2026-24425 |
Packagist Security Advisories |
|
twig/twig |
high |
Possible sandbox bypass when using a source policy... |
>=2.16.0,<3.0.0|>=3.9.0,<3.26.0 |
| Golf (Symfony) |
CVE-2026-47732 |
Packagist Security Advisories |
|
twig/twig |
high |
Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion p... |
>=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0 |
| Golf (Symfony) |
CVE-2026-46634 |
Packagist Security Advisories |
|
twig/twig |
high |
`template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized t... |
>=3.9.0,<3.26.0 |
| Golf (Symfony) |
CVE-2025-24374 |
Packagist Security Advisories |
|
twig/twig |
high |
Missing output escaping for the null coalesce operator... |
>=3.16.0,<3.19.0 |
| Golf (Symfony) |
CVE-2024-51754 |
Packagist Security Advisories |
|
twig/twig |
high |
Unguarded calls to __toString() when nesting an object into an array... |
>=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.11.2|>=3.12.0,<3.14.1 |
| Golf (Symfony) |
CVE-2024-51755 |
Packagist Security Advisories |
|
twig/twig |
high |
Unguarded calls to __isset() and to array-accesses when the sandbox is enabled... |
>=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.11.2|>=3.12.0,<3.14.1 |
| Golf (Symfony) |
CVE-2024-45411 |
Packagist Security Advisories |
|
twig/twig |
high |
Possible sandbox bypass... |
>=1.0.0,<1.44.7|>=2.0.0,<2.16.0|>=3.0.0,<3.11.0|>=3.12.0,<3.14.0 |
| Golf (Symfony) |
CVE-2022-39261 |
Packagist Security Advisories |
|
twig/twig |
high |
Possibility to load a template outside a configured directory when using the fil... |
>=1.0.0,<1.44.7|>=2.0.0,<2.15.3|>=3.0.0,<3.4.3 |
| Golf (Symfony) |
CVE-2022-23614 |
Packagist Security Advisories |
|
twig/twig |
high |
Disallow non closures in the sort filter... |
>=2.0.0,<2.14.11|>=3.0.0,<3.3.8 |
| Golf (Symfony) |
CVE-2019-9942 |
Packagist Security Advisories |
|
twig/twig |
high |
Sandbox Information Disclosure... |
<1.38.0|>=2.0.0,<2.7.0 |
| Golf (Symfony) |
CVE-2015-7809 |
Packagist Security Advisories |
|
twig/twig |
high |
Remote code execution in templates... |
<1.20.0 |
| Golf (Symfony) |
CVE-2026-41570 |
Packagist Security Advisories |
|
phpunit/phpunit |
high |
Argument injection via newline in PHP INI values forwarded to child processes... |
>=12.5.21,<12.5.22|>=13.1.5,<13.1.6 |
| Golf (Symfony) |
CVE-2026-24765 |
Packagist Security Advisories |
|
phpunit/phpunit |
high |
Unsafe Deserialization in PHPT Code Coverage Handling... |
>=0,<8.5.52|>=9.0.0,<9.6.33|>=10.0.0,<10.5.62|>=11.0.0,<11.5.50|>=12.0.0,<12.5.8 |
| Golf (Symfony) |
CVE-2017-9841 |
Packagist Security Advisories |
|
phpunit/phpunit |
high |
RCE vulnerability in phpunit... |
>=5.0.10,<5.6.3|>=4.8.19,<4.8.28 |
| Golf (Symfony) |
CVE-2026-45071 |
Packagist Security Advisories |
|
symfony/dom-crawler |
high |
CVE-2026-45071: XXE (Local File Disclosure) in DomCrawler::addXmlContent() via v... |
>=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12 |
| Golf (Symfony) |
CVE-2021-21424 |
Packagist Security Advisories |
|
symfony/maker-bundle |
high |
CVE-2021-21424: Prevent user enumeration via response content in authentication ... |
>=1.27.0,<1.28.0|>=1.28.0,<1.29.0|>=1.29.0,<1.29.2|>=1.30.0,<1.31.0|>=1.31.0,<1.31.1 |
| Golf (Symfony) |
CVE-2019-10912 |
Packagist Security Advisories |
|
symfony/phpunit-bridge |
high |
CVE-2019-10912: Prevent destructors with side-effects from being unserialized... |
>=2.8.0,<2.8.50|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.4.0|>=3.4.0,<3.4.26|>=4.0.0,<4.1.0|>=4.1.0,<4.1.12|>=4.2.0,<4.2.7 |
| Golf (Symfony) |
CVE-2026-45072 |
Packagist Security Advisories |
|
symfony/web-profiler-bundle |
high |
CVE-2026-45072: Stored XSS in WebProfiler CodeExtension::fileExcerpt(): Unescape... |
>=7.2.9,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12 |
| Golf (Symfony) |
CVE-2014-6072 |
Packagist Security Advisories |
|
symfony/web-profiler-bundle |
high |
CSRF vulnerability in the Web Profiler... |
>=2.0.0,<2.1.0|>=2.1.0,<2.2.0|>=2.2.0,<2.3.0|>=2.3.0,<2.3.19|>=2.4.0,<2.4.9|>=2.5.0,<2.5.4 |
| Golf (Symfony) | CVE-2026-5773 | Trivy image | debian | curl | high | curl: libcurl: Wrong file transfer due to incorrect SMB connection reuse... | N/A |
| Golf (Symfony) | CVE-2026-6276 | Trivy image | debian | curl | high | curl: libcurl: Information disclosure due to cookie leak when reusing connection... | N/A |
| Golf (Symfony) | CVE-2026-5773 | Trivy image | debian | libcurl4t64 | high | curl: libcurl: Wrong file transfer due to incorrect SMB connection reuse... | N/A |
| Golf (Symfony) | CVE-2026-6276 | Trivy image | debian | libcurl4t64 | high | curl: libcurl: Information disclosure due to cookie leak when reusing connection... | N/A |
| Golf (Symfony) | CVE-2026-42497 | Trivy image | debian | libperl5.40 | high | Archive::Tar versions before 3.08 for Perl extract hardlinks to attack ...... | N/A |
| Golf (Symfony) | CVE-2026-48959 | Trivy image | debian | libperl5.40 | high | IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaust ...... | N/A |
| Golf (Symfony) | CVE-2026-48962 | Trivy image | debian | libperl5.40 | high | perl-IO-Compress: perl-IO-Compress: Arbitrary code execution via attacker-contro... | N/A |
| Golf (Symfony) | CVE-2026-9538 | Trivy image | debian | libperl5.40 | high | Archive::Tar versions before 3.10 for Perl allow memory exhaustion via ...... | N/A |
| Golf (Symfony) | CVE-2026-7598 | Trivy image | debian | libssh2-1t64 | high | libssh2: integer overflow via large username or password arguments... | N/A |
| Golf (Symfony) | CVE-2026-45447 | Trivy image | debian | libssl3t64 | high | [Heap Use-After-Free in the PKCS7_verify() Function]... | N/A |
| Golf (Symfony) | CVE-2025-69720 | Trivy image | debian | libtinfo6 | high | ncurses: ncurses: Buffer overflow vulnerability may lead to arbitrary code execu... | N/A |
| Golf (Symfony) | CVE-2013-7445 | Trivy image | debian | linux-libc-dev | high | kernel: memory exhaustion via crafted Graphics Execution Manager (GEM) objects... | N/A |
| Golf (Symfony) | CVE-2019-19449 | Trivy image | debian | linux-libc-dev | high | kernel: mounting a crafted f2fs filesystem image can lead to slab-out-of-bounds ... | N/A |
| Golf (Symfony) | CVE-2019-19814 | Trivy image | debian | linux-libc-dev | high | kernel: out-of-bounds write in __remove_dirty_segment in fs/f2fs/segment.c... | N/A |
| Golf (Symfony) | CVE-2021-3847 | Trivy image | debian | linux-libc-dev | high | kernel: low-privileged user privileges escalation... | N/A |
| Golf (Symfony) | CVE-2021-3864 | Trivy image | debian | linux-libc-dev | high | kernel: descendant's dumpable setting with certain SUID binaries... | N/A |
| Golf (Symfony) | CVE-2024-21803 | Trivy image | debian | linux-libc-dev | high | kernel: bluetooth: use-after-free vulnerability in af_bluetooth.c... | N/A |
| Golf (Symfony) | CVE-2024-58015 | Trivy image | debian | linux-libc-dev | high | kernel: wifi: ath12k: Fix for out-of bound access error... | N/A |
| Golf (Symfony) | CVE-2024-58093 | Trivy image | debian | linux-libc-dev | high | kernel: Linux kernel: PCI/ASPM use-after-free during hot-unplug... | N/A |
| Golf (Symfony) | CVE-2025-22104 | Trivy image | debian | linux-libc-dev | high | kernel: ibmvnic: Use kernel helpers for hex dumps... | N/A |
| Golf (Symfony) | CVE-2025-38137 | Trivy image | debian | linux-libc-dev | high | kernel: PCI/pwrctrl: Cancel outstanding rescan work when unregistering... | N/A |
| Golf (Symfony) | CVE-2025-38187 | Trivy image | debian | linux-libc-dev | high | kernel: drm/nouveau: fix a use-after-free in r535_gsp_rpc_push()... | N/A |
| Golf (Symfony) | CVE-2025-38204 | Trivy image | debian | linux-libc-dev | high | kernel: jfs: fix array-index-out-of-bounds read in add_missing_indices... | N/A |
| Golf (Symfony) | CVE-2025-38206 | Trivy image | debian | linux-libc-dev | high | kernel: Kernel: Double free vulnerability in exFAT filesystem can lead to denial... | N/A |
| Golf (Symfony) | CVE-2025-38421 | Trivy image | debian | linux-libc-dev | high | kernel: platform/x86/amd: pmf: Use device managed allocations... | N/A |
| Golf (Symfony) | CVE-2025-38636 | Trivy image | debian | linux-libc-dev | high | kernel: rv: Use strings in da monitors tracepoints... | N/A |
| Golf (Symfony) | CVE-2025-39859 | Trivy image | debian | linux-libc-dev | high | kernel: ptp: ocp: fix use-after-free bugs causing by ptp_ocp_watchdog... | N/A |
| Golf (Symfony) | CVE-2025-39862 | Trivy image | debian | linux-libc-dev | high | kernel: wifi: mt76: mt7915: fix list corruption after hardware restart... | N/A |
| Golf (Symfony) | CVE-2025-39958 | Trivy image | debian | linux-libc-dev | high | kernel: iommu/s390: Make attach succeed when the device was surprise removed... | N/A |
| Golf (Symfony) | CVE-2026-23102 | Trivy image | debian | linux-libc-dev | high | kernel: Linux kernel: Denial of Service due to incorrect SVE context restoration... | N/A |
| Golf (Symfony) | CVE-2026-23208 | Trivy image | debian | linux-libc-dev | high | kernel: ALSA: usb-audio: Prevent excessive number of frames... | N/A |
| Golf (Symfony) | CVE-2026-23327 | Trivy image | debian | linux-libc-dev | high | kernel: cxl/mbox: validate payload size before accessing contents in cxl_payload... | N/A |
| Golf (Symfony) | CVE-2026-31493 | Trivy image | debian | linux-libc-dev | high | kernel: RDMA/efa: Fix use of completion ctx after free... | N/A |
| Golf (Symfony) | CVE-2026-31536 | Trivy image | debian | linux-libc-dev | high | kernel: smb: server: let send_done handle a completion without IB_SEND_SIGNALED... | N/A |
| Golf (Symfony) | CVE-2026-31568 | Trivy image | debian | linux-libc-dev | high | kernel: s390/mm: Add missing secure storage access fixups for donated memory... | N/A |
| Golf (Symfony) | CVE-2026-31663 | Trivy image | debian | linux-libc-dev | high | kernel: xfrm: hold dev ref until after transport_finish NF_HOOK... | N/A |
| Golf (Symfony) | CVE-2026-31688 | Trivy image | debian | linux-libc-dev | high | kernel: driver core: enforce device_lock for driver_match_device()... | N/A |
| Golf (Symfony) | CVE-2026-43198 | Trivy image | debian | linux-libc-dev | high | kernel: tcp: fix potential race in tcp_v6_syn_recv_sock()... | N/A |
| Golf (Symfony) | CVE-2026-45932 | Trivy image | debian | linux-libc-dev | high | kernel: bpf: Fix tcx/netkit detach permissions when prog fd isn't given... | N/A |
| Golf (Symfony) | CVE-2026-46054 | Trivy image | debian | linux-libc-dev | high | kernel: selinux: fix overlayfs mmap() and mprotect() access checks... | N/A |
| Golf (Symfony) | CVE-2026-46117 | Trivy image | debian | linux-libc-dev | high | kernel: RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()... | N/A |
| Golf (Symfony) | CVE-2026-46181 | Trivy image | debian | linux-libc-dev | high | kernel: RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()... | N/A |
| Golf (Symfony) | CVE-2026-46244 | Trivy image | debian | linux-libc-dev | high | kernel: netfilter: nft_inner: Fix IPv6 inner_thoff desync... | N/A |
| Golf (Symfony) | CVE-2025-69720 | Trivy image | debian | ncurses-base | high | ncurses: ncurses: Buffer overflow vulnerability may lead to arbitrary code execu... | N/A |
| Golf (Symfony) | CVE-2025-69720 | Trivy image | debian | ncurses-bin | high | ncurses: ncurses: Buffer overflow vulnerability may lead to arbitrary code execu... | N/A |
| Golf (Symfony) | CVE-2026-45447 | Trivy image | debian | openssl | high | [Heap Use-After-Free in the PKCS7_verify() Function]... | N/A |
| Golf (Symfony) | CVE-2026-45447 | Trivy image | debian | openssl-provider-legacy | high | [Heap Use-After-Free in the PKCS7_verify() Function]... | N/A |
| Golf (Symfony) | CVE-2026-42497 | Trivy image | debian | perl | high | Archive::Tar versions before 3.08 for Perl extract hardlinks to attack ...... | N/A |
| Golf (Symfony) | CVE-2026-48959 | Trivy image | debian | perl | high | IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaust ...... | N/A |
| Golf (Symfony) | CVE-2026-48962 | Trivy image | debian | perl | high | perl-IO-Compress: perl-IO-Compress: Arbitrary code execution via attacker-contro... | N/A |
| Golf (Symfony) | CVE-2026-9538 | Trivy image | debian | perl | high | Archive::Tar versions before 3.10 for Perl allow memory exhaustion via ...... | N/A |
| Golf (Symfony) | CVE-2026-42497 | Trivy image | debian | perl-base | high | Archive::Tar versions before 3.08 for Perl extract hardlinks to attack ...... | N/A |
| Golf (Symfony) | CVE-2026-48959 | Trivy image | debian | perl-base | high | IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaust ...... | N/A |
| Golf (Symfony) | CVE-2026-48962 | Trivy image | debian | perl-base | high | perl-IO-Compress: perl-IO-Compress: Arbitrary code execution via attacker-contro... | N/A |
| Golf (Symfony) | CVE-2026-9538 | Trivy image | debian | perl-base | high | Archive::Tar versions before 3.10 for Perl allow memory exhaustion via ...... | N/A |
| Golf (Symfony) | CVE-2026-42497 | Trivy image | debian | perl-modules-5.40 | high | Archive::Tar versions before 3.08 for Perl extract hardlinks to attack ...... | N/A |
| Golf (Symfony) | CVE-2026-48959 | Trivy image | debian | perl-modules-5.40 | high | IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaust ...... | N/A |
| Golf (Symfony) | CVE-2026-48962 | Trivy image | debian | perl-modules-5.40 | high | perl-IO-Compress: perl-IO-Compress: Arbitrary code execution via attacker-contro... | N/A |
| Golf (Symfony) | CVE-2026-9538 | Trivy image | debian | perl-modules-5.40 | high | Archive::Tar versions before 3.10 for Perl allow memory exhaustion via ...... | N/A |
| Golf (Symfony) | DOCKERFILE-ROOT-USER | Dockerfile static checks | | dockerfile | high | Container runs as root user... | N/A |
| Hugo Scraper API (Salesforce Integration) | CVE-2026-33846 | Trivy image | debian | libgnutls30 | high | gnutls: GnuTLS: Denial of Service via heap buffer overflow in DTLS handshake fra... | 3.7.9-2+deb12u7 |
| Hugo Scraper API (Salesforce Integration) | CVE-2026-3833 | Trivy image | debian | libgnutls30 | high | gnutls: GnuTLS: Policy bypass due to case-sensitive nameConstraints comparison... | 3.7.9-2+deb12u7 |
| Hugo Scraper API (Salesforce Integration) | CVE-2026-42009 | Trivy image | debian | libgnutls30 | high | gnutls: gnutls: Denial of Service via DTLS packet reordering vulnerability... | 3.7.9-2+deb12u7 |
| Hugo Scraper API (Salesforce Integration) | CVE-2025-69720 | Trivy image | debian | libncursesw6 | high | ncurses: ncurses: Buffer overflow vulnerability may lead to arbitrary code execu... | N/A |
| Hugo Scraper API (Salesforce Integration) | CVE-2026-45447 | Trivy image | debian | libssl3 | high | [Heap Use-After-Free in the PKCS7_verify() Function]... | N/A |
| Hugo Scraper API (Salesforce Integration) | CVE-2025-69720 | Trivy image | debian | libtinfo6 | high | ncurses: ncurses: Buffer overflow vulnerability may lead to arbitrary code execu... | N/A |
| Hugo Scraper API (Salesforce Integration) | CVE-2025-69720 | Trivy image | debian | ncurses-base | high | ncurses: ncurses: Buffer overflow vulnerability may lead to arbitrary code execu... | N/A |
| Hugo Scraper API (Salesforce Integration) | CVE-2025-69720 | Trivy image | debian | ncurses-bin | high | ncurses: ncurses: Buffer overflow vulnerability may lead to arbitrary code execu... | N/A |
| Hugo Scraper API (Salesforce Integration) | CVE-2026-45447 | Trivy image | debian | openssl | high | [Heap Use-After-Free in the PKCS7_verify() Function]... | N/A |
| Hugo Scraper API (Salesforce Integration) | CVE-2026-42497 | Trivy image | debian | perl-base | high | Archive::Tar versions before 3.08 for Perl extract hardlinks to attack ...... | N/A |
| Hugo Scraper API (Salesforce Integration) | CVE-2026-48959 | Trivy image | debian | perl-base | high | IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaust ...... | N/A |
| Hugo Scraper API (Salesforce Integration) | CVE-2026-48962 | Trivy image | debian | perl-base | high | perl-IO-Compress: perl-IO-Compress: Arbitrary code execution via attacker-contro... | N/A |
| Hugo Scraper API (Salesforce Integration) | CVE-2026-9538 | Trivy image | debian | perl-base | high | Archive::Tar versions before 3.10 for Perl allow memory exhaustion via ...... | N/A |
| Hugo Scraper API (Salesforce Integration) | DOCKERFILE-ROOT-USER | Dockerfile static checks | | dockerfile | high | Container runs as root user... | N/A |
| Hugo Scraper API (Salesforce Integration) | HELM-NO-RUN-AS-NON-ROOT | HelmScanner | | helm-values | high | Container not configured to run as non-root... | configured |
| PovCom WordPress | HELM-NO-RUN-AS-NON-ROOT | HelmScanner | | helm-values | high | Container not configured to run as non-root... | configured |
| Product CMS (Strapi) | CVE-2024-21538 | Trivy image | node-pkg | cross-spawn | high | cross-spawn: regular expression denial of service... | 7.0.5, 6.0.6 |
| Product CMS (Strapi) | CVE-2025-64756 | Trivy image | node-pkg | glob | high | glob: glob: Command Injection Vulnerability via Malicious Filenames... | 11.1.0, 10.5.0 |
| Product CMS (Strapi) |
CVE-2026-26996 |
Trivy image |
node-pkg |
minimatch |
high |
minimatch: minimatch: Denial of Service via specially crafted glob patterns... |
10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 |
| Product CMS (Strapi) |
CVE-2026-27903 |
Trivy image |
node-pkg |
minimatch |
high |
minimatch: minimatch: Denial of Service due to unbounded recursive backtracking ... |
10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 |
| Product CMS (Strapi) |
CVE-2026-27904 |
Trivy image |
node-pkg |
minimatch |
high |
minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob ex... |
10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 |
| Product CMS (Strapi) |
CVE-2026-23745 |
Trivy image |
node-pkg |
tar |
high |
node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsa... |
7.5.3 |
| Product CMS (Strapi) |
CVE-2026-23950 |
Trivy image |
node-pkg |
tar |
high |
node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision rac... |
7.5.4 |
| Product CMS (Strapi) |
CVE-2026-24842 |
Trivy image |
node-pkg |
tar |
high |
node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in ha... |
7.5.7 |
| Product CMS (Strapi) |
CVE-2026-26960 |
Trivy image |
node-pkg |
tar |
high |
node-tar: node-tar: Arbitrary file read/write via malicious archive hardlink cre... |
7.5.8 |
| Product CMS (Strapi) |
CVE-2026-29786 |
Trivy image |
node-pkg |
tar |
high |
node-tar: hardlink path traversal via drive-relative linkpath... |
7.5.10 |
| Product CMS (Strapi) |
CVE-2026-31802 |
Trivy image |
node-pkg |
tar |
high |
tar: tar: File overwrite via drive-relative symlink traversal... |
7.5.11 |
| Product CMS (Strapi) |
DOCKERFILE-ROOT-USER |
Dockerfile static checks |
|
dockerfile |
high |
Container runs as root user... |
N/A |
| Product CMS (Strapi) |
HELM-NO-RUN-AS-NON-ROOT |
HelmScanner |
|
helm-values |
high |
Container not configured to run as non-root... |
configured |
| SRO WordPress 2021-2 |
2026-28044 |
WPScan API |
|
WP Plugin: WP Rocket |
high |
Rocket < 3.20.0.2 - Authenticated (Author+) Stored Cross-Site Scripting... |
3.20.0.2 |
| SRO WordPress 2021-2 |
HELM-NO-RUN-AS-NON-ROOT |
HelmScanner |
|
helm-values |
high |
Container not configured to run as non-root... |
configured |
| SURI WordPress 2025 |
HELM-NO-RUN-AS-NON-ROOT |
HelmScanner |
|
helm-values |
high |
Container not configured to run as non-root... |
configured |
| Sběr účtů pro cashback |
CVE-2024-21538 |
Trivy image |
node-pkg |
cross-spawn |
high |
cross-spawn: regular expression denial of service... |
7.0.5, 6.0.6 |
| Sběr účtů pro cashback |
CVE-2025-64756 |
Trivy image |
node-pkg |
glob |
high |
glob: glob: Command Injection Vulnerability via Malicious Filenames... |
11.1.0, 10.5.0 |
| Sběr účtů pro cashback |
CVE-2026-26996 |
Trivy image |
node-pkg |
minimatch |
high |
minimatch: minimatch: Denial of Service via specially crafted glob patterns... |
10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 |
| Sběr účtů pro cashback |
CVE-2026-27903 |
Trivy image |
node-pkg |
minimatch |
high |
minimatch: minimatch: Denial of Service due to unbounded recursive backtracking ... |
10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 |
| Sběr účtů pro cashback |
CVE-2026-27904 |
Trivy image |
node-pkg |
minimatch |
high |
minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob ex... |
10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 |
| Sběr účtů pro cashback |
CVE-2026-23745 |
Trivy image |
node-pkg |
tar |
high |
node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsa... |
7.5.3 |
| Sběr účtů pro cashback |
CVE-2026-23950 |
Trivy image |
node-pkg |
tar |
high |
node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision rac... |
7.5.4 |
| Sběr účtů pro cashback |
CVE-2026-24842 |
Trivy image |
node-pkg |
tar |
high |
node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in ha... |
7.5.7 |
| Sběr účtů pro cashback |
CVE-2026-26960 |
Trivy image |
node-pkg |
tar |
high |
node-tar: node-tar: Arbitrary file read/write via malicious archive hardlink cre... |
7.5.8 |
| Sběr účtů pro cashback |
CVE-2026-29786 |
Trivy image |
node-pkg |
tar |
high |
node-tar: hardlink path traversal via drive-relative linkpath... |
7.5.10 |
| Sběr účtů pro cashback |
CVE-2026-31802 |
Trivy image |
node-pkg |
tar |
high |
tar: tar: File overwrite via drive-relative symlink traversal... |
7.5.11 |
| Sběr účtů pro cashback |
HELM-NO-RUN-AS-NON-ROOT |
HelmScanner |
|
helm-values |
high |
Container not configured to run as non-root... |
configured |
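The rows above repeat one CVE across several packages (CVE-2025-69720 on four ncurses packages) and list several fix versions per package (six node-tar CVEs, each with its own fix; three minimatch CVEs, each fixed on eight release lines). The script below is an added triage example, not code from Trivy, HelmScanner or any of the projects named in the report. It parses rows in the eight-column layout used on this page (the column order is an assumption about this report), deduplicates CVE ids, and computes for every package the lowest version on each release line that closes all of that package's CVEs; a line on which some CVE has no fix is marked as needing a major-version bump. Only plain `x.y.z` fixes are compared; distro strings such as `3.7.9-2+deb12u7`, `N/A` and `configured` are left for manual handling. The sample rows are copied from the table above.

```python
"""Triage helper for flattened scan-report rows (added example, not scanner code)."""
import re
from collections import defaultdict

# Assumed column order of the report table above.
COLUMNS = ("project", "id", "scanner", "target", "package", "severity", "title", "fix")

# Constructed sample: a subset of rows copied from the table above.
SAMPLE_ROWS = """
| Product CMS (Strapi) | CVE-2026-26996 | Trivy image | node-pkg | minimatch | high | minimatch: Denial of Service via specially crafted glob patterns... | 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 |
| Product CMS (Strapi) | CVE-2026-27903 | Trivy image | node-pkg | minimatch | high | minimatch: Denial of Service due to unbounded recursive backtracking ... | 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 |
| Product CMS (Strapi) | CVE-2026-27904 | Trivy image | node-pkg | minimatch | high | Minimatch: Denial of Service via catastrophic backtracking in glob ex... | 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 |
| Product CMS (Strapi) | CVE-2025-64756 | Trivy image | node-pkg | glob | high | glob: Command Injection Vulnerability via Malicious Filenames... | 11.1.0, 10.5.0 |
| Product CMS (Strapi) | CVE-2026-23745 | Trivy image | node-pkg | tar | high | node-tar: Arbitrary file overwrite and symlink poisoning via unsa... | 7.5.3 |
| Product CMS (Strapi) | CVE-2026-31802 | Trivy image | node-pkg | tar | high | tar: File overwrite via drive-relative symlink traversal... | 7.5.11 |
| Hugo Scraper API (Salesforce Integration) | CVE-2025-69720 | Trivy image | debian | libncursesw6 | high | ncurses: Buffer overflow vulnerability may lead to arbitrary code execu... | N/A |
| Hugo Scraper API (Salesforce Integration) | CVE-2025-69720 | Trivy image | debian | ncurses-bin | high | ncurses: Buffer overflow vulnerability may lead to arbitrary code execu... | N/A |
| Hugo Scraper API (Salesforce Integration) | HELM-NO-RUN-AS-NON-ROOT | HelmScanner |  | helm-values | high | Container not configured to run as non-root... | configured |
"""

SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_rows(text):
    """Turn markdown table rows into dicts keyed by COLUMNS; lines that are not
    eight-cell rows (headers, separators, stray text) are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) == len(COLUMNS):
            rows.append(dict(zip(COLUMNS, cells)))
    return rows


def unique_cves(rows):
    """Distinct CVE ids: one CVE reported on several packages counts once."""
    return sorted({r["id"] for r in rows if r["id"].startswith("CVE-")})


def parse_fix(fix):
    """'10.2.3, 9.0.7' -> {10: (10, 2, 3), 9: (9, 0, 7)}.
    Returns None for anything that is not plain semver (N/A, 'configured',
    distro versions like 3.7.9-2+deb12u7), so those rows stay manual."""
    lines = {}
    for part in fix.split(","):
        m = SEMVER.match(part.strip())
        if not m:
            return None
        version = tuple(int(x) for x in m.groups())
        lines[version[0]] = version
    return lines


def upgrade_targets(rows):
    """Per (project, package): for each release line that any fix mentions, the
    highest of the per-CVE fix versions on that line (the lowest version that
    closes every CVE), or None when some CVE has no fix on that line."""
    per_pkg = defaultdict(list)
    for r in rows:
        lines = parse_fix(r["fix"])
        if lines is not None:
            per_pkg[(r["project"], r["package"])].append(lines)
    targets = {}
    for key, fixes in per_pkg.items():
        majors = set().union(*(f.keys() for f in fixes))
        result = {}
        for major in sorted(majors, reverse=True):
            if all(major in f for f in fixes):
                result[major] = ".".join(map(str, max(f[major] for f in fixes)))
            else:
                result[major] = None  # no version on this line fixes everything
        targets[key] = result
    return targets


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    print(len(rows), "rows,", len(unique_cves(rows)), "distinct CVEs")
    for (project, package), lines in upgrade_targets(rows).items():
        print(project, package, lines)
```

On the sample this reports `tar -> {7: "7.5.11"}` (the newest of the six node-tar fixes covers all of them) and `minimatch -> {10: "10.2.3", ..., 3: "3.1.4"}` (the 3.x line needs 3.1.4, since only two of the three CVEs are closed by 3.1.3); the ncurses and Helm rows are excluded because their fix column is not a version. Paste the full table into `SAMPLE_ROWS` or read it from a file to get the same per-package targets for every project.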