PHP bulletins
Firefly III Stored XSS in Piggy Bank Names via Audit Logs
Stored XSS vulnerability: piggy bank names are rendered unsanitized in audit log views, allowing arbitrary JavaScript execution.
typo3/html-sanitizer: Whitespace-variant closing tags bypass sanitization when ALLOW_INSECURE_RAW_TEXT is enabled
When ALLOW_INSECURE_RAW_TEXT is enabled, the sanitizer fails to recognize whitespace-variant closing tags (e.
typo3/cms-core: XSS in Indexed Search plugin via unsanitized page titles
Cross-Site Scripting vulnerability in Indexed Search plugin: page titles with HTML markup are stored in search index without sanit
typo3/cms-core: Missing read permission check in clipboard allows unauthorized data access
Backend users could insert arbitrary records and files into the TYPO3 clipboard without proper read permission checks, allowing un
typo3/cms-core: Missing permission checks in Backend API file metadata routes
Authenticated backend users could retrieve file metadata via Backend API routes without proper permission checks, allowing access
typo3/cms-core: Path Allowance Check Bypass in GeneralUtility::isAllowedAbsPath()
The path allowance check in GeneralUtility::isAllowedAbsPath() performed a plain string prefix comparison without requiring a dire
typo3/cms-core: VariableFrontend and Registry now prevent PHP Object Injection
VariableFrontend and Registry now deserialize PHP payloads with integrity validation and class restrictions, preventing PHP Object
typo3/cms-core: Backend users could move records without source edit permissions
Backend users could move records to a different page without edit permissions on the source page.
typo3/html-sanitizer: Namespace attribute encoding bypass (XSS)
Namespace attributes are not encoded correctly during HTML serialization, allowing bypass of the cross-site scripting prevention m
typo3/cms-core: Open redirect in GeneralUtility::sanitizeLocalUrl
Applications using GeneralUtility::sanitizeLocalUrl are vulnerable to open redirect attacks if the URL is used after sanitization.
typo3/cms-core: Recycler module privilege escalation fix
Backend users with Recycler module access could restore soft-deleted records on unauthorized pages or tables.
typo3/cms-core: Unauthorized file download via fallback storage in Media Module
Backend users with file download permissions could download files from the fallback storage of the file abstraction layer (FAL) vi
typo3/cms-core: File upload bypass via mixed-case extensions leads to SQL injection and privilege escalation
Backend users with file write permissions can upload form definition files with mixed-case extensions (e.
typo3/cms-core: Form Framework SQL Injection and Privilege Escalation via DataHandler
Backend users with write access to the form_definition table can bypass Form Framework's persistence validation and permission che
typo3/cms-core: Missing authorization check allows non-privileged users to modify root folders of file mounts
Non-privileged backend users with file mount access could perform write operations (move, delete, rename) on root folders of activ
typo3/cms-core: Form Framework File Inclusion Vulnerability
Backend users with Form Framework access could use files not ending in .
Laracon US 2026 Speaker Lineup Announced
Laracon US 2026 announced its full speaker lineup for July 28-29 in Boston, including Taylor Otwell, Aaron Francis, Nuno Maduro, a
guzzlehttp/psr7 CRLF Injection via Host Header
guzzlehttp/psr7 now rejects ASCII control characters, whitespace, and DEL in first-party URI host components, preventing CRLF inje
guzzlehttp/psr7: Malformed Host header misinterpretation in URI construction
guzzlehttp/psr7 improperly interpreted malformed Host header values when constructing request URIs from inbound request data, pote
guzzlehttp/guzzle-services: CDATA injection via unsafe XML serialization
guzzlehttp/guzzle-services does not safely serialize scalar XML element values containing the CDATA terminator `]]>`, allowing att
filament/tables: Validation bypass in AttachAction and AssociateAction with recordSelectOptionsQuery()
The `recordSelectOptionsQuery()` method scopes options for Select fields in AttachAction and AssociateAction, but the built-in val
CodeIgniter 4 ext_in Validation Bypass via MIME Extension
The `ext_in` upload validation rule used the MIME-derived guessed extension instead of the client-provided filename extension, all
symfony/runtime: Incomplete CVE-2024-50340 fix allows argv injection via web SAPI
The original fix for CVE-2024-50340 gated argv reading on empty($_GET).
pheditor: OS Command Injection in Terminal Handler
An OS Command Injection vulnerability was discovered in pheditor's terminal handler.
laravel/framework v13.12.0 released
Version 13.12.0 of laravel/framework has been released on Packagist.
laravel/framework v12.61.0 released
Release of version 12.61.0 of the laravel/framework package on Packagist.
guzzlehttp/guzzle 7.10.5 Released
Release of version 7.10.5 for guzzlehttp/guzzle.
symfony/http-foundation v8.1.0 released
Version v8.1.0 of symfony/http-foundation provides an object-oriented layer for the HTTP specification.
symfony/console v8.1.0: New Release with Improved CLI Creation
New release of symfony/console v8.
guzzlehttp/guzzle 7.10.6 released
Version 7.10.6 of guzzlehttp/guzzle was released.