php 2026
symfony/runtime: Incomplete CVE-2024-50340 fix allows argv injection via web SAPI
The original fix for CVE-2024-50340 gated argv reading on empty($_GET).
pheditor: OS Command Injection in Terminal Handler
An OS Command Injection vulnerability was discovered in pheditor's terminal handler.
laravel/framework v13.12.0 released
Version 13.12.0 of laravel/framework has been released on Packagist.
laravel/framework v12.61.0 released
Release of version 12.61.0 of the laravel/framework package on Packagist.
guzzlehttp/guzzle 7.10.5 Released
Release of version 7.10.5 for guzzlehttp/guzzle.
symfony/http-foundation v8.1.0 released
Version 8.1.0 of symfony/http-foundation provides an object-oriented layer for the HTTP specification.
symfony/console v8.1.0: New Release with Improved CLI Creation
New release of symfony/console v8.
guzzlehttp/guzzle 7.10.6 released
Version 7.10.6 of guzzlehttp/guzzle was released.
guzzlehttp/guzzle 7.11.0 released
Version 7.11.0 of guzzlehttp/guzzle has been released.
PHPUnit 13.1.14 Patch Release
Release of PHPUnit version 13.1.14, a patch update in the 13.1.x series.
Laravel Framework v12.61.1 Released
Release of version 12.61.1 of the laravel/framework package on Packagist.
PHPUnit 13.2.0 Released
PHPUnit version 13.2.0 has been released.
Laravel 13.14: JsonSchema::fromArray() and Queue/Job Fixes
Laravel 13.14 adds JsonSchema::fromArray() for converting JSON Schema arrays back into Type objects, queue inheritance fixes, job
laravel/framework v12.62.0 released
Version 12.62.0 of the laravel/framework package has been released.
AVideo YouTubeAPI Plugin Reflected XSS via search Parameter
Reflected XSS vulnerability in YouTubeAPI plugin: unsanitized $_GET['search'] concatenated into href attributes in plugin/YouTubeA
AVideo YouTubeAPI Plugin Stored XSS via snippet.title
Stored XSS vulnerability in AVideo YouTubeAPI plugin: `snippet.
Shopware Platform: Privilege Escalation via Sync API Bypass
A non-admin API user with integration:create ACL privilege can escalate to full administrator by creating an integration with admi
Shopware Platform: user_recovery hash exposed via Admin API
The `user_recovery` entity exposes its `hash` field through the Admin API search endpoint (`POST /api/search/user-recovery`), allo
shopware/platform: Non-admin users can escalate to admin via UserController::upsertUser()
UserController::upsertUser() writes user data in SYSTEM_SCOPE and does not filter the admin field, allowing non-admin API users wi
shopware/platform OAuth user repository timing attack vulnerability
A timing attack vulnerability in the OAuth user repository allows enumeration of administrator usernames.
shopware/core: Open redirect via Referer header in SSO endpoint
The public SSO entry point at GET /api/oauth/sso/auth uses the Referer header as a fallback redirect destination when the expected
shopware/platform: Missing ACL checks on order state transition endpoints
Order state transition endpoints in the Admin API are missing ACL privilege checks, allowing low-privileged users to change order
shopware/platform: Missing authorization in /store-api/handle-payment
The Store API endpoint `/store-api/handle-payment` lacks object-level authorization, allowing a low-privileged user to trigger pay
shopware/core: SVG uploads allow stored XSS
SVG files are allowed in the media manager upload whitelist but are not sanitized, enabling stored XSS via malicious SVG content.
shopware/core: Missing IP validation in /api/_action/media/external-link endpoint
The `/api/_action/media/external-link` endpoint in Shopware's core allows authenticated admin users to make server-side HTTP HEAD
Shopper Framework: Missing Authorization on Sub-form Livewire Components
Sub-form Livewire components (Edit, Inventory, Seo, Shipping, Files) in the product editor had no authorization on their store() m
Shopper Framework: Missing permission checks on admin table actions (fixed in v2.8.0)
Admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions without permission checks.
twig/twig: XSS fix in HtmlDumper escapes template and profile names
Twig\Profiler\Dumper\HtmlDumper now escapes template and profile names with htmlspecialchars() before outputting them in HTML.
Poweradmin v4.4.0 CSV Injection and Path Disclosure in Log Export
CSV Injection (Formula Injection) vulnerability in log export: user-controlled username field written to CSV without sanitizing fo
Froxlor API Authentication Bypasses Two-Factor Authentication
FroxlorRPC::validateAuth does not enforce Two-Factor Authentication.
wwbn/avideo: Stored XSS via WebSocket message json key bypass
Stored XSS vulnerability in AVideo's WebSocket messaging system: MessageSQLite.
AVideo YPTSocket Plugin Unauthenticated Stored DOM XSS via page_title
Unauthenticated stored DOM XSS via `page_title` broadcast in AVideo YPTSocket plugin.
TinyMCE Stored XSS via data-mce-* Attributes
Stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style).
TinyMCE Stored XSS via forged mce:protected comments
Stored XSS vulnerability via forged mce:protected comments allows attackers to bypass sanitization and inject scripts when content
TinyMCE Media Plugin Stored XSS Vulnerability
A stored XSS vulnerability in the media plugin allows attackers to inject malicious scripts via crafted data-mce-* attributes.
shopper/framework: Three security defects in admin Livewire components
Three security defects in admin Livewire components: IDOR via unlocked properties, sensitive data disclosure through Hidden passwo
shopper/framework: Authorization bypass in team settings (fixed in v2.8.0)
Two authorization defects in team settings allowed any authenticated panel user to take over the RBAC system: Settings/Team/Index
Twig Sandbox Bypass via SourcePolicyInterface for sort/filter/map/reduce
Twig's sandbox restriction for callback-accepting filters (sort, filter, map, reduce) is not always applied when using a SourcePol
Twig Sandbox Bypass via __toString() Calls
The sandbox security mechanism was bypassed because SandboxNodeVisitor only wrapped a hardcoded list of AST nodes in CheckToString