GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
5,981 advisories
Symfony: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../` or `./` → Generated URL Collapses Off-Route Under RFC 3986 Normalization
Moderate
CVE-2026-48784
was published
for
symfony/routing
(Composer)
Jun 15, 2026
Symfony: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense
Moderate
CVE-2026-48760
was published
for
symfony/html-sanitizer
(Composer)
Jun 15, 2026
Symfony: Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade
Moderate
CVE-2026-48747
was published
for
symfony/mailomat-mailer
(Composer)
Jun 15, 2026
Symfony: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient
Moderate
CVE-2026-48736
was published
for
symfony/http-client
(Composer)
Jun 15, 2026
Symfony: Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET Routes
High
CVE-2026-48489
was published
for
symfony/security-http
(Composer)
Jun 15, 2026
Symfony: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes
Moderate
CVE-2026-48761
was published
for
symfony/html-sanitizer
(Composer)
Jun 15, 2026
TYPO3 HTML Sanitizer allows Cross-site Scripting
Low
CVE-2026-47344
was published
for
typo3/html-sanitizer
(Composer)
Jun 12, 2026
Firefly II has Stored XSS in Audit Log Entry view via piggy bank name (ale.twig)
Moderate
GHSA-6jq6-x4cx-qvcm
was published
for
grumpydictator/firefly-iii
(Composer)
Jun 12, 2026
Filament has inconsistent scope enforcement for its AttachAction and AssociateAction Select fields
Moderate
CVE-2026-48067
was published
for
filament/actions
(Composer)
Jun 11, 2026
CodeIgniter4 has a validation bypass when uploading file extensions via `ext_in` rule
Critical
CVE-2026-48062
was published
for
codeigniter4/framework
(Composer)
Jun 11, 2026
guzzlehttp/guzzle-services' XML Request Serialization Vulnerable to XML Injection via CDATA Terminator
Moderate
CVE-2026-53723
was published
for
guzzlehttp/guzzle-services
(Composer)
Jun 11, 2026
ProTip!
Advisories are also available from the
GraphQL API