Flightphp/Core (< 3.18.1)

A vulnerability in FlightPHP core versions before 3.18.1 allows attackers to override HTTP methods via the `X-HTTP-Method-Override` header or `_method` parameter, leading to CSRF escalation, middleware bypass, and cache poisoning.

A reflected XSS vulnerability exists in FlightPHP versions prior to 3.18.1 due to improper validation of the jsonp query parameter in the Flight::jsonp() function, allowing attackers to inject arbitrary JavaScript leading to cookie theft, session hijacking, and data exfiltration.

The default error handler in FlightPHP core writes the full exception message, exception code, and stack trace directly into the HTTP 500 response, disclosing sensitive information such as internal paths, secrets, and application structure.

Flight framework is vulnerable to SQL Injection; an attacker can inject arbitrary SQL by crafting malicious array keys due to SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() building SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting or validation, leading to privilege escalation, arbitrary column writes, data destruction, and exfiltration.