Threat Feed

Vendor: Composer (20 briefs)
medium advisory

PHP JWT Library PBES2-HS*+A*KW Unbounded p2c Iteration Count Leads to DoS

An unauthenticated attacker can cause a CPU-amplification denial of service through the PHP JWT Library's `PBES2AESKW::unwrapKey()` function, which processes JWE tokens that use PBES2-HS*+A*KW algorithms. A crafted JWE with an excessively large `p2c` (PBKDF2 iteration count) parameter in the JOSE header forces the server to perform an unbounded, CPU-intensive PBKDF2 computation.

jwt-library +3 denial-of-service web php jwt jwe cwe-400
2r 1t
high advisory

PHP JWT Framework Algorithm Confusion Vulnerability (TOCTOU)

A Time-of-Check/Time-of-Use (TOCTOU) vulnerability exists in the `JWSVerifier` and `JWEDecrypter` components of the `web-token/jwt-framework` and `web-token/jwt-library` PHP packages, allowing an attacker to override the integrity-protected `alg` parameter from the unprotected header, leading to authentication bypass and unauthorized access.

jwt-framework <= 4.2.99 +3 vulnerability php jwt web authentication-bypass
2r 2t
high advisory

Koel SSRF Vulnerability via Podcast Episode Enclosure URLs (CVE-2026-47260)

Koel is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of podcast episode enclosure URLs, allowing a remote attacker to inject a malicious URL into the enclosure field of a podcast RSS feed, leading to internal network reconnaissance and potential credential theft; this issue is tracked as CVE-2026-47260.

koel ssrf podcast cloud
2r 1t 3i
high threat

Twig RCE via Macro-Reference Compilation (CVE-2026-46640)

A vulnerability in Twig versions 3.15.0 to 3.26.0 (CVE-2026-46640) allows arbitrary PHP code execution through compilation of the `_self.(<string>)` macro reference. An attacker who can supply malicious template source can inject and execute PHP code, bypassing the SandboxExtension.

Twig rce php code-injection
2r 1t
critical advisory

Twig: PHP Code Injection via `{% use %}` Template Name (CVE-2026-46633)

A code injection vulnerability (CVE-2026-46633) exists in Twig versions prior to 3.26.0, where a single quote in the `{% use %}` template name is not properly escaped, allowing arbitrary PHP code execution by bypassing the Twig sandbox.

twig/twig code-injection twig rce
2r 1t
high advisory

AVideo Meet Plugin Authorization Bypass via Filename Parameter

AVideo's Meet plugin contains an authorization bypass vulnerability in the `uploadRecordedVideo.json.php` endpoint that derives `users_id` from the uploaded filename and calls passwordless `User->login()`, allowing any caller with the Meet shared secret to obtain a session as arbitrary users including admin.

AVideo authentication-bypass account-takeover web-application
2r 2t
high advisory

SimpleSAMLphp casserver FileSystemTicketStore Path Traversal Vulnerability

A path traversal vulnerability in SimpleSAMLphp's casserver module allows remote attackers to read and potentially delete arbitrary files outside the ticket directory by manipulating the ticket parameter in CAS validation requests, impacting confidentiality and integrity.

simplesamlphp/simplesamlphp-module-casserver <= 7.0.2 path-traversal file-deletion simplesamlphp
2r 1t
high advisory

CoreShop Remote Code Execution via Malicious Pull Request

CoreShop is vulnerable to remote code execution (RCE) via insecure `pull_request_target` configuration, allowing attackers to execute arbitrary code on the GitHub Actions runner by submitting a malicious pull request and potentially exfiltrate secrets or modify repository contents; tracked as CVE-2026-41249.

composer/coreshop/core-shop +1 github-actions rce pull-request
2r 1t
high threat

MantisBT Vulnerable to Stored XSS in File Download

MantisBT is vulnerable to stored cross-site scripting (XSS) via file_download.php by using the `show_inline=1` parameter with a valid CSRF token to upload a crafted XHTML attachment referencing a JavaScript attachment, leading to arbitrary code execution.

mantisbt/mantisbt xss mantisbt github advisory
2r 1t
critical advisory

CI4MS Backup Restore Zip Slip Vulnerability Leads to RCE

The CI4MS Backup restore function in versions prior to 0.31.5.0 is vulnerable to Zip Slip: entry names are not validated during extraction, so an uploaded malicious ZIP archive can write PHP files to the public web root, resulting in remote code execution.

ci4-cms-erp/ci4ms zip-slip rce code-injection vulnerability
2r 2t
high advisory

CI4MS Authenticated Remote Code Execution via Theme Upload

CI4MS versions 0.26.0.0 through 0.31.6.0 are vulnerable to remote code execution; an authenticated backend user with theme upload permissions can upload a crafted ZIP file containing a PHP file, which is then installed into the web-accessible public directory without filtering, allowing direct execution via HTTP.

ci4-cms-erp/ci4ms code-execution web-application php
2r 2t
high advisory

FlightPHP HTTP Method Override Vulnerability Leads to CSRF and Middleware Bypass

A vulnerability in FlightPHP core versions before 3.18.1 allows attackers to override HTTP methods via the `X-HTTP-Method-Override` header or `_method` parameter, leading to CSRF escalation, middleware bypass, and cache poisoning.

flightphp/core csrf middleware-bypass cache-poisoning http-method-override
2r 1t
high advisory

FlightPHP Reflected XSS Vulnerability in jsonp()

A reflected XSS vulnerability exists in FlightPHP versions prior to 3.18.1 due to improper validation of the jsonp query parameter in the Flight::jsonp() function, allowing attackers to inject arbitrary JavaScript leading to cookie theft, session hijacking, and data exfiltration.

flightphp/core reflected-xss web-application php
2r 1t 1i
high advisory

Admidio Inverted 2FA Reset Allows Privilege Escalation

In Admidio versions 5.0.8 and earlier, a logic error in the two-factor authentication reset inverts the authorization check, allowing non-admin users to remove the TOTP of other users, including administrators, and reducing those accounts to password-only authentication.

admidio 2fa bypass privilege-escalation
2r 2t
high advisory

FlightPHP Sensitive Information Disclosure via Default Error Handler

The default error handler in FlightPHP core writes the full exception message, exception code, and stack trace directly into the HTTP 500 response, disclosing sensitive information such as internal paths, secrets, and application structure.

flightphp/core information-disclosure web-application flightphp
2r 1t
critical advisory

Scramble Remote Code Execution via User-Controlled Input

Scramble versions 0.13.2 through 0.13.21 are vulnerable to remote code execution due to the evaluation of user-controlled input in validation rules during documentation generation, potentially allowing attackers to execute arbitrary PHP code.

scramble rce vulnerability php
3r 1t
high advisory

Flight Framework SQL Injection Vulnerability

The Flight framework is vulnerable to SQL injection. `SimplePdo::insert()`, `SimplePdo::update()`, and `SimplePdo::delete()` build SQL statements by concatenating the `$table` argument and the keys of the `$data` array directly into the query, with no identifier quoting or validation. An attacker who can craft malicious array keys can inject arbitrary SQL, leading to privilege escalation, arbitrary column writes, data destruction, and exfiltration.

flightphp/core sql-injection web-application vulnerability
2r 2t
critical advisory

AzuraCast Path Traversal Leads to Remote Code Execution

AzuraCast is vulnerable to path traversal in the Flow.js media upload endpoint, allowing authenticated users with media permissions to write arbitrary files, leading to remote code execution via PHP webshell upload.

azuracast path-traversal rce webserver
2r 3t 3i
medium advisory

AzuraCast Account Takeover via X-Forwarded-Host Poisoning

AzuraCast is vulnerable to password reset poisoning due to unconditionally trusting the X-Forwarded-Host header, allowing an attacker to inject a malicious host into the password reset URL, exfiltrate the reset token, reset the victim's password, and disable 2FA, leading to account takeover.

azuracast +2 account takeover x-forwarded-host password reset poisoning
2r 3t 2i
critical advisory

CI4MS Theme Upload Zip Slip Vulnerability

A critical vulnerability exists in ci4ms Theme::upload, where improper validation of ZIP archive entry names allows authenticated users with theme creation permissions to write files to arbitrary locations, leading to remote code execution.

ci4-cms-erp/ci4ms zip-slip rce codeigniter vulnerability
2r 2t