Security Audit v2.8.0

Language
- English
- Français
Login / Register

prod

Ibexa OSS 4.6

82 vulnerabilities has been found

6 abandonned packages has been found

Last analyse : 6 hours ago

No result.

82 vulnerabilities has been found

#	Total	C	H	M	L
Composer	51	0	15	12	5	0
Php	31	3	12	8	4	4

Composer

6 ibexa/admin-ui —— v4.6.7 +

high XSS in fields used in the Content name pattern

Affected versions : v4.0.0,v4.0.8|v4.1.0,v4.1.5|v4.2.0,v4.2.4|v4.3.0,v4.3.5|v4.4.0,v4.4.4|v4.5.0,v4.5.7|v4.6.0,v4.6.13
Patched versions : v4.6.14
https://developers.ibexa.co/security-advisories/ibexa-sa-2024-006-vulnerabilities-in-content-name-pattern-commerce-shop-and-varnish-vhost-templates

Reported 11/28/24

IBEXA-SA-2024-006

high XSS vulnerabilities in back office

Affected versions : v4.6.0,v4.6.20
Patched versions : v4.6.21
https://developers.ibexa.co/security-advisories/ibexa-sa-2025-003-xss-vulnerabilities-in-back-office

Reported 6/11/25

IBEXA-SA-2025-003

medium Ibexa Admin UI XSS vulnerabilities in back office

Affected versions : >=4.6.0-beta1,<4.6.21
Patched versions : 4.6.21
https://github.com/advisories/GHSA-5r6x-g6jv-4v87

Reported 6/13/25

medium ibexa/admin-ui has an XSS vulnerability in Cancel/Reschedule future publication modal

Affected versions : >=4.6.0,<4.6.25|>=5.0.0,<5.0.3
Patched versions : 5.0.3 4.6.25
https://github.com/advisories/GHSA-2mx6-fq24-g2mh

Reported 10/17/25

medium Ibexa Admin UI vulnerable to DOM-based Cross-site Scripting in file upload widget

Affected versions : >=4.6.0-beta1,<4.6.9
Patched versions : 4.6.9
https://github.com/advisories/GHSA-qm44-wjm2-pr59

Reported 7/31/24

CVE-2024-39318

medium Ibexa Admin UI vulnerable to Cross-site Scripting in a field that is used in the Content name pattern

Affected versions : >=4.6.0,<4.6.14
Patched versions : 4.6.14
https://github.com/advisories/GHSA-8w3p-gf85-qcch

Reported 12/2/24

CVE-2024-53864

6 ibexa/fieldtype-richtext —— v4.6.7 +

high XXE vulnerability in RichText

Affected versions : v4.6.0,v4.6.18
Patched versions : v4.6.19
https://developers.ibexa.co/security-advisories/ibexa-sa-2025-002-xxe-vulnerability-in-richtext

Reported 4/9/25

IBEXA-SA-2025-002

high XSS vulnerabilities in back office

Affected versions : v4.6.0,v4.6.20
Patched versions : v4.6.21
https://developers.ibexa.co/security-advisories/ibexa-sa-2025-003-xss-vulnerabilities-in-back-office

Reported 6/11/25

IBEXA-SA-2025-003

high Persistent Cross-site Scripting in Ibexa RichText Field Type

Affected versions : >=4.6.0,<4.6.10
Patched versions : 4.6.10
https://github.com/advisories/GHSA-hvcf-6324-cjh7

Reported 8/14/24

CVE-2024-43369

high ibexa/fieldtype-richtext allows access to external entities in XML

Affected versions : >=4.6.0-beta1,<4.6.19
Patched versions : 4.6.19
https://github.com/advisories/GHSA-cj3w-g42v-wcj6

Reported 4/10/25

medium Ibexa RichText Field Type XSS vulnerabilities in back office

Affected versions : >=4.6.0-beta1,<4.6.21
Patched versions : 4.6.21
https://github.com/advisories/GHSA-9qv6-4pwm-m68f

Reported 6/13/25

medium ibexa/fieldtype-richtext has an XSS vulnerability via acronym custom tag in Rich Text

Affected versions : >=4.6.0,<4.6.25|>=5.0.0,<5.0.3
Patched versions : 5.0.3 4.6.25
https://github.com/advisories/GHSA-8c2g-f8jm-5cr7

Reported 10/17/25

12 twig/twig —— v3.10.3 +

high Twig has a possible sandbox bypass

Affected versions : >=3.0.0,<3.14.0|>=2.0.0,<2.16.1|>=1.0.0,<1.44.8
Patched versions : 1.44.8 2.16.1 3.14.0
https://github.com/advisories/GHSA-6j75-5wfj-gh66

Reported 9/9/24

CVE-2024-45411

`template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name

Affected versions : >=3.9.0,<3.26.0
Patched versions :
https://symfony.com/cve-2026-46634

Reported 5/20/26

CVE-2026-46634

low Unguarded calls to __isset() and to array-accesses when the sandbox is enabled

Affected versions : >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.11.2|>=3.12.0,<3.14.1
Patched versions : 3.11.2 3.14.1
https://symfony.com/blog/unguarded-calls-to-__isset-and-to-array-accesses-when-the-sandbox-is-enabled

Reported 11/6/24

CVE-2024-51755

`{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411)

Affected versions : >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0
Patched versions :
https://symfony.com/cve-2026-46638

Reported 5/20/26

CVE-2026-46638

Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points

Affected versions : >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0
Patched versions :
https://symfony.com/cve-2026-47732

Reported 5/20/26

CVE-2026-47732

Possible sandbox bypass when using a source policy

Affected versions : >=2.16.0,<3.0.0|>=3.9.0,<3.26.0
Patched versions :
https://symfony.com/cve-2026-24425

Reported 5/20/26

CVE-2026-24425

PHP code injection via `{% use %}` template name

Affected versions : >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0
Patched versions :
https://symfony.com/cve-2026-46633

Reported 5/20/26

CVE-2026-46633

Sandbox does not protect against resource exhaustion

Affected versions : >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0
Patched versions :
https://symfony.com/cve-2026-46627

Reported 5/20/26

CVE-2026-46627

Sandbox property allowlist bypass via the `column` filter (array_column on objects)

Affected versions : >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0
Patched versions :
https://symfony.com/cve-2026-46635

Reported 5/20/26

CVE-2026-46635

The `spaceless` filter implicitly marks its output as safe

Affected versions : >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0
Patched versions :
https://symfony.com/cve-2026-46628

Reported 5/20/26

CVE-2026-46628

XSS in profiler HtmlDumper via unescaped template and profile names

Affected versions : >=3.0.0,<3.26.0
Patched versions :
https://symfony.com/cve-2026-47730

Reported 5/20/26

CVE-2026-47730

low Unguarded calls to __toString() when nesting an object into an array

Reported 11/6/24

CVE-2024-51754

2 symfony/http-foundation —— v5.4.40 +

high CVE-2025-64500: Incorrect parsing of PATH_INFO can lead to limited authorization bypass

Affected versions : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.50|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.29|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.3.7
Patched versions : 5.4.50 6.4.29 7.3.7 5.4.50 6.4.29 7.3.7
https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass

Reported 11/12/25

CVE-2025-64500

low CVE-2024-50345: Open redirect via browser-sanitized URLs

Affected versions : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7
Patched versions : 5.4.46 6.4.14 7.1.7 5.4.46 6.4.14 7.1.7
https://symfony.com/cve-2024-50345

Reported 11/5/24

CVE-2024-50345

2 symfony/process —— v5.4.40 +

high CVE-2024-51736: Command execution hijack on Windows with Process class

Reported 11/5/24

CVE-2024-51736

medium Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on Windows

Affected versions : >=8.0,<8.0.5|>=7.4,<7.4.5|>=7.3,<7.3.11|>=6.4,<6.4.33|<5.4.51
Patched versions : 5.4.51 6.4.33 7.3.11 7.4.5 8.0.5 5.4.51 6.4.33 7.3.11 7.4.5 8.0.5
https://github.com/advisories/GHSA-r39x-jcww-82v6

Reported 1/28/26

CVE-2026-24739

1 symfony/runtime —— v5.4.40 +

medium CVE-2024-50340: Ability to change environment from query

Affected versions : >=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7
Patched versions : 5.4.46 6.4.14 7.1.7 5.4.46 6.4.14 7.1.7
https://symfony.com/cve-2024-50340

Reported 11/5/24

CVE-2024-50340

1 symfony/http-client —— v5.4.40 +

low CVE-2024-50342: Internal address and port enumeration allowed by NoPrivateNetworkHttpClient

Affected versions : >=4.3.0,<4.4.0|>=4.4.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7
Patched versions : 5.4.46 6.4.14 7.1.7 5.4.46 6.4.14 7.1.7
https://symfony.com/cve-2024-50342

Reported 11/5/24

CVE-2024-50342

1 symfony/validator —— v5.4.40 +

low CVE-2024-50343: Incorrect response from Validator when input ends with ` `

Affected versions : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.43|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.11|>=7.0.0,<7.1.0|>=7.1.0,<7.1.4
Patched versions : 5.4.43 6.4.11 7.1.4 5.4.43 6.4.11 7.1.4
https://symfony.com/cve-2024-50343

Reported 8/30/24

CVE-2024-50343

2 symfony/security-http —— v5.4.40 +

high CVE-2024-51996: Authentication Bypass via persisted RememberMe cookie

Affected versions : >=5.3.0,<5.4.0|>=5.4.0,<5.4.47|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.15|>=7.0.0,<7.1.0|>=7.1.0,<7.1.8
Patched versions : 5.4.47 6.4.15 7.1.8
https://symfony.com/cve-2024-51996

Reported 11/13/24

CVE-2024-51996

CVE-2026-45063: Identity Spoofing via Unanchored DN Regex in X509Authenticator

Affected versions : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12
Patched versions :
https://symfony.com/cve-2026-45063

Reported 5/20/26

CVE-2026-45063

2 ibexa/http-cache —— v4.6.7 +

high BREACH vulnerability in varnish VCL and vhost templates

Reported 11/28/24

IBEXA-SA-2024-006

medium ibexa/http-cache affected by Breach with Varnish VCL

Affected versions : >=4.6.0,<4.6.14
Patched versions : 4.6.14
https://github.com/advisories/GHSA-fh7v-q458-7vmw

Reported 12/2/24

2 ibexa/post-install —— v4.6.7 +

high BREACH vulnerability in varnish VCL and vhost templates

Reported 11/28/24

IBEXA-SA-2024-006

medium ibexa/post-install affected by Breach with Varnish VCL

Affected versions : >=4.6.0,<4.6.14|>=1.0.0,<1.0.16
Patched versions : 1.0.16 4.6.14
https://github.com/advisories/GHSA-4h8f-c635-25p7

Reported 12/2/24

2 ibexa/admin-ui-assets —— v4.6.7 +

high XSS vulnerabilities in back office

Affected versions : v4.6.0,v4.6.20
Patched versions : v4.6.21
https://developers.ibexa.co/security-advisories/ibexa-sa-2025-003-xss-vulnerabilities-in-back-office

Reported 6/11/25

IBEXA-SA-2025-003

medium Ibexa Admin UI assets XSS vulnerabilities in back office

Affected versions : >=4.6.0-alpha1,<4.6.21
Patched versions : 4.6.21
https://github.com/advisories/GHSA-vhgq-r8gx-5fpv

Reported 6/13/25

3 webonyx/graphql-php —— v14.11.10 +

high webonyx/graphql-php has quadratic validation cost in OverlappingFieldsCanBeMerged via inline fragments

Affected versions : <15.32.2
Patched versions : 15.32.2
https://github.com/advisories/GHSA-fc86-6rv6-2jpm

Reported 5/4/26

high webonyx/graphql-php has unbounded recursion in parser that causes stack overflow on crafted nested input

Affected versions : <=15.32.2
Patched versions : 15.32.3
https://github.com/advisories/GHSA-r7cg-qjjm-xhqq

Reported 5/5/26

medium graphql-php is affected by a Denial of Service via quadratic complexity in OverlappingFieldsCanBeMerged validation

Affected versions : <=15.31.4
Patched versions : 15.31.5
https://github.com/advisories/GHSA-68jq-c3rv-pcrr

Reported 4/14/26

1 twig/intl-extra —— v3.10.0 +

Unbounded formatter memoisation in twig/intl-extra keyed on template-controlled arguments

Affected versions : >=2.12.0,<3.0.0|>=3.0.0,<3.26.0
Patched versions :
https://symfony.com/cve-2026-46629

Reported 5/20/26

CVE-2026-46629

1 symfony/cache —— v5.4.40 +

CVE-2026-45073: SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix

Reported 5/20/26

CVE-2026-45073

2 symfony/mime —— v5.4.40 +

CVE-2026-45067: Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address

Reported 5/20/26

CVE-2026-45067

CVE-2026-45070: Email Header Injection via Non-Token Characters in Mime Parameter Names

Reported 5/20/26

CVE-2026-45070

1 symfony/monolog-bridge —— v5.4.40 +

CVE-2026-45077: Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener

Reported 5/20/26

CVE-2026-45077

1 symfony/routing —— v5.4.40 +

CVE-2026-45065: UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection

Reported 5/20/26

CVE-2026-45065

3 symfony/yaml —— v5.4.40 +

CVE-2026-45133: YAML Parser Stack Exhaustion via Unbounded Recursion in Nested Blocks, Sequences, and Mappings

Reported 5/20/26

CVE-2026-45133

CVE-2026-45305: YAML Parser ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex

Reported 5/20/26

CVE-2026-45305

CVE-2026-45304: YAML Parser Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs")

Reported 5/20/26

CVE-2026-45304

Php

31 PHP —— 8.3.8 +

critical In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.

* [https://github.com/php/php-src/security/advisories/GHSA-5hqh-c84r-qjcv](https://github.com/php/php-src/security/advisories/GHSA-5hqh-c84r-qjcv)

Reported 11/24/24

CVE-2024-11236

critical In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing HTTP redirect in the response to an HTTP request, there is currently limit on the location value size caused by limited size of the location buffer to 1024. However as per RFC9110, the limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong location.

* [https://github.com/php/php-src/security/advisories/GHSA-52jp-hrpf-2jff](https://github.com/php/php-src/security/advisories/GHSA-52jp-hrpf-2jff)
* [https://security.netapp.com/advisory/ntap-20250523-0005/](https://security.netapp.com/advisory/ntap-20250523-0005/)

Reported 3/30/25

CVE-2025-1861

critical In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.

* [https://github.com/php/php-src/security/advisories/GHSA-85c2-q967-79q5](https://github.com/php/php-src/security/advisories/GHSA-85c2-q967-79q5)

Reported 5/10/26

CVE-2026-6722

high In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in convert.quoted-printable-decode filter certain data can lead to buffer overread by one byte, which can in certain circumstances lead to crashes or disclose content of other memory areas.

* [https://github.com/php/php-src/security/advisories/GHSA-r977-prxv-hc43](https://github.com/php/php-src/security/advisories/GHSA-r977-prxv-hc43)

Reported 11/24/24

CVE-2024-11233

high In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user.

* [https://github.com/php/php-src/security/advisories/GHSA-c5f2-jwm7-mmq2](https://github.com/php/php-src/security/advisories/GHSA-c5f2-jwm7-mmq2)

Reported 11/24/24

CVE-2024-11234

high In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??= operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution.

Affected versions : 8.3.0|8.3.18,8.4.0|8.4.5
Patched versions :
* [https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc6-8477](https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc6-8477)
* [https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc6-8477](https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc6-8477)

Reported 4/4/25

CVE-2024-11235

high In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using a certain non-standard configurations of Windows codepages, the fixes for CVE-2024-4577 https://github.com/advisories/GHSA-vxpp-6299-mxw3 may still be bypassed and the same command injection related to Windows "Best Fit" codepage behavior can be achieved. This may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

* [https://github.com/php/php-src/security/advisories/GHSA-p99j-rfp4-xqvq](https://github.com/php/php-src/security/advisories/GHSA-p99j-rfp4-xqvq)

Reported 10/8/24

CVE-2024-8926

high In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.

* [https://github.com/php/php-src/security/advisories/GHSA-94p6-54jq-9mwp](https://github.com/php/php-src/security/advisories/GHSA-94p6-54jq-9mwp)

Reported 10/8/24

CVE-2024-8927

high In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server.

* [https://github.com/php/php-src/security/advisories/GHSA-3237-qqm7-mfv7](https://github.com/php/php-src/security/advisories/GHSA-3237-qqm7-mfv7)

Reported 12/27/25

CVE-2025-14177

high In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.

* [https://github.com/php/php-src/security/advisories/GHSA-h96m-rvf9-jgm2](https://github.com/php/php-src/security/advisories/GHSA-h96m-rvf9-jgm2)

Reported 12/27/25

CVE-2025-14178

high In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.

* [https://github.com/php/php-src/security/advisories/GHSA-w476-322c-wpvm](https://github.com/php/php-src/security/advisories/GHSA-w476-322c-wpvm)

Reported 5/10/26

CVE-2025-14179

high In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1 when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in pdo_parse_params() function. This may lead to crashes (segmentation fault) and affect the availability of the target server.

* [https://github.com/php/php-src/security/advisories/GHSA-8xr5-qppj-gvwj](https://github.com/php/php-src/security/advisories/GHSA-8xr5-qppj-gvwj)

Reported 12/27/25

CVE-2025-14180

high In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors. This could cause crashes if Postgres server rejects the string as invalid.

* [https://github.com/php/php-src/security/advisories/GHSA-hrwm-9436-5mv3](https://github.com/php/php-src/security/advisories/GHSA-hrwm-9436-5mv3)

Reported 7/13/25

CVE-2025-1735

high In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers be misinterpreted.

* [https://github.com/php/php-src/security/advisories/GHSA-hgf5-96fm-v528](https://github.com/php/php-src/security/advisories/GHSA-hgf5-96fm-v528)
* [https://security.netapp.com/advisory/ntap-20250523-0006/](https://security.netapp.com/advisory/ntap-20250523-0006/)

Reported 3/30/25

CVE-2025-1736

high In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.

* [https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv](https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv)

Reported 5/10/26

CVE-2026-6735

medium The parse_str function in (1) PHP, (2) Hardened-PHP, and (3) Suhosin, when called without a second parameter, might allow remote attackers to overwrite arbitrary variables by specifying variable names and values in the string to be parsed. NOTE: it is not clear whether this is a design limitation of the function or a bug in PHP, although it is likely to be regarded as a bug in Hardened-PHP and Suhosin.

* [http://osvdb.org/39834](http://osvdb.org/39834)
* [http://securityreason.com/securityalert/2800](http://securityreason.com/securityalert/2800)
* [http://www.acid-root.new.fr/advisories/14070612.txt](http://www.acid-root.new.fr/advisories/14070612.txt)
* [http://www.securityfocus.com/archive/1/471178/100/0/threaded](http://www.securityfocus.com/archive/1/471178/100/0/threaded)
* [http://www.securityfocus.com/archive/1/471204/100/0/threaded](http://www.securityfocus.com/archive/1/471204/100/0/threaded)
* [http://www.securityfocus.com/archive/1/471275/100/0/threaded](http://www.securityfocus.com/archive/1/471275/100/0/threaded)
* [https://exchange.xforce.ibmcloud.com/vulnerabilities/34836](https://exchange.xforce.ibmcloud.com/vulnerabilities/34836)

Reported 6/13/07

CVE-2007-3205

medium In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being processed. This could lead to malicious attacker able to control part of the submitted data being able to exclude portion of other data, potentially leading to erroneous application behavior.

* [https://github.com/php/php-src/security/advisories/GHSA-9pqp-7h25-4f32](https://github.com/php/php-src/security/advisories/GHSA-9pqp-7h25-4f32)

Reported 10/8/24

CVE-2024-8925

medium In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations.

Affected versions : 8.1.0|8.1.31,8.2.0|8.2.27,8.3.0|8.3.18,8.4.0|8.4.4
Patched versions :
* [https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc](https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc)
* [https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc](https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc)

Reported 3/30/25

CVE-2025-1219

medium In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 some functions like fsockopen() lack validation that the hostname supplied does not contain null characters. This may lead to other functions like parse_url() treat the hostname in different way, thus opening way to security problems if the user code implements access checks before access using such functions.

* [https://github.com/php/php-src/security/advisories/GHSA-3cr5-j632-f35r](https://github.com/php/php-src/security/advisories/GHSA-3cr5-j632-f35r)
* [https://github.com/php/php-src/security/advisories/GHSA-3cr5-j632-f35r](https://github.com/php/php-src/security/advisories/GHSA-3cr5-j632-f35r)

Reported 7/13/25

CVE-2025-1220

medium In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.

* [https://github.com/php/php-src/security/advisories/GHSA-pcmh-g36c-qc44](https://github.com/php/php-src/security/advisories/GHSA-pcmh-g36c-qc44)
* [https://security.netapp.com/advisory/ntap-20250523-0009/](https://security.netapp.com/advisory/ntap-20250523-0009/)

Reported 3/30/25

CVE-2025-1734

medium In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like isxdigit()). On the systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can lead to accessing array with negative offset, which can trigger a denial of service.

* [https://github.com/php/php-src/security/advisories/GHSA-m8rr-4c36-8gq4](https://github.com/php/php-src/security/advisories/GHSA-m8rr-4c36-8gq4)

Reported 5/10/26

CVE-2026-7258

medium In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. However, in the case SOAP requests results in an error, the persistance is handled incorrectly, resulting in freeing the object while keeping a pointer to it, which may lead to use-after-free. This may lead to memory corruption, information disclosure, or process crashes, with confidentiality, integrity, and availability impact on the vulnerable system.

* [https://github.com/php/php-src/security/advisories/GHSA-m33r-qmcv-p97q](https://github.com/php/php-src/security/advisories/GHSA-m33r-qmcv-p97q)

Reported 5/10/26

CVE-2026-7261

medium In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process.

* [https://github.com/php/php-src/security/advisories/GHSA-96wq-48vp-hh57](https://github.com/php/php-src/security/advisories/GHSA-96wq-48vp-hh57)

Reported 5/10/26

CVE-2026-7568

low In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.

* [https://github.com/php/php-src/security/advisories/GHSA-865w-9rf3-2wh5](https://github.com/php/php-src/security/advisories/GHSA-865w-9rf3-2wh5)

Reported 10/8/24

CVE-2024-9026

low In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when http request module parses HTTP response obtained from a server, folded headers are parsed incorrectly, which may lead to misinterpreting the response and using incorrect headers, MIME types, etc.

Affected versions : 8.1.0|8.1.31,8.2.0|8.2.27,8.3.0|8.3.18,8.4.0|8.4.4
Patched versions :
* [https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g](https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g)
* [https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g](https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g)

Reported 3/29/25

CVE-2025-1217

low In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to mb_regex_encoding().

* [https://github.com/php/php-src/security/advisories/GHSA-wm6j-2649-pv75](https://github.com/php/php-src/security/advisories/GHSA-wm6j-2649-pv75)

Reported 5/10/26

CVE-2026-7259

low In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element. This leads to dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service.

* [https://github.com/php/php-src/security/advisories/GHSA-hmxp-6pc4-f3vv](https://github.com/php/php-src/security/advisories/GHSA-hmxp-6pc4-f3vv)

Reported 5/10/26

CVE-2026-7262

unassigned A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.

* [https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/](https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/)
* [https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/](https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/)
* [https://kb.cert.org/vuls/id/123335](https://kb.cert.org/vuls/id/123335)
* [https://kb.cert.org/vuls/id/123335](https://kb.cert.org/vuls/id/123335)
* [https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way](https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way)
* [https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way](https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way)
* [https://www.cve.org/CVERecord?id=CVE-2024-1874](https://www.cve.org/CVERecord?id=CVE-2024-1874)
* [https://www.cve.org/CVERecord?id=CVE-2024-1874](https://www.cve.org/CVERecord?id=CVE-2024-1874)
* [https://www.cve.org/CVERecord?id=CVE-2024-22423](https://www.cve.org/CVERecord?id=CVE-2024-22423)
* [https://www.cve.org/CVERecord?id=CVE-2024-22423](https://www.cve.org/CVERecord?id=CVE-2024-22423)
* [https://www.cve.org/CVERecord?id=CVE-2024-24576](https://www.cve.org/CVERecord?id=CVE-2024-24576)
* [https://www.cve.org/CVERecord?id=CVE-2024-24576](https://www.cve.org/CVERecord?id=CVE-2024-24576)
* [https://www.kb.cert.org/vuls/id/123335](https://www.kb.cert.org/vuls/id/123335)
* [https://www.kb.cert.org/vuls/id/123335](https://www.kb.cert.org/vuls/id/123335)

Reported 4/10/24

CVE-2024-3566

unassigned In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, a hostile MySQL server can cause the client to disclose the content of its heap containing data from other SQL requests and possible other data belonging to different users of the same server.

* [https://github.com/php/php-src/security/advisories/GHSA-h35g-vwh6-m678](https://github.com/php/php-src/security/advisories/GHSA-h35g-vwh6-m678)
* [https://security.netapp.com/advisory/ntap-20250110-0008/](https://security.netapp.com/advisory/ntap-20250110-0008/)

Reported 11/22/24

CVE-2024-8929

unassigned In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.

* [https://github.com/php/php-src/security/advisories/GHSA-g665-fm4p-vhff](https://github.com/php/php-src/security/advisories/GHSA-g665-fm4p-vhff)
* [https://security.netapp.com/advisory/ntap-20250110-0009/](https://security.netapp.com/advisory/ntap-20250110-0009/)

Reported 11/22/24

CVE-2024-8932

unassigned In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 when parsing XML data in SOAP extensions, overly large (>2Gb) XML namespace prefix may lead to null pointer dereference. This may lead to crashes and affect the availability of the target server.

* [https://github.com/php/php-src/security/advisories/GHSA-453j-q27h-5p8x](https://github.com/php/php-src/security/advisories/GHSA-453j-q27h-5p8x)
* [https://github.com/php/php-src/security/advisories/GHSA-453j-q27h-5p8x](https://github.com/php/php-src/security/advisories/GHSA-453j-q27h-5p8x)

Reported 7/13/25

CVE-2025-6491

6 abandonned packages has been found

Abandoned package	Suggested replacement
sensio/framework-extra-bundle	Symfony
php-http/message-factory	psr/http-factory
platformsh/symfonyflex-bridge	None
swiftmailer/swiftmailer	symfony/mailer
symfony/swiftmailer-bundle	symfony/mailer
php-http/guzzle6-adapter	guzzlehttp/guzzle or php-http/guzzle7-adapter

Summary Possible update

Your version is Ibexa 4.6

Your version is Php 7.4

Your version is Symfony 5.4

Badge

[![Vulnerabilities](https://audit.security.code-rhapsodie.fr/badge/018fdea7-1ba2-7bdf-abab-51452e155926?type=vulnerabilities)](https://audit.security.code-rhapsodie.fr/en/project/018fdea7-1ba2-7bdf-abab-51452e155926)

[![Vulnerabilities](https://audit.security.code-rhapsodie.fr/badge/018fdea7-1ba2-7bdf-abab-51452e155926?type=vulnerabilities&version=little)](https://audit.security.code-rhapsodie.fr/en/project/018fdea7-1ba2-7bdf-abab-51452e155926)

[![Abandonned](https://audit.security.code-rhapsodie.fr/badge/018fdea7-1ba2-7bdf-abab-51452e155926?type=abandonned)](https://audit.security.code-rhapsodie.fr/en/project/018fdea7-1ba2-7bdf-abab-51452e155926)

[![Abandonned](https://audit.security.code-rhapsodie.fr/badge/018fdea7-1ba2-7bdf-abab-51452e155926?type=abandonned&version=little)](https://audit.security.code-rhapsodie.fr/en/project/018fdea7-1ba2-7bdf-abab-51452e155926)