prod
Prestashop 8.1.6
105 vulnérabilités ont été trouvés
3 paquets abandonnés ont été trouvés
Dernière analyse : il y a 1 heure
Pas de résultat.
105 vulnérabilités ont été trouvés
| # | Total | C | H | M | L | |
|---|---|---|---|---|---|---|
| Composer | 64 | 0 | 21 | 20 | 5 | 0 |
| Prestashop/prestashop | 5 | 0 | 1 | 3 | 1 | 0 |
| Php | 36 | 4 | 12 | 10 | 4 | 6 |
Composer
1 league/oauth2-server —— 8.3.5 +
high league/oauth2-server key exposed in exception message when passing as a string and providing an invalid pass phrase
Versions affectées : >=8.5.0,<8.5.3|>=8.3.2,<8.4.2Versions patchées : 8.4.2 8.5.3
https://github.com/advisories/GHSA-wj7q-gjg8-3cpm
Signalée 06/07/2023
CVE-2023-37260
18 symfony/symfony —— v4.4.50 +
high CVE-2024-51736: Command execution hijack on Windows with Process class
Versions affectées : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7Versions patchées : 5.4.46 6.4.14 7.1.7 5.4.46 6.4.14 7.1.7
https://symfony.com/cve-2024-51736
Signalée 05/11/2024
CVE-2024-51736
high CVE-2025-64500: Incorrect parsing of PATH_INFO can lead to limited authorization bypass
Versions affectées : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.50|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.29|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.3.7Versions patchées : 5.4.50 6.4.29 7.3.7 5.4.50 6.4.29 7.3.7
https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass
Signalée 12/11/2025
CVE-2025-64500
medium Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on Windows
Versions affectées : >=8.0,<8.0.5|>=7.4,<7.4.5|>=7.3,<7.3.11|>=6.4,<6.4.33|<5.4.51Versions patchées : 5.4.51 6.4.33 7.3.11 7.4.5 8.0.5 5.4.51 6.4.33 7.3.11 7.4.5 8.0.5
https://github.com/advisories/GHSA-r39x-jcww-82v6
Signalée 28/01/2026
CVE-2026-24739
medium CVE-2023-46734: Potential XSS vulnerabilities in CodeExtension filters
Versions affectées : >=2.0.0,<2.1.0|>=2.1.0,<2.2.0|>=2.2.0,<2.3.0|>=2.3.0,<2.4.0|>=2.4.0,<2.5.0|>=2.5.0,<2.6.0|>=2.6.0,<2.7.0|>=2.7.0,<2.8.0|>=2.8.0,<3.0.0|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.4.0|>=3.4.0,<4.0.0|>=4.0.0,<4.1.0|>=4.1.0,<4.2.0|>=4.2.0,<4.3.0|>=4.3.0,<4.4.0|>=4.4.0,<4.4.51|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.31|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.3.8Versions patchées : 4.4.51 5.4.31 6.3.8 4.4.51 5.4.31 6.3.8
https://symfony.com/cve-2023-46734
Signalée 10/11/2023
CVE-2023-46734
CVE-2026-45077: Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener
Versions affectées : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12Versions patchées :
https://symfony.com/cve-2026-45077
Signalée 20/05/2026
CVE-2026-45077
low CVE-2024-50343: Incorrect response from Validator when input ends with ` `
Versions affectées : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.43|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.11|>=7.0.0,<7.1.0|>=7.1.0,<7.1.4Versions patchées : 5.4.43 6.4.11 7.1.4 5.4.43 6.4.11 7.1.4
https://symfony.com/cve-2024-50343
Signalée 30/08/2024
CVE-2024-50343
CVE-2026-45073: SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix
Versions affectées : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12Versions patchées :
https://symfony.com/cve-2026-45073
Signalée 20/05/2026
CVE-2026-45073
CVE-2026-45304: YAML Parser Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs")
Versions affectées : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12Versions patchées :
https://symfony.com/cve-2026-45304
Signalée 20/05/2026
CVE-2026-45304
CVE-2026-45065: UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection
Versions affectées : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12Versions patchées :
https://symfony.com/cve-2026-45065
Signalée 20/05/2026
CVE-2026-45065
CVE-2026-45068: Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address
Versions affectées : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12Versions patchées :
https://symfony.com/cve-2026-45068
Signalée 20/05/2026
CVE-2026-45068
CVE-2026-45071: XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true
Versions affectées : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12Versions patchées :
https://symfony.com/cve-2026-45071
Signalée 20/05/2026
CVE-2026-45071
CVE-2026-45305: YAML Parser ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex
Versions affectées : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12Versions patchées :
https://symfony.com/cve-2026-45305
Signalée 20/05/2026
CVE-2026-45305
CVE-2026-45070: Email Header Injection via Non-Token Characters in Mime Parameter Names
Versions affectées : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12Versions patchées :
https://symfony.com/cve-2026-45070
Signalée 20/05/2026
CVE-2026-45070
low CVE-2024-50345: Open redirect via browser-sanitized URLs
Versions affectées : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7Versions patchées : 5.4.46 6.4.14 7.1.7 5.4.46 6.4.14 7.1.7
https://symfony.com/cve-2024-50345
Signalée 05/11/2024
CVE-2024-50345
low CVE-2024-50342: Internal address and port enumeration allowed by NoPrivateNetworkHttpClient
Versions affectées : >=4.3.0,<4.4.0|>=4.4.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7Versions patchées : 5.4.46 6.4.14 7.1.7 5.4.46 6.4.14 7.1.7
https://symfony.com/cve-2024-50342
Signalée 05/11/2024
CVE-2024-50342
CVE-2026-45133: YAML Parser Stack Exhaustion via Unbounded Recursion in Nested Blocks, Sequences, and Mappings
Versions affectées : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12Versions patchées :
https://symfony.com/cve-2026-45133
Signalée 20/05/2026
CVE-2026-45133
CVE-2026-45063: Identity Spoofing via Unanchored DN Regex in X509Authenticator
Versions affectées : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12Versions patchées :
https://symfony.com/cve-2026-45063
Signalée 20/05/2026
CVE-2026-45063
CVE-2026-45067: Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address
Versions affectées : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12Versions patchées :
https://symfony.com/cve-2026-45067
Signalée 20/05/2026
CVE-2026-45067
high TCPDF missing certificate validation
Versions affectées : <6.8.0Versions patchées : 6.8.0
https://github.com/advisories/GHSA-9mgx-552f-59p6
Signalée 27/12/2024
CVE-2024-56521
medium TCPDF Local File Inclusion vulnerability
Versions affectées : <=6.7.5Versions patchées : 6.7.6
https://github.com/advisories/GHSA-rmv2-8jjc-23xw
Signalée 26/11/2024
CVE-2024-51058
medium TCPDF Cross-site Scripting vulnerability
Versions affectées : <6.7.4Versions patchées : 6.7.4
https://github.com/advisories/GHSA-g9wg-98c2-qv3v
Signalée 15/04/2024
CVE-2024-32489
medium TCPDF vulnerable to Regular Expression Denial of Service
Versions affectées : <=6.7.4Versions patchées :
https://github.com/advisories/GHSA-mx3p-fhpw-x6rv
Signalée 19/04/2024
CVE-2024-22640
medium TCPDF lacks SVG sanitization
Versions affectées : <6.8.0Versions patchées : 6.8.0
https://github.com/advisories/GHSA-4p8j-vhjm-6pvw
Signalée 27/12/2024
CVE-2024-56519
medium TCPDF has incorrect comparison
Versions affectées : <6.8.0Versions patchées : 6.8.0
https://github.com/advisories/GHSA-w95c-7994-ghpr
Signalée 27/12/2024
CVE-2024-56522
medium TCPDF missing character escape on error messages
Versions affectées : <6.8.0Versions patchées : 6.8.0
https://github.com/advisories/GHSA-qx95-cwh6-9mvq
Signalée 27/12/2024
CVE-2024-56527
high Smarty vulnerable to PHP Code Injection by malicious attribute in extends-tag
Versions affectées : >=3.0.0,<4.5.3|>=5.0.0,<5.1.1Versions patchées : 5.1.1 4.5.3
https://github.com/advisories/GHSA-4rmg-292m-wg3w
Signalée 29/05/2024
CVE-2024-35226
24 phpoffice/phpspreadsheet —— 1.19.0 +
high PhpSpreadsheet allows unauthorized Reflected XSS in the Accounting.php file
Versions affectées : >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0Versions patchées : 3.7.0 1.29.7 2.1.6 2.3.5
https://github.com/advisories/GHSA-c6fv-7vh8-2rhr
Signalée 03/01/2025
CVE-2024-56366
high PhpSpreadsheet vulnerable to SSRF when reading and displaying a processed HTML document in the browser
Versions affectées : >=4.0.0,<5.0.0|>=3.0.0,<3.10.0|>=2.2.0,<2.4.0|>=2.0.0,<2.1.12|<1.30.0Versions patchées : 1.30.0 2.1.12 2.4.0 3.10.0 5.0.0
https://github.com/advisories/GHSA-rx7m-68vc-ppxh
Signalée 25/08/2025
CVE-2025-54370
high PhpSpreadsheet has SSRF/RCE in IOFactory::load when $filename is user controlled
Versions affectées : <=1.30.2|>=2.0.0,<=2.1.14|>=2.2.0,<=2.4.3|>=3.3.0,<=3.10.3|>=4.0.0,<=5.5.0Versions patchées : 5.6.0 3.10.4 2.4.4 2.1.15 1.30.3
https://github.com/advisories/GHSA-q4q6-r8wh-5cgh
Signalée 29/04/2026
CVE-2026-34084
high PhpSpreadsheet allows unauthorized Reflected XSS in `Convert-Online.php` file
Versions affectées : >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0Versions patchées : 3.7.0 1.29.7 2.1.6 2.3.5
https://github.com/advisories/GHSA-x88g-h956-m5xg
Signalée 03/01/2025
CVE-2024-56408
high XmlScanner bypass leads to XXE
Versions affectées : >=3.3.0,<3.4.0|>=2.2.0,<2.3.2|>=2.0.0,<2.1.3|<1.29.4Versions patchées : 1.29.4 2.1.3 2.3.2 3.4.0
https://github.com/advisories/GHSA-jw4x-v69f-hh5w
Signalée 18/11/2024
CVE-2024-47873
high XXE in PHPSpreadsheet's XLSX reader
Versions affectées : >=3.3.0,<3.4.0|>=2.2.0,<2.3.2|>=2.0.0,<2.1.3|<1.29.4Versions patchées : 1.29.4 2.1.3 2.3.2 3.4.0
https://github.com/advisories/GHSA-7cc9-j4mv-vcjp
Signalée 18/11/2024
CVE-2024-48917
high PhpSpreadsheet has CPU Denial of Service via Unbounded Row Number in XLSX Row Dimensions
Versions affectées : <=1.30.3|>=2.0.0,<=2.1.15|>=2.2.0,<=2.4.4|>=3.3.0,<=3.10.4|>=4.0.0,<=5.6.0Versions patchées : 5.7.0 3.10.5 2.4.5 2.1.16 1.30.4
https://github.com/advisories/GHSA-7c6m-4442-2x6m
Signalée 29/04/2026
CVE-2026-40902
high PhpSpreadsheet allows unauthorized Reflected XSS in the constructor of the Downloader class
Versions affectées : >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0Versions patchées : 3.7.0 1.29.7 2.1.6 2.3.5
https://github.com/advisories/GHSA-jmpx-686v-c3wx
Signalée 03/01/2025
CVE-2024-56365
high XXE in PHPSpreadsheet's XLSX reader
Versions affectées : >=2.0.0,<2.1.1|<1.29.1|>=2.2.0,<2.3.0Versions patchées : 2.3.0 1.29.1 2.1.1
https://github.com/advisories/GHSA-6hwr-6v2f-3m88
Signalée 07/10/2024
CVE-2024-45293
high PhpSpreadsheet has CPU Denial of Service via Unbounded Row Index in SpreadsheetML XML Reader
Versions affectées : <=1.30.3|>=2.0.0,<=2.1.15|>=2.2.0,<=2.4.4|>=3.3.0,<=3.10.4|>=4.0.0,<=5.6.0Versions patchées : 5.7.0 3.10.5 2.4.5 2.1.16 1.30.4
https://github.com/advisories/GHSA-84wq-86v6-x5j6
Signalée 29/04/2026
CVE-2026-40863
high PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery when opening XLSX file
Versions affectées : >=2.0.0,<2.1.1|<1.29.2|>=2.2.0,<2.3.0Versions patchées : 2.3.0 1.29.2 2.1.1
https://github.com/advisories/GHSA-5gpr-w2p5-6m37
Signalée 07/10/2024
CVE-2024-45290
high XXE in PHPSpreadsheet encoding is returned
Versions affectées : <2.2.1Versions patchées : 2.2.1
https://github.com/advisories/GHSA-ghg6-32f9-2jp7
Signalée 29/08/2024
CVE-2024-45048
high PhpSpreadsheet allows unauthorized Reflected XSS in Currency.php file
Versions affectées : >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0Versions patchées : 3.7.0 1.29.7 2.1.6 2.3.5
https://github.com/advisories/GHSA-j2xg-cjcx-4677
Signalée 03/01/2025
CVE-2024-56409
medium PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability in custom properties
Versions affectées : >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0Versions patchées : 3.7.0 1.29.7 2.1.6 2.3.5
https://github.com/advisories/GHSA-wv23-996v-q229
Signalée 03/01/2025
CVE-2024-56410
medium PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery in HTML writer when embedding images is enabled
Versions affectées : >=2.0.0,<2.1.1|<1.29.2|>=2.2.0,<2.3.0Versions patchées : 2.3.0 1.29.2 2.1.1
https://github.com/advisories/GHSA-w9xv-qf98-ccq4
Signalée 07/10/2024
CVE-2024-45291
medium PhpSpreadsheet allows bypass XSS sanitizer using the javascript protocol and special characters
Versions affectées : >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0Versions patchées : 3.7.0 1.29.7 2.1.6 2.3.5
https://github.com/advisories/GHSA-q9jv-mm3r-j47r
Signalée 03/01/2025
CVE-2024-56412
medium PhpSpreadsheet allows bypassing of XSS sanitizer using the javascript protocol and special characters
Versions affectées : >=2.0.0,<2.1.8|>=2.2.0,<2.3.7|<1.29.9|>=3.0.0,<3.9.0Versions patchées : 3.9.0 1.29.9 2.3.7 2.1.8
https://github.com/advisories/GHSA-r57h-547h-w24f
Signalée 03/02/2025
CVE-2025-23210
medium PhpSpreadsheet has an Unauthenticated Cross-Site-Scripting (XSS) in sample file
Versions affectées : >=2.0.0,<2.1.1|<1.29.2|>=2.2.0,<2.3.0Versions patchées : 2.3.0 1.29.2 2.1.1
https://github.com/advisories/GHSA-v66g-p9x6-v98p
Signalée 07/10/2024
CVE-2024-45060
medium PhpSpreadsheet has XSS via number format code with @ text placeholder bypasses htmlspecialchars in HTML writer
Versions affectées : <=1.30.3|>=2.0.0,<=2.1.15|>=2.2.0,<=2.4.4|>=3.3.0,<=3.10.4|>=4.0.0,<=5.6.0Versions patchées : 5.7.0 3.10.5 2.4.5 2.1.16 1.30.4
https://github.com/advisories/GHSA-hrmw-qprp-wgmc
Signalée 28/04/2026
CVE-2026-40296
medium PhpSpreadsheet has XSS via NumberFormat @ Text Substitution in HTML Writer
Versions affectées : <=1.30.3|>=2.0.0,<=2.1.15|>=2.2.0,<=2.4.4|>=3.3.0,<=3.10.4|>=4.0.0,<=5.6.0Versions patchées : 5.7.0 3.10.5 2.4.5 2.1.16 1.30.4
https://github.com/advisories/GHSA-6wpp-88cp-7q68
Signalée 28/04/2026
CVE-2026-35453
medium PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information
Versions affectées : <2.1.0Versions patchées : 2.1.0
https://github.com/advisories/GHSA-wgmf-q9vr-vww6
Signalée 29/08/2024
CVE-2024-45046
medium PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header
Versions affectées : >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0Versions patchées : 3.7.0 1.29.7 2.1.6 2.3.5
https://github.com/advisories/GHSA-hwcp-2h35-p66w
Signalée 03/01/2025
CVE-2024-56411
medium PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks
Versions affectées : >=2.0.0,<2.1.1|<1.29.2|>=2.2.0,<2.3.0Versions patchées : 2.3.0 1.29.2 2.1.1
https://github.com/advisories/GHSA-r8w8-74ww-j4wh
Signalée 07/10/2024
CVE-2024-45292
medium Cross-Site Scripting (XSS) vulnerability in generateNavigation() function in PhpSpreadsheet
Versions affectées : >=2.2.0,<2.3.6|>=2.0.0,<2.1.7|<1.29.8|>=3.0.0,<3.8.0Versions patchées : 3.8.0 1.29.8 2.1.7 2.3.6
https://github.com/advisories/GHSA-79xx-vf93-p7cx
Signalée 21/01/2025
CVE-2025-22131
high Twig has a possible sandbox bypass
Versions affectées : >=3.0.0,<3.14.0|>=2.0.0,<2.16.1|>=1.0.0,<1.44.8Versions patchées : 1.44.8 2.16.1 3.14.0
https://github.com/advisories/GHSA-6j75-5wfj-gh66
Signalée 09/09/2024
CVE-2024-45411
low Unguarded calls to __isset() and to array-accesses when the sandbox is enabled
Versions affectées : >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.11.2|>=3.12.0,<3.14.1Versions patchées : 3.11.2 3.14.1
https://symfony.com/blog/unguarded-calls-to-__isset-and-to-array-accesses-when-the-sandbox-is-enabled
Signalée 06/11/2024
CVE-2024-51755
`{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411)
Versions affectées : >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0Versions patchées :
https://symfony.com/cve-2026-46638
Signalée 20/05/2026
CVE-2026-46638
Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points
Versions affectées : >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0Versions patchées :
https://symfony.com/cve-2026-47732
Signalée 20/05/2026
CVE-2026-47732
PHP code injection via `{% use %}` template name
Versions affectées : >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0Versions patchées :
https://symfony.com/cve-2026-46633
Signalée 20/05/2026
CVE-2026-46633
Sandbox does not protect against resource exhaustion
Versions affectées : >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0Versions patchées :
https://symfony.com/cve-2026-46627
Signalée 20/05/2026
CVE-2026-46627
Sandbox property allowlist bypass via the `column` filter (array_column on objects)
Versions affectées : >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0Versions patchées :
https://symfony.com/cve-2026-46635
Signalée 20/05/2026
CVE-2026-46635
The `spaceless` filter implicitly marks its output as safe
Versions affectées : >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0Versions patchées :
https://symfony.com/cve-2026-46628
Signalée 20/05/2026
CVE-2026-46628
XSS in profiler HtmlDumper via unescaped template and profile names
Versions affectées : >=3.0.0,<3.26.0Versions patchées :
https://symfony.com/cve-2026-47730
Signalée 20/05/2026
CVE-2026-47730
low Unguarded calls to __toString() when nesting an object into an array
Versions affectées : >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.11.2|>=3.12.0,<3.14.1Versions patchées : 3.11.2 3.14.1
https://symfony.com/blog/unguarded-calls-to-__tostring-when-nesting-an-object-into-an-array
Signalée 06/11/2024
CVE-2024-51754
1 prestashop/ps_contactinfo —— v3.3.2 +
medium ps_contactinfo has a potential XSS due to usage of the nofilter tag in template
Versions affectées : <=3.3.2Versions patchées : 3.3.3
https://github.com/advisories/GHSA-35pq-7pv2-2rfw
Signalée 22/01/2025
CVE-2025-24027
2 api-platform/core —— v2.7.11 +
high GraphQL query operations security can be bypassed
Versions affectées : <4.0.22Versions patchées : 4.0.22 4.0.22
https://github.com/advisories/GHSA-cg3c-245w-728m
Signalée 04/04/2025
CVE-2025-31481
high GraphQL grant on a property might be cached with different objects
Versions affectées : <4.0.22Versions patchées : 4.0.22 4.0.22
https://github.com/advisories/GHSA-428q-q3vv-3fq3
Signalée 04/04/2025
CVE-2025-31485
Prestashop/prestashop
5 prestashop/prestashop —— 8.1.6 +
high An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade functionality. NOTE: this is disputed by multiple parties, who report that exploitation requires that an attacker be able to hijack network requests made by an admin user (who, by design, is allowed to change the code that is running on the server).
* [https://github.com/Fckroun/CVE-2024-41651/tree/main](https://github.com/Fckroun/CVE-2024-41651/tree/main)
Signalée 12/08/2024
CVE-2024-41651
medium PrestaShop is an open source e-commerce web application. Prior to 8.2.4 and 9.0.3, there is a time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in the system by measuring response times. This vulnerability is fixed in 8.2.4 and 9.0.3.
* [https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.4](https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.4)
* [https://github.com/PrestaShop/PrestaShop/releases/tag/9.0.3](https://github.com/PrestaShop/PrestaShop/releases/tag/9.0.3)
* [https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-67v7-3g49-mxh2](https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-67v7-3g49-mxh2)
Signalée 06/02/2026
CVE-2026-25597
medium PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 are vulnerable to stored Cross-Site Scripting (stored XSS) vulnerabilities in the BO. An attacker who can inject data into the database, via limited back-office access or a previously existing vulnerability, can exploit unprotected variables in back-office templates. Versions 8.2.5 and 9.1.0 contain a fix. No known workarounds are available.
* [https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.5](https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.5)
* [https://github.com/PrestaShop/PrestaShop/releases/tag/9.1.0](https://github.com/PrestaShop/PrestaShop/releases/tag/9.1.0)
* [https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-35pf-37c6-jxjv](https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-35pf-37c6-jxjv)
Signalée 26/03/2026
CVE-2026-33673
medium PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 improperly use the validation framework. Versions 8.2.5 and 9.1.0 contain a fix. No known workarounds are available.
* [https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.5](https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.5)
* [https://github.com/PrestaShop/PrestaShop/releases/tag/9.1.0](https://github.com/PrestaShop/PrestaShop/releases/tag/9.1.0)
* [https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-283w-xf3q-788v](https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-283w-xf3q-788v)
Signalée 26/03/2026
CVE-2026-33674
low An issue was discoverd in file controllers/admin/AdminLoginController.php in PrestaShop before 8.2.1 allowing attackers to gain sensitive information via the reset password feature.
* [https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.1](https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.1)
* [https://maxime-morel.github.io/advisories/2025/CVE-2025-51586.md](https://maxime-morel.github.io/advisories/2025/CVE-2025-51586.md)
* [https://prestashop.com/](https://prestashop.com/)
Signalée 08/09/2025
CVE-2025-51586
Php
critical In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.
* [https://github.com/php/php-src/security/advisories/GHSA-5hqh-c84r-qjcv](https://github.com/php/php-src/security/advisories/GHSA-5hqh-c84r-qjcv)
Signalée 24/11/2024
CVE-2024-11236
critical In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
* [https://github.com/php/php-src/security/advisories/GHSA-3qgc-jrrr-25jv](https://github.com/php/php-src/security/advisories/GHSA-3qgc-jrrr-25jv)
* [https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html](https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html)
* [https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/](https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/)
* [https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/](https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/)
* [https://www.imperva.com/blog/imperva-protects-against-critical-php-vulnerability-cve-2024-4577/](https://www.imperva.com/blog/imperva-protects-against-critical-php-vulnerability-cve-2024-4577/)
* [https://github.com/11whoami99/CVE-2024-4577](https://github.com/11whoami99/CVE-2024-4577)
* [https://github.com/xcanwin/CVE-2024-4577-PHP-RCE](https://github.com/xcanwin/CVE-2024-4577-PHP-RCE)
* [https://github.com/rapid7/metasploit-framework/pull/19247](https://github.com/rapid7/metasploit-framework/pull/19247)
* [https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/](https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/)
* [https://github.com/watchtowrlabs/CVE-2024-4577](https://github.com/watchtowrlabs/CVE-2024-4577)
* [https://www.php.net/ChangeLog-8.php#8.1.29](https://www.php.net/ChangeLog-8.php#8.1.29)
* [https://www.php.net/ChangeLog-8.php#8.2.20](https://www.php.net/ChangeLog-8.php#8.2.20)
* [https://www.php.net/ChangeLog-8.php#8.3.8](https://www.php.net/ChangeLog-8.php#8.3.8)
* [https://cert.be/en/advisory/warning-php-remote-code-execution-patch-immediately](https://cert.be/en/advisory/warning-php-remote-code-execution-patch-immediately)
* [https://isc.sans.edu/diary/30994](https://isc.sans.edu/diary/30994)
* [http://www.openwall.com/lists/oss-security/2024/06/07/1](http://www.openwall.com/lists/oss-security/2024/06/07/1)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/)
* [https://security.netapp.com/advisory/ntap-20240621-0008/](https://security.netapp.com/advisory/ntap-20240621-0008/)
Signalée 09/06/2024
CVE-2024-4577
critical In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing HTTP redirect in the response to an HTTP request, there is currently limit on the location value size caused by limited size of the location buffer to 1024. However as per RFC9110, the limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong location.
* [https://github.com/php/php-src/security/advisories/GHSA-52jp-hrpf-2jff](https://github.com/php/php-src/security/advisories/GHSA-52jp-hrpf-2jff)
* [https://security.netapp.com/advisory/ntap-20250523-0005/](https://security.netapp.com/advisory/ntap-20250523-0005/)
Signalée 30/03/2025
CVE-2025-1861
critical In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.
* [https://github.com/php/php-src/security/advisories/GHSA-85c2-q967-79q5](https://github.com/php/php-src/security/advisories/GHSA-85c2-q967-79q5)
Signalée 10/05/2026
CVE-2026-6722
high In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in convert.quoted-printable-decode filter certain data can lead to buffer overread by one byte, which can in certain circumstances lead to crashes or disclose content of other memory areas.
* [https://github.com/php/php-src/security/advisories/GHSA-r977-prxv-hc43](https://github.com/php/php-src/security/advisories/GHSA-r977-prxv-hc43)
Signalée 24/11/2024
CVE-2024-11233
high In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user.
* [https://github.com/php/php-src/security/advisories/GHSA-c5f2-jwm7-mmq2](https://github.com/php/php-src/security/advisories/GHSA-c5f2-jwm7-mmq2)
Signalée 24/11/2024
CVE-2024-11234
high In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.
* [https://github.com/php/php-src/security/advisories/GHSA-9fcc-425m-g385](https://github.com/php/php-src/security/advisories/GHSA-9fcc-425m-g385)
* [http://www.openwall.com/lists/oss-security/2024/06/07/1](http://www.openwall.com/lists/oss-security/2024/06/07/1)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/)
Signalée 09/06/2024
CVE-2024-5585
high In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using a certain non-standard configurations of Windows codepages, the fixes for CVE-2024-4577 https://github.com/advisories/GHSA-vxpp-6299-mxw3 may still be bypassed and the same command injection related to Windows "Best Fit" codepage behavior can be achieved. This may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
* [https://github.com/php/php-src/security/advisories/GHSA-p99j-rfp4-xqvq](https://github.com/php/php-src/security/advisories/GHSA-p99j-rfp4-xqvq)
Signalée 08/10/2024
CVE-2024-8926
high In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.
* [https://github.com/php/php-src/security/advisories/GHSA-94p6-54jq-9mwp](https://github.com/php/php-src/security/advisories/GHSA-94p6-54jq-9mwp)
Signalée 08/10/2024
CVE-2024-8927
high In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server.
* [https://github.com/php/php-src/security/advisories/GHSA-3237-qqm7-mfv7](https://github.com/php/php-src/security/advisories/GHSA-3237-qqm7-mfv7)
Signalée 27/12/2025
CVE-2025-14177
high In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.
* [https://github.com/php/php-src/security/advisories/GHSA-h96m-rvf9-jgm2](https://github.com/php/php-src/security/advisories/GHSA-h96m-rvf9-jgm2)
Signalée 27/12/2025
CVE-2025-14178
high In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.
* [https://github.com/php/php-src/security/advisories/GHSA-w476-322c-wpvm](https://github.com/php/php-src/security/advisories/GHSA-w476-322c-wpvm)
Signalée 10/05/2026
CVE-2025-14179
high In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1 when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in pdo_parse_params() function. This may lead to crashes (segmentation fault) and affect the availability of the target server.
* [https://github.com/php/php-src/security/advisories/GHSA-8xr5-qppj-gvwj](https://github.com/php/php-src/security/advisories/GHSA-8xr5-qppj-gvwj)
Signalée 27/12/2025
CVE-2025-14180
high In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors. This could cause crashes if Postgres server rejects the string as invalid.
* [https://github.com/php/php-src/security/advisories/GHSA-hrwm-9436-5mv3](https://github.com/php/php-src/security/advisories/GHSA-hrwm-9436-5mv3)
Signalée 13/07/2025
CVE-2025-1735
high In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers be misinterpreted.
* [https://github.com/php/php-src/security/advisories/GHSA-hgf5-96fm-v528](https://github.com/php/php-src/security/advisories/GHSA-hgf5-96fm-v528)
* [https://security.netapp.com/advisory/ntap-20250523-0006/](https://security.netapp.com/advisory/ntap-20250523-0006/)
Signalée 30/03/2025
CVE-2025-1736
high In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.
* [https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv](https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv)
Signalée 10/05/2026
CVE-2026-6735
medium The parse_str function in (1) PHP, (2) Hardened-PHP, and (3) Suhosin, when called without a second parameter, might allow remote attackers to overwrite arbitrary variables by specifying variable names and values in the string to be parsed. NOTE: it is not clear whether this is a design limitation of the function or a bug in PHP, although it is likely to be regarded as a bug in Hardened-PHP and Suhosin.
* [http://osvdb.org/39834](http://osvdb.org/39834)
* [http://securityreason.com/securityalert/2800](http://securityreason.com/securityalert/2800)
* [http://www.acid-root.new.fr/advisories/14070612.txt](http://www.acid-root.new.fr/advisories/14070612.txt)
* [http://www.securityfocus.com/archive/1/471178/100/0/threaded](http://www.securityfocus.com/archive/1/471178/100/0/threaded)
* [http://www.securityfocus.com/archive/1/471204/100/0/threaded](http://www.securityfocus.com/archive/1/471204/100/0/threaded)
* [http://www.securityfocus.com/archive/1/471275/100/0/threaded](http://www.securityfocus.com/archive/1/471275/100/0/threaded)
* [https://exchange.xforce.ibmcloud.com/vulnerabilities/34836](https://exchange.xforce.ibmcloud.com/vulnerabilities/34836)
Signalée 13/06/2007
CVE-2007-3205
medium The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable. PHP Windows builds for the versions 8.1.29, 8.2.20 and 8.3.8 and above include OpenSSL patches that fix the vulnerability.
* [https://github.com/php/php-src/security/advisories/GHSA-hh26-4ppw-5864](https://github.com/php/php-src/security/advisories/GHSA-hh26-4ppw-5864)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/)
Signalée 09/06/2024
CVE-2024-2408
medium In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly.
* [https://github.com/php/php-src/security/advisories/GHSA-w8qr-v226-r27w](https://github.com/php/php-src/security/advisories/GHSA-w8qr-v226-r27w)
* [http://www.openwall.com/lists/oss-security/2024/06/07/1](http://www.openwall.com/lists/oss-security/2024/06/07/1)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/)
* [https://lists.debian.org/debian-lts-announce/2024/06/msg00009.html](https://lists.debian.org/debian-lts-announce/2024/06/msg00009.html)
Signalée 09/06/2024
CVE-2024-5458
medium In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being processed. This could lead to malicious attacker able to control part of the submitted data being able to exclude portion of other data, potentially leading to erroneous application behavior.
* [https://github.com/php/php-src/security/advisories/GHSA-9pqp-7h25-4f32](https://github.com/php/php-src/security/advisories/GHSA-9pqp-7h25-4f32)
Signalée 08/10/2024
CVE-2024-8925
medium In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations.
Versions affectées : 8.1.0|8.1.31,8.2.0|8.2.27,8.3.0|8.3.18,8.4.0|8.4.4Versions patchées :
* [https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc](https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc)
* [https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc](https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc)
Signalée 30/03/2025
CVE-2025-1219
medium In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 some functions like fsockopen() lack validation that the hostname supplied does not contain null characters. This may lead to other functions like parse_url() treat the hostname in different way, thus opening way to security problems if the user code implements access checks before access using such functions.
* [https://github.com/php/php-src/security/advisories/GHSA-3cr5-j632-f35r](https://github.com/php/php-src/security/advisories/GHSA-3cr5-j632-f35r)
* [https://github.com/php/php-src/security/advisories/GHSA-3cr5-j632-f35r](https://github.com/php/php-src/security/advisories/GHSA-3cr5-j632-f35r)
Signalée 13/07/2025
CVE-2025-1220
medium In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.
* [https://github.com/php/php-src/security/advisories/GHSA-pcmh-g36c-qc44](https://github.com/php/php-src/security/advisories/GHSA-pcmh-g36c-qc44)
* [https://security.netapp.com/advisory/ntap-20250523-0009/](https://security.netapp.com/advisory/ntap-20250523-0009/)
Signalée 30/03/2025
CVE-2025-1734
medium In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like isxdigit()). On the systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can lead to accessing array with negative offset, which can trigger a denial of service.
* [https://github.com/php/php-src/security/advisories/GHSA-m8rr-4c36-8gq4](https://github.com/php/php-src/security/advisories/GHSA-m8rr-4c36-8gq4)
Signalée 10/05/2026
CVE-2026-7258
medium In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. However, in the case SOAP requests results in an error, the persistance is handled incorrectly, resulting in freeing the object while keeping a pointer to it, which may lead to use-after-free. This may lead to memory corruption, information disclosure, or process crashes, with confidentiality, integrity, and availability impact on the vulnerable system.
* [https://github.com/php/php-src/security/advisories/GHSA-m33r-qmcv-p97q](https://github.com/php/php-src/security/advisories/GHSA-m33r-qmcv-p97q)
Signalée 10/05/2026
CVE-2026-7261
medium In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process.
* [https://github.com/php/php-src/security/advisories/GHSA-96wq-48vp-hh57](https://github.com/php/php-src/security/advisories/GHSA-96wq-48vp-hh57)
Signalée 10/05/2026
CVE-2026-7568
low In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.
* [https://github.com/php/php-src/security/advisories/GHSA-865w-9rf3-2wh5](https://github.com/php/php-src/security/advisories/GHSA-865w-9rf3-2wh5)
Signalée 08/10/2024
CVE-2024-9026
low In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when http request module parses HTTP response obtained from a server, folded headers are parsed incorrectly, which may lead to misinterpreting the response and using incorrect headers, MIME types, etc.
Versions affectées : 8.1.0|8.1.31,8.2.0|8.2.27,8.3.0|8.3.18,8.4.0|8.4.4Versions patchées :
* [https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g](https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g)
* [https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g](https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g)
Signalée 29/03/2025
CVE-2025-1217
low In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to mb_regex_encoding().
* [https://github.com/php/php-src/security/advisories/GHSA-wm6j-2649-pv75](https://github.com/php/php-src/security/advisories/GHSA-wm6j-2649-pv75)
Signalée 10/05/2026
CVE-2026-7259
low In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element. This leads to dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service.
* [https://github.com/php/php-src/security/advisories/GHSA-hmxp-6pc4-f3vv](https://github.com/php/php-src/security/advisories/GHSA-hmxp-6pc4-f3vv)
Signalée 10/05/2026
CVE-2026-7262
unassigned In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.
* [http://www.openwall.com/lists/oss-security/2024/04/12/11](http://www.openwall.com/lists/oss-security/2024/04/12/11)
* [http://www.openwall.com/lists/oss-security/2024/04/12/11](http://www.openwall.com/lists/oss-security/2024/04/12/11)
* [http://www.openwall.com/lists/oss-security/2024/06/07/1](http://www.openwall.com/lists/oss-security/2024/06/07/1)
* [http://www.openwall.com/lists/oss-security/2024/06/07/1](http://www.openwall.com/lists/oss-security/2024/06/07/1)
* [https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7](https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7)
* [https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7](https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/)
* [https://security.netapp.com/advisory/ntap-20240510-0009/](https://security.netapp.com/advisory/ntap-20240510-0009/)
* [https://security.netapp.com/advisory/ntap-20240510-0009/](https://security.netapp.com/advisory/ntap-20240510-0009/)
* [https://www.vicarius.io/vsociety/posts/command-injection-vulnerability-in-php-on-windows-systems-cve-2024-1874-and-cve-2024-5585](https://www.vicarius.io/vsociety/posts/command-injection-vulnerability-in-php-on-windows-systems-cve-2024-1874-and-cve-2024-5585)
Signalée 29/04/2024
CVE-2024-1874
unassigned In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.
* [http://www.openwall.com/lists/oss-security/2024/04/12/11](http://www.openwall.com/lists/oss-security/2024/04/12/11)
* [http://www.openwall.com/lists/oss-security/2024/04/12/11](http://www.openwall.com/lists/oss-security/2024/04/12/11)
* [https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr](https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr)
* [https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr](https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr)
* [https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html](https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html)
* [https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html](https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html)
* [https://security.netapp.com/advisory/ntap-20240510-0010/](https://security.netapp.com/advisory/ntap-20240510-0010/)
* [https://security.netapp.com/advisory/ntap-20240510-0010/](https://security.netapp.com/advisory/ntap-20240510-0010/)
Signalée 29/04/2024
CVE-2024-3096
unassigned A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.
* [https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/](https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/)
* [https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/](https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/)
* [https://kb.cert.org/vuls/id/123335](https://kb.cert.org/vuls/id/123335)
* [https://kb.cert.org/vuls/id/123335](https://kb.cert.org/vuls/id/123335)
* [https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way](https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way)
* [https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way](https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way)
* [https://www.cve.org/CVERecord?id=CVE-2024-1874](https://www.cve.org/CVERecord?id=CVE-2024-1874)
* [https://www.cve.org/CVERecord?id=CVE-2024-1874](https://www.cve.org/CVERecord?id=CVE-2024-1874)
* [https://www.cve.org/CVERecord?id=CVE-2024-22423](https://www.cve.org/CVERecord?id=CVE-2024-22423)
* [https://www.cve.org/CVERecord?id=CVE-2024-22423](https://www.cve.org/CVERecord?id=CVE-2024-22423)
* [https://www.cve.org/CVERecord?id=CVE-2024-24576](https://www.cve.org/CVERecord?id=CVE-2024-24576)
* [https://www.cve.org/CVERecord?id=CVE-2024-24576](https://www.cve.org/CVERecord?id=CVE-2024-24576)
* [https://www.kb.cert.org/vuls/id/123335](https://www.kb.cert.org/vuls/id/123335)
* [https://www.kb.cert.org/vuls/id/123335](https://www.kb.cert.org/vuls/id/123335)
Signalée 10/04/2024
CVE-2024-3566
unassigned In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, a hostile MySQL server can cause the client to disclose the content of its heap containing data from other SQL requests and possible other data belonging to different users of the same server.
* [https://github.com/php/php-src/security/advisories/GHSA-h35g-vwh6-m678](https://github.com/php/php-src/security/advisories/GHSA-h35g-vwh6-m678)
* [https://security.netapp.com/advisory/ntap-20250110-0008/](https://security.netapp.com/advisory/ntap-20250110-0008/)
Signalée 22/11/2024
CVE-2024-8929
unassigned In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.
* [https://github.com/php/php-src/security/advisories/GHSA-g665-fm4p-vhff](https://github.com/php/php-src/security/advisories/GHSA-g665-fm4p-vhff)
* [https://security.netapp.com/advisory/ntap-20250110-0009/](https://security.netapp.com/advisory/ntap-20250110-0009/)
Signalée 22/11/2024
CVE-2024-8932
unassigned In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 when parsing XML data in SOAP extensions, overly large (>2Gb) XML namespace prefix may lead to null pointer dereference. This may lead to crashes and affect the availability of the target server.
* [https://github.com/php/php-src/security/advisories/GHSA-453j-q27h-5p8x](https://github.com/php/php-src/security/advisories/GHSA-453j-q27h-5p8x)
* [https://github.com/php/php-src/security/advisories/GHSA-453j-q27h-5p8x](https://github.com/php/php-src/security/advisories/GHSA-453j-q27h-5p8x)
Signalée 13/07/2025
CVE-2025-6491
3 paquets abandonnés ont été trouvés
| Paquet abandonné | Remplacement suggéré |
|---|---|
| swiftmailer/swiftmailer | symfony/mailer |
| symfony/swiftmailer-bundle | symfony/mailer |
| sensio/framework-extra-bundle | Symfony |
Share
Badge
[](https://audit.security.code-rhapsodie.fr/fr/project/018f85c8-261e-7b77-b73b-fcb17e7205d3)
[](https://audit.security.code-rhapsodie.fr/fr/project/018f85c8-261e-7b77-b73b-fcb17e7205d3)
[](https://audit.security.code-rhapsodie.fr/fr/project/018f85c8-261e-7b77-b73b-fcb17e7205d3)
[](https://audit.security.code-rhapsodie.fr/fr/project/018f85c8-261e-7b77-b73b-fcb17e7205d3)