Security Audit v2.9.4

Langue
- English
- Français
Connexion / Inscription

prod

Ibexa OSS 4.6

96 vulnérabilités ont été trouvés

6 paquets abandonnés ont été trouvés

Dernière analyse : il y a 18 heures

Pas de résultat.

96 vulnérabilités ont été trouvés

#	Total	C	H	M	L
Composer	65	0	15	17	5	0
Php	31	3	12	8	4	4

Composer

6 ibexa/admin-ui —— v4.6.7 +

high XSS in fields used in the Content name pattern

Versions affectées : v4.0.0,v4.0.8|v4.1.0,v4.1.5|v4.2.0,v4.2.4|v4.3.0,v4.3.5|v4.4.0,v4.4.4|v4.5.0,v4.5.7|v4.6.0,v4.6.13
Versions patchées : v4.6.14
https://developers.ibexa.co/security-advisories/ibexa-sa-2024-006-vulnerabilities-in-content-name-pattern-commerce-shop-and-varnish-vhost-templates

Signalée 28/11/2024

IBEXA-SA-2024-006

high XSS vulnerabilities in back office

Versions affectées : v4.6.0,v4.6.20
Versions patchées : v4.6.21
https://developers.ibexa.co/security-advisories/ibexa-sa-2025-003-xss-vulnerabilities-in-back-office

Signalée 11/06/2025

IBEXA-SA-2025-003

medium Ibexa Admin UI XSS vulnerabilities in back office

Versions affectées : >=4.6.0-beta1,<4.6.21
Versions patchées : 4.6.21
https://github.com/advisories/GHSA-5r6x-g6jv-4v87

Signalée 13/06/2025

medium ibexa/admin-ui has an XSS vulnerability in Cancel/Reschedule future publication modal

Versions affectées : >=4.6.0,<4.6.25|>=5.0.0,<5.0.3
Versions patchées : 5.0.3 4.6.25
https://github.com/advisories/GHSA-2mx6-fq24-g2mh

Signalée 17/10/2025

medium Ibexa Admin UI vulnerable to DOM-based Cross-site Scripting in file upload widget

Versions affectées : >=4.6.0-beta1,<4.6.9
Versions patchées : 4.6.9
https://github.com/advisories/GHSA-qm44-wjm2-pr59

Signalée 31/07/2024

CVE-2024-39318

medium Ibexa Admin UI vulnerable to Cross-site Scripting in a field that is used in the Content name pattern

Versions affectées : >=4.6.0,<4.6.14
Versions patchées : 4.6.14
https://github.com/advisories/GHSA-8w3p-gf85-qcch

Signalée 02/12/2024

CVE-2024-53864

6 ibexa/fieldtype-richtext —— v4.6.7 +

high XXE vulnerability in RichText

Versions affectées : v4.6.0,v4.6.18
Versions patchées : v4.6.19
https://developers.ibexa.co/security-advisories/ibexa-sa-2025-002-xxe-vulnerability-in-richtext

Signalée 09/04/2025

IBEXA-SA-2025-002

high XSS vulnerabilities in back office

Versions affectées : v4.6.0,v4.6.20
Versions patchées : v4.6.21
https://developers.ibexa.co/security-advisories/ibexa-sa-2025-003-xss-vulnerabilities-in-back-office

Signalée 11/06/2025

IBEXA-SA-2025-003

high Persistent Cross-site Scripting in Ibexa RichText Field Type

Versions affectées : >=4.6.0,<4.6.10
Versions patchées : 4.6.10
https://github.com/advisories/GHSA-hvcf-6324-cjh7

Signalée 14/08/2024

CVE-2024-43369

high ibexa/fieldtype-richtext allows access to external entities in XML

Versions affectées : >=4.6.0-beta1,<4.6.19
Versions patchées : 4.6.19
https://github.com/advisories/GHSA-cj3w-g42v-wcj6

Signalée 10/04/2025

medium Ibexa RichText Field Type XSS vulnerabilities in back office

Versions affectées : >=4.6.0-beta1,<4.6.21
Versions patchées : 4.6.21
https://github.com/advisories/GHSA-9qv6-4pwm-m68f

Signalée 13/06/2025

medium ibexa/fieldtype-richtext has an XSS vulnerability via acronym custom tag in Rich Text

Versions affectées : >=4.6.0,<4.6.25|>=5.0.0,<5.0.3
Versions patchées : 5.0.3 4.6.25
https://github.com/advisories/GHSA-8c2g-f8jm-5cr7

Signalée 17/10/2025

17 twig/twig —— v3.10.3 +

high Twig has a possible sandbox bypass

Versions affectées : >=3.0.0,<3.14.0|>=2.0.0,<2.16.1|>=1.0.0,<1.44.8
Versions patchées : 1.44.8 2.16.1 3.14.0
https://github.com/advisories/GHSA-6j75-5wfj-gh66

Signalée 09/09/2024

CVE-2024-45411

Sandbox `__toString()` policy bypass via dynamic mapping keys

Versions affectées : >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.27.0
Versions patchées :
https://symfony.com/blog/cve-2026-48806-sandbox-tostring-policy-bypass-via-dynamic-mapping-keys

Signalée 27/05/2026

CVE-2026-48806

`template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name

Versions affectées : >=3.9.0,<3.26.0
Versions patchées :
https://symfony.com/cve-2026-46634

Signalée 20/05/2026

CVE-2026-46634

low Unguarded calls to __isset() and to array-accesses when the sandbox is enabled

Versions affectées : >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.11.2|>=3.12.0,<3.14.1
Versions patchées : 3.11.2 3.14.1
https://symfony.com/blog/unguarded-calls-to-__isset-and-to-array-accesses-when-the-sandbox-is-enabled

Signalée 06/11/2024

CVE-2024-51755

`{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411)

Versions affectées : >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0
Versions patchées :
https://symfony.com/cve-2026-46638

Signalée 20/05/2026

CVE-2026-46638

Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points

Versions affectées : >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0
Versions patchées :
https://symfony.com/cve-2026-47732

Signalée 20/05/2026

CVE-2026-47732

Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`

Versions affectées : >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.27.0
Versions patchées :
https://symfony.com/blog/cve-2026-48808-sandbox-property-allowlist-bypass-via-the-column-filter-under-sourcepolicyinterface

Signalée 27/05/2026

CVE-2026-48808

Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`

Versions affectées : >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.27.0
Versions patchées :
https://symfony.com/blog/cve-2026-48805-sandbox-state-regression-in-deprecated-internal-wrappers-in-src-resources-core-php

Signalée 27/05/2026

CVE-2026-48805

Possible sandbox bypass when using a source policy

Versions affectées : >=2.16.0,<3.0.0|>=3.9.0,<3.26.0
Versions patchées :
https://symfony.com/cve-2026-24425

Signalée 20/05/2026

CVE-2026-24425

PHP code injection via `{% use %}` template name

Versions affectées : >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0
Versions patchées :
https://symfony.com/cve-2026-46633

Signalée 20/05/2026

CVE-2026-46633

Sandbox does not protect against resource exhaustion

Versions affectées : >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0
Versions patchées :
https://symfony.com/cve-2026-46627

Signalée 20/05/2026

CVE-2026-46627

Sandbox property allowlist bypass via the `column` filter (array_column on objects)

Versions affectées : >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0
Versions patchées :
https://symfony.com/cve-2026-46635

Signalée 20/05/2026

CVE-2026-46635

The `spaceless` filter implicitly marks its output as safe

Versions affectées : >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0
Versions patchées :
https://symfony.com/cve-2026-46628

Signalée 20/05/2026

CVE-2026-46628

XSS in profiler HtmlDumper via unescaped template and profile names

Versions affectées : >=3.0.0,<3.26.0
Versions patchées :
https://symfony.com/cve-2026-47730

Signalée 20/05/2026

CVE-2026-47730

Sandbox `__toString()` policy bypass via `Traversable` in `join`/`replace` and `in`/`not in` operators

Versions affectées : >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.27.0
Versions patchées :
https://symfony.com/blog/cve-2026-48807-sandbox-tostring-policy-bypass-via-traversable-in-join-replace-and-in-not-in-operators

Signalée 27/05/2026

CVE-2026-48807

Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders

Versions affectées : >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.27.0
Versions patchées :
https://symfony.com/blog/cve-2026-46636-sandbox-filter-tag-and-function-allow-list-bypass-when-sandbox-state-changes-between-renders

Signalée 27/05/2026

CVE-2026-46636

low Unguarded calls to __toString() when nesting an object into an array

Signalée 06/11/2024

CVE-2024-51754

2 symfony/http-foundation —— v5.4.40 +

high CVE-2025-64500: Incorrect parsing of PATH_INFO can lead to limited authorization bypass

Versions affectées : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.50|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.29|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.3.7
Versions patchées : 5.4.50 6.4.29 7.3.7 5.4.50 6.4.29 7.3.7
https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass

Signalée 12/11/2025

CVE-2025-64500

low CVE-2024-50345: Open redirect via browser-sanitized URLs

Versions affectées : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7
Versions patchées : 5.4.46 6.4.14 7.1.7 5.4.46 6.4.14 7.1.7
https://symfony.com/cve-2024-50345

Signalée 05/11/2024

CVE-2024-50345

2 symfony/process —— v5.4.40 +

high CVE-2024-51736: Command execution hijack on Windows with Process class

Signalée 05/11/2024

CVE-2024-51736

medium Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on Windows

Versions affectées : >=8.0,<8.0.5|>=7.4,<7.4.5|>=7.3,<7.3.11|>=6.4,<6.4.33|<5.4.51
Versions patchées : 5.4.51 6.4.33 7.3.11 7.4.5 8.0.5 5.4.51 6.4.33 7.3.11 7.4.5 8.0.5
https://github.com/advisories/GHSA-r39x-jcww-82v6

Signalée 28/01/2026

CVE-2026-24739

1 symfony/runtime —— v5.4.40 +

medium CVE-2024-50340: Ability to change environment from query

Versions affectées : >=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7
Versions patchées : 5.4.46 6.4.14 7.1.7 5.4.46 6.4.14 7.1.7
https://symfony.com/cve-2024-50340

Signalée 05/11/2024

CVE-2024-50340

2 symfony/http-client —— v5.4.40 +

CVE-2026-48736: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient

Versions affectées : >=5.4.0,<5.4.53
Versions patchées :
https://symfony.com/cve-2026-48736

Signalée 26/05/2026

CVE-2026-48736

low CVE-2024-50342: Internal address and port enumeration allowed by NoPrivateNetworkHttpClient

Versions affectées : >=4.3.0,<4.4.0|>=4.4.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7
Versions patchées : 5.4.46 6.4.14 7.1.7 5.4.46 6.4.14 7.1.7
https://symfony.com/cve-2024-50342

Signalée 05/11/2024

CVE-2024-50342

1 symfony/validator —— v5.4.40 +

low CVE-2024-50343: Incorrect response from Validator when input ends with ` `

Versions affectées : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.43|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.11|>=7.0.0,<7.1.0|>=7.1.0,<7.1.4
Versions patchées : 5.4.43 6.4.11 7.1.4 5.4.43 6.4.11 7.1.4
https://symfony.com/cve-2024-50343

Signalée 30/08/2024

CVE-2024-50343

3 symfony/security-http —— v5.4.40 +

high CVE-2024-51996: Authentication Bypass via persisted RememberMe cookie

Versions affectées : >=5.3.0,<5.4.0|>=5.4.0,<5.4.47|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.15|>=7.0.0,<7.1.0|>=7.1.0,<7.1.8
Versions patchées : 5.4.47 6.4.15 7.1.8
https://symfony.com/cve-2024-51996

Signalée 13/11/2024

CVE-2024-51996

CVE-2026-48489: Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET Routes

Versions affectées : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.53|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.41|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.13|>=8.0.0,<8.0.13
Versions patchées :
https://symfony.com/cve-2026-48489

Signalée 26/05/2026

CVE-2026-48489

CVE-2026-45063: Identity Spoofing via Unanchored DN Regex in X509Authenticator

Versions affectées : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12
Versions patchées :
https://symfony.com/cve-2026-45063

Signalée 20/05/2026

CVE-2026-45063

2 ibexa/http-cache —— v4.6.7 +

high BREACH vulnerability in varnish VCL and vhost templates

Signalée 28/11/2024

IBEXA-SA-2024-006

medium ibexa/http-cache affected by Breach with Varnish VCL

Versions affectées : >=4.6.0,<4.6.14
Versions patchées : 4.6.14
https://github.com/advisories/GHSA-fh7v-q458-7vmw

Signalée 02/12/2024

2 ibexa/post-install —— v4.6.7 +

high BREACH vulnerability in varnish VCL and vhost templates

Signalée 28/11/2024

IBEXA-SA-2024-006

medium ibexa/post-install affected by Breach with Varnish VCL

Versions affectées : >=4.6.0,<4.6.14|>=1.0.0,<1.0.16
Versions patchées : 1.0.16 4.6.14
https://github.com/advisories/GHSA-4h8f-c635-25p7

Signalée 02/12/2024

2 ibexa/admin-ui-assets —— v4.6.7 +

high XSS vulnerabilities in back office

Versions affectées : v4.6.0,v4.6.20
Versions patchées : v4.6.21
https://developers.ibexa.co/security-advisories/ibexa-sa-2025-003-xss-vulnerabilities-in-back-office

Signalée 11/06/2025

IBEXA-SA-2025-003

medium Ibexa Admin UI assets XSS vulnerabilities in back office

Versions affectées : >=4.6.0-alpha1,<4.6.21
Versions patchées : 4.6.21
https://github.com/advisories/GHSA-vhgq-r8gx-5fpv

Signalée 13/06/2025

3 webonyx/graphql-php —— v14.11.10 +

high webonyx/graphql-php has quadratic validation cost in OverlappingFieldsCanBeMerged via inline fragments

Versions affectées : <15.32.2
Versions patchées : 15.32.2
https://github.com/advisories/GHSA-fc86-6rv6-2jpm

Signalée 04/05/2026

high webonyx/graphql-php has unbounded recursion in parser that causes stack overflow on crafted nested input

Versions affectées : <=15.32.2
Versions patchées : 15.32.3
https://github.com/advisories/GHSA-r7cg-qjjm-xhqq

Signalée 05/05/2026

medium graphql-php is affected by a Denial of Service via quadratic complexity in OverlappingFieldsCanBeMerged validation

Versions affectées : <=15.31.4
Versions patchées : 15.31.5
https://github.com/advisories/GHSA-68jq-c3rv-pcrr

Signalée 14/04/2026

1 twig/intl-extra —— v3.10.0 +

Unbounded formatter memoisation in twig/intl-extra keyed on template-controlled arguments

Versions affectées : >=2.12.0,<3.0.0|>=3.0.0,<3.26.0
Versions patchées :
https://symfony.com/cve-2026-46629

Signalée 20/05/2026

CVE-2026-46629

1 symfony/cache —— v5.4.40 +

CVE-2026-45073: SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix

Signalée 20/05/2026

CVE-2026-45073

2 symfony/mime —— v5.4.40 +

CVE-2026-45067: Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address

Signalée 20/05/2026

CVE-2026-45067

CVE-2026-45070: Email Header Injection via Non-Token Characters in Mime Parameter Names

Signalée 20/05/2026

CVE-2026-45070

1 symfony/monolog-bridge —— v5.4.40 +

CVE-2026-45077: Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener

Signalée 20/05/2026

CVE-2026-45077

2 symfony/routing —— v5.4.40 +

CVE-2026-48784: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../` or `./` → Generated URL Collapses Off-Route Under RFC 3986 Normalization

Signalée 26/05/2026

CVE-2026-48784

CVE-2026-45065: UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection

Signalée 20/05/2026

CVE-2026-45065

3 symfony/yaml —— v5.4.40 +

CVE-2026-45133: YAML Parser Stack Exhaustion via Unbounded Recursion in Nested Blocks, Sequences, and Mappings

Signalée 20/05/2026

CVE-2026-45133

CVE-2026-45305: YAML Parser ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex

Signalée 20/05/2026

CVE-2026-45305

CVE-2026-45304: YAML Parser Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs")

Signalée 20/05/2026

CVE-2026-45304

1 symfony/polyfill-intl-idn —— v1.30.0 +

CVE-2026-46644: symfony/polyfill-intl-idn accepts xn-- labels whose Punycode payload decodes to ASCII-only: insecure equivalence

Versions affectées : >=1.17.1,<1.38.1
Versions patchées :
https://symfony.com/cve-2026-46644

Signalée 26/05/2026

CVE-2026-46644

3 guzzlehttp/psr7 —— 1.9.1 +

medium CRLF injection in HTTP start-line serialization

Versions affectées : <2.12.1
Versions patchées : 2.12.1
https://github.com/guzzle/psr7/security/advisories/GHSA-vm85-hxw5-5432

Signalée 18/06/2026

CVE-2026-55766

medium guzzlehttp/psr7 has CRLF Injection via URI Host Component

Versions affectées : <2.10.2
Versions patchées : 2.10.2
https://github.com/advisories/GHSA-hq7v-mx3g-29hw

Signalée 11/06/2026

CVE-2026-49214

medium guzzlehttp/psr7 has Host Confusion via Authority Reinterpretation

Versions affectées : <2.10.2
Versions patchées : 2.10.2
https://github.com/advisories/GHSA-34xg-wgjx-8xph

Signalée 11/06/2026

CVE-2026-48998

2 guzzlehttp/guzzle —— 6.5.8 +

medium Dot-only cookie domains match all hosts

Versions affectées : <7.12.1
Versions patchées : 7.12.1
https://github.com/guzzle/guzzle/security/advisories/GHSA-cwxw-98qj-8qjx

Signalée 18/06/2026

CVE-2026-55767

medium Silent HTTPS proxy downgrade to cleartext

Versions affectées : <7.12.1
Versions patchées : 7.12.1
https://github.com/guzzle/guzzle/security/advisories/GHSA-wpwq-4j6v-78m3

Signalée 18/06/2026

CVE-2026-55568

Php

31 PHP —— 8.3.8 +

critical In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.

* [https://github.com/php/php-src/security/advisories/GHSA-5hqh-c84r-qjcv](https://github.com/php/php-src/security/advisories/GHSA-5hqh-c84r-qjcv)

Signalée 24/11/2024

CVE-2024-11236

critical In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing HTTP redirect in the response to an HTTP request, there is currently limit on the location value size caused by limited size of the location buffer to 1024. However as per RFC9110, the limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong location.

* [https://github.com/php/php-src/security/advisories/GHSA-52jp-hrpf-2jff](https://github.com/php/php-src/security/advisories/GHSA-52jp-hrpf-2jff)
* [https://security.netapp.com/advisory/ntap-20250523-0005/](https://security.netapp.com/advisory/ntap-20250523-0005/)

Signalée 30/03/2025

CVE-2025-1861

critical In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.

* [https://github.com/php/php-src/security/advisories/GHSA-85c2-q967-79q5](https://github.com/php/php-src/security/advisories/GHSA-85c2-q967-79q5)

Signalée 10/05/2026

CVE-2026-6722

high In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in convert.quoted-printable-decode filter certain data can lead to buffer overread by one byte, which can in certain circumstances lead to crashes or disclose content of other memory areas.

* [https://github.com/php/php-src/security/advisories/GHSA-r977-prxv-hc43](https://github.com/php/php-src/security/advisories/GHSA-r977-prxv-hc43)

Signalée 24/11/2024

CVE-2024-11233

high In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user.

* [https://github.com/php/php-src/security/advisories/GHSA-c5f2-jwm7-mmq2](https://github.com/php/php-src/security/advisories/GHSA-c5f2-jwm7-mmq2)

Signalée 24/11/2024

CVE-2024-11234

high In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??= operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution.

Versions affectées : 8.3.0|8.3.18,8.4.0|8.4.5
Versions patchées :
* [https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc6-8477](https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc6-8477)
* [https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc6-8477](https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc6-8477)

Signalée 04/04/2025

CVE-2024-11235

high In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using a certain non-standard configurations of Windows codepages, the fixes for CVE-2024-4577 https://github.com/advisories/GHSA-vxpp-6299-mxw3 may still be bypassed and the same command injection related to Windows "Best Fit" codepage behavior can be achieved. This may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

* [https://github.com/php/php-src/security/advisories/GHSA-p99j-rfp4-xqvq](https://github.com/php/php-src/security/advisories/GHSA-p99j-rfp4-xqvq)

Signalée 08/10/2024

CVE-2024-8926

high In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.

* [https://github.com/php/php-src/security/advisories/GHSA-94p6-54jq-9mwp](https://github.com/php/php-src/security/advisories/GHSA-94p6-54jq-9mwp)

Signalée 08/10/2024

CVE-2024-8927

high In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server.

* [https://github.com/php/php-src/security/advisories/GHSA-3237-qqm7-mfv7](https://github.com/php/php-src/security/advisories/GHSA-3237-qqm7-mfv7)

Signalée 27/12/2025

CVE-2025-14177

high In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.

* [https://github.com/php/php-src/security/advisories/GHSA-h96m-rvf9-jgm2](https://github.com/php/php-src/security/advisories/GHSA-h96m-rvf9-jgm2)

Signalée 27/12/2025

CVE-2025-14178

high In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.

* [https://github.com/php/php-src/security/advisories/GHSA-w476-322c-wpvm](https://github.com/php/php-src/security/advisories/GHSA-w476-322c-wpvm)

Signalée 10/05/2026

CVE-2025-14179

high In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1 when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in pdo_parse_params() function. This may lead to crashes (segmentation fault) and affect the availability of the target server.

* [https://github.com/php/php-src/security/advisories/GHSA-8xr5-qppj-gvwj](https://github.com/php/php-src/security/advisories/GHSA-8xr5-qppj-gvwj)

Signalée 27/12/2025

CVE-2025-14180

high In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors. This could cause crashes if Postgres server rejects the string as invalid.

* [https://github.com/php/php-src/security/advisories/GHSA-hrwm-9436-5mv3](https://github.com/php/php-src/security/advisories/GHSA-hrwm-9436-5mv3)

Signalée 13/07/2025

CVE-2025-1735

high In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers be misinterpreted.

* [https://github.com/php/php-src/security/advisories/GHSA-hgf5-96fm-v528](https://github.com/php/php-src/security/advisories/GHSA-hgf5-96fm-v528)
* [https://security.netapp.com/advisory/ntap-20250523-0006/](https://security.netapp.com/advisory/ntap-20250523-0006/)

Signalée 30/03/2025

CVE-2025-1736

high In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.

* [https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv](https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv)

Signalée 10/05/2026

CVE-2026-6735

medium The parse_str function in (1) PHP, (2) Hardened-PHP, and (3) Suhosin, when called without a second parameter, might allow remote attackers to overwrite arbitrary variables by specifying variable names and values in the string to be parsed. NOTE: it is not clear whether this is a design limitation of the function or a bug in PHP, although it is likely to be regarded as a bug in Hardened-PHP and Suhosin.

* [http://osvdb.org/39834](http://osvdb.org/39834)
* [http://securityreason.com/securityalert/2800](http://securityreason.com/securityalert/2800)
* [http://www.acid-root.new.fr/advisories/14070612.txt](http://www.acid-root.new.fr/advisories/14070612.txt)
* [http://www.securityfocus.com/archive/1/471178/100/0/threaded](http://www.securityfocus.com/archive/1/471178/100/0/threaded)
* [http://www.securityfocus.com/archive/1/471204/100/0/threaded](http://www.securityfocus.com/archive/1/471204/100/0/threaded)
* [http://www.securityfocus.com/archive/1/471275/100/0/threaded](http://www.securityfocus.com/archive/1/471275/100/0/threaded)
* [https://exchange.xforce.ibmcloud.com/vulnerabilities/34836](https://exchange.xforce.ibmcloud.com/vulnerabilities/34836)

Signalée 13/06/2007

CVE-2007-3205

medium In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being processed. This could lead to malicious attacker able to control part of the submitted data being able to exclude portion of other data, potentially leading to erroneous application behavior.

* [https://github.com/php/php-src/security/advisories/GHSA-9pqp-7h25-4f32](https://github.com/php/php-src/security/advisories/GHSA-9pqp-7h25-4f32)

Signalée 08/10/2024

CVE-2024-8925

medium In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations.

Versions affectées : 8.1.0|8.1.31,8.2.0|8.2.27,8.3.0|8.3.18,8.4.0|8.4.4
Versions patchées :
* [https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc](https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc)
* [https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc](https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc)

Signalée 30/03/2025

CVE-2025-1219

medium In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 some functions like fsockopen() lack validation that the hostname supplied does not contain null characters. This may lead to other functions like parse_url() treat the hostname in different way, thus opening way to security problems if the user code implements access checks before access using such functions.

* [https://github.com/php/php-src/security/advisories/GHSA-3cr5-j632-f35r](https://github.com/php/php-src/security/advisories/GHSA-3cr5-j632-f35r)
* [https://github.com/php/php-src/security/advisories/GHSA-3cr5-j632-f35r](https://github.com/php/php-src/security/advisories/GHSA-3cr5-j632-f35r)

Signalée 13/07/2025

CVE-2025-1220

medium In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.

* [https://github.com/php/php-src/security/advisories/GHSA-pcmh-g36c-qc44](https://github.com/php/php-src/security/advisories/GHSA-pcmh-g36c-qc44)
* [https://security.netapp.com/advisory/ntap-20250523-0009/](https://security.netapp.com/advisory/ntap-20250523-0009/)

Signalée 30/03/2025

CVE-2025-1734

medium In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like isxdigit()). On the systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can lead to accessing array with negative offset, which can trigger a denial of service.

* [https://github.com/php/php-src/security/advisories/GHSA-m8rr-4c36-8gq4](https://github.com/php/php-src/security/advisories/GHSA-m8rr-4c36-8gq4)

Signalée 10/05/2026

CVE-2026-7258

medium In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. However, in the case SOAP requests results in an error, the persistance is handled incorrectly, resulting in freeing the object while keeping a pointer to it, which may lead to use-after-free. This may lead to memory corruption, information disclosure, or process crashes, with confidentiality, integrity, and availability impact on the vulnerable system.

* [https://github.com/php/php-src/security/advisories/GHSA-m33r-qmcv-p97q](https://github.com/php/php-src/security/advisories/GHSA-m33r-qmcv-p97q)

Signalée 10/05/2026

CVE-2026-7261

medium In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process.

* [https://github.com/php/php-src/security/advisories/GHSA-96wq-48vp-hh57](https://github.com/php/php-src/security/advisories/GHSA-96wq-48vp-hh57)

Signalée 10/05/2026

CVE-2026-7568

low In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.

* [https://github.com/php/php-src/security/advisories/GHSA-865w-9rf3-2wh5](https://github.com/php/php-src/security/advisories/GHSA-865w-9rf3-2wh5)

Signalée 08/10/2024

CVE-2024-9026

low In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when http request module parses HTTP response obtained from a server, folded headers are parsed incorrectly, which may lead to misinterpreting the response and using incorrect headers, MIME types, etc.

Versions affectées : 8.1.0|8.1.31,8.2.0|8.2.27,8.3.0|8.3.18,8.4.0|8.4.4
Versions patchées :
* [https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g](https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g)
* [https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g](https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g)

Signalée 29/03/2025

CVE-2025-1217

low In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to mb_regex_encoding().

* [https://github.com/php/php-src/security/advisories/GHSA-wm6j-2649-pv75](https://github.com/php/php-src/security/advisories/GHSA-wm6j-2649-pv75)

Signalée 10/05/2026

CVE-2026-7259

low In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element. This leads to dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service.

* [https://github.com/php/php-src/security/advisories/GHSA-hmxp-6pc4-f3vv](https://github.com/php/php-src/security/advisories/GHSA-hmxp-6pc4-f3vv)

Signalée 10/05/2026

CVE-2026-7262

unassigned A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.

* [https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/](https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/)
* [https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/](https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/)
* [https://kb.cert.org/vuls/id/123335](https://kb.cert.org/vuls/id/123335)
* [https://kb.cert.org/vuls/id/123335](https://kb.cert.org/vuls/id/123335)
* [https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way](https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way)
* [https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way](https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way)
* [https://www.cve.org/CVERecord?id=CVE-2024-1874](https://www.cve.org/CVERecord?id=CVE-2024-1874)
* [https://www.cve.org/CVERecord?id=CVE-2024-1874](https://www.cve.org/CVERecord?id=CVE-2024-1874)
* [https://www.cve.org/CVERecord?id=CVE-2024-22423](https://www.cve.org/CVERecord?id=CVE-2024-22423)
* [https://www.cve.org/CVERecord?id=CVE-2024-22423](https://www.cve.org/CVERecord?id=CVE-2024-22423)
* [https://www.cve.org/CVERecord?id=CVE-2024-24576](https://www.cve.org/CVERecord?id=CVE-2024-24576)
* [https://www.cve.org/CVERecord?id=CVE-2024-24576](https://www.cve.org/CVERecord?id=CVE-2024-24576)
* [https://www.kb.cert.org/vuls/id/123335](https://www.kb.cert.org/vuls/id/123335)
* [https://www.kb.cert.org/vuls/id/123335](https://www.kb.cert.org/vuls/id/123335)

Signalée 10/04/2024

CVE-2024-3566

unassigned In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, a hostile MySQL server can cause the client to disclose the content of its heap containing data from other SQL requests and possible other data belonging to different users of the same server.

* [https://github.com/php/php-src/security/advisories/GHSA-h35g-vwh6-m678](https://github.com/php/php-src/security/advisories/GHSA-h35g-vwh6-m678)
* [https://security.netapp.com/advisory/ntap-20250110-0008/](https://security.netapp.com/advisory/ntap-20250110-0008/)

Signalée 22/11/2024

CVE-2024-8929

unassigned In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.

* [https://github.com/php/php-src/security/advisories/GHSA-g665-fm4p-vhff](https://github.com/php/php-src/security/advisories/GHSA-g665-fm4p-vhff)
* [https://security.netapp.com/advisory/ntap-20250110-0009/](https://security.netapp.com/advisory/ntap-20250110-0009/)

Signalée 22/11/2024

CVE-2024-8932

unassigned In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 when parsing XML data in SOAP extensions, overly large (>2Gb) XML namespace prefix may lead to null pointer dereference. This may lead to crashes and affect the availability of the target server.

* [https://github.com/php/php-src/security/advisories/GHSA-453j-q27h-5p8x](https://github.com/php/php-src/security/advisories/GHSA-453j-q27h-5p8x)
* [https://github.com/php/php-src/security/advisories/GHSA-453j-q27h-5p8x](https://github.com/php/php-src/security/advisories/GHSA-453j-q27h-5p8x)

Signalée 13/07/2025

CVE-2025-6491

6 paquets abandonnés ont été trouvés

Paquet abandonné	Remplacement suggéré
sensio/framework-extra-bundle	Symfony
php-http/message-factory	psr/http-factory
platformsh/symfonyflex-bridge	Aucun
swiftmailer/swiftmailer	symfony/mailer
symfony/swiftmailer-bundle	symfony/mailer
php-http/guzzle6-adapter	guzzlehttp/guzzle or php-http/guzzle7-adapter

Résumé Mise à jour possible

Votre version est Ibexa 4.6

Votre version est Symfony 5.4

Votre version est Php 7.4

Badge

[![Vulnerabilities](https://audit.security.code-rhapsodie.fr/badge/018fdea7-1ba2-7bdf-abab-51452e155926?type=vulnerabilities)](https://audit.security.code-rhapsodie.fr/fr/project/018fdea7-1ba2-7bdf-abab-51452e155926)

[![Vulnerabilities](https://audit.security.code-rhapsodie.fr/badge/018fdea7-1ba2-7bdf-abab-51452e155926?type=vulnerabilities&version=little)](https://audit.security.code-rhapsodie.fr/fr/project/018fdea7-1ba2-7bdf-abab-51452e155926)

[![Abandonned](https://audit.security.code-rhapsodie.fr/badge/018fdea7-1ba2-7bdf-abab-51452e155926?type=abandonned)](https://audit.security.code-rhapsodie.fr/fr/project/018fdea7-1ba2-7bdf-abab-51452e155926)

[![Abandonned](https://audit.security.code-rhapsodie.fr/badge/018fdea7-1ba2-7bdf-abab-51452e155926?type=abandonned&version=little)](https://audit.security.code-rhapsodie.fr/fr/project/018fdea7-1ba2-7bdf-abab-51452e155926)