VYPR

Packagist (Composer) package

flightphp/core

pkg:composer/flightphp/core

Vulnerabilities (5)

  • CVE-2026-42552 (High), May 13, 2026
    affected < 3.18.1, fixed 3.18.1

    Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the default error handler Engine::_error() writes the full exception message, exception code, and stack trace (including absolute filesystem paths) directly into the HTTP 500 response, with no debug gating. Product

  • CVE-2026-42551 (High), May 13, 2026
    affected < 3.18.1, fixed 3.18.1

    Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Request::getMethod() unconditionally honors the X-HTTP-Method-Override header and the $_REQUEST['_method'] parameter on any HTTP verb (including safe verbs such as GET), with no opt-in and no whitelist of permitted

  • CVE-2026-42550 (High), May 13, 2026
    affected < 3.18.1, fixed 3.18.1

    Flight is an extensible micro-framework for PHP. Prior to 3.18.1, SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and no

  • CVE-2026-42549 (Medium), May 13, 2026
    affected < 3.18.1, fixed 3.18.1

    Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the make:controller CLI command calls mkdir(..., recursive: true) on a path built from the user-supplied controller name, before Nette's class-name validation runs. The class-file write is correctly rejected by Net

  • CVE-2026-42548 (High), May 13, 2026
    affected < 3.18.1, fixed 3.18.1

    Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Flight::jsonp() concatenates the ?jsonp= query parameter directly into an application/javascript response body without validating that the value is a legal JavaScript identifier. An attacker can inject arbitrary Ja