Core
by Flightphp
CVEs (12)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-42550 | — | High | 0.50 | 8.8 | 0.00 | — | May 13, 2026 | Flight is an extensible micro-framework for PHP. Prior to 3.18.1, SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and… |
| CVE-2026-42548 | — | High | 0.49 | — | 0.00 | — | May 13, 2026 | Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Flight::jsonp() concatenates the ?jsonp= query parameter directly into an application/javascript response body without validating that the value is a legal JavaScript identifier. An attacker can inject arbitrary… |
| CVE-2026-42552 | — | High | 0.42 | 7.5 | 0.00 | — | May 13, 2026 | Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the default error handler Engine::_error() writes the full exception message, exception code, and stack trace (including absolute filesystem paths) directly into the HTTP 500 response, with no debug gating.… |
| CVE-2026-42551 | — | High | 0.42 | 7.5 | 0.00 | — | May 13, 2026 | Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Request::getMethod() unconditionally honors the X-HTTP-Method-Override header and the $_REQUEST['_method'] parameter on any HTTP verb (including safe verbs such as GET), with no opt-in and no whitelist of… |
| CVE-2025-20623 | — | Medium | 0.36 | 5.6 | 0.00 | — | May 13, 2025 | Exposure of sensitive information caused by shared microarchitectural predictor state that influences transient execution for some Intel(R) Core™ processors (10th Generation) may allow an authenticated user to potentially enable information disclosure via local access. |
| CVE-2026-42549 | — | Medium | 0.22 | 4.4 | 0.00 | — | May 13, 2026 | Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the make:controller CLI command calls mkdir(..., recursive: true) on a path built from the user-supplied controller name, before Nette's class-name validation runs. The class-file write is correctly rejected by… |
| CVE-2009-4961 | — | — | 0.03 | — | 0.02 | — | Jul 28, 2010 | Lanai Core 0.6 allows remote attackers to obtain configuration information via a direct request to info.php, which calls the phpinfo function. |
| CVE-2024-58341 | — | — | 0.00 | — | 0.00 | — | Mar 25, 2026 | OpenCart Core 4.0.2.3 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'search' parameter. Attackers can send GET requests to the product search endpoint with malicious 'search' values… |
| CVE-2025-54604 | — | — | 0.00 | — | 0.00 | — | Oct 28, 2025 | Bitcoin Core through 29.0 allows Uncontrolled Resource Consumption (issue 1 of 2). |
| CVE-2014-125127 | — | — | 0.00 | — | 0.00 | — | Sep 3, 2025 | The mikecao/flight PHP framework in versions prior to v1.2 is vulnerable to Denial of Service (DoS) attacks due to eager loading of request bodies in the Request class constructor. The framework automatically reads the entire request body on every HTTP request, regardless of… |
| CVE-2025-56577 | — | — | 0.00 | — | 0.00 | — | Aug 29, 2025 | An issue in Evope Core v.1.1.3.20 allows a local attacker to obtain sensitive information via the use of hard coded cryptographic keys. |
| CVE-2024-40124 | — | — | 0.00 | — | 0.00 | — | Apr 17, 2025 | Pydio Core <= 8.2.5 is vulnerable to Cross Site Scripting (XSS) via the New URL Bookmark feature. |
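The four Flight advisories published on May 13, 2026 (CVE-2026-42550, -42548, -42552 and -42551) describe four distinct hardening gaps: unquoted SQL identifiers, an unvalidated JSONP callback, an ungated stack trace in the 500 response, and an HTTP method override honored on GET. The block below is an added illustration of one defensive check for each class, written for PHP 8; it is not Flight's code and does not claim to be how 3.18.1 fixes these issues. Every function name (`quoteIdentifier`, `buildInsert`, `isSafeJsonpCallback`, `renderJsonp`, `resolveMethod`, `errorResponse`, `check`) and the sample inputs are assumptions made for the example. The backtick quoting is MySQL/MariaDB syntax; PostgreSQL and SQLite use double quotes.

```php
<?php
// Added example, not Flight's own code. Hypothetical helpers showing one check per
// vulnerability class in the May 2026 Flight advisories. Run with: php hardening.php
declare(strict_types=1);

// --- 1. SQL identifiers (cf. CVE-2026-42550) ---------------------------------------
// Table and column names cannot be bound as parameters, so they must be validated.
// Rejecting anything but a plain identifier is safer than trying to escape it.
function quoteIdentifier(string $name): string
{
    if (!preg_match('/\A[A-Za-z_][A-Za-z0-9_]{0,63}\z/', $name)) {
        throw new InvalidArgumentException("Invalid SQL identifier: $name");
    }
    return '`' . $name . '`';   // MySQL/MariaDB style; use "..." for PostgreSQL/SQLite
}

// Returns [sql, params]: identifiers are validated+quoted, values go through placeholders.
function buildInsert(string $table, array $data): array
{
    $cols = array_map('quoteIdentifier', array_keys($data));
    $placeholders = implode(', ', array_fill(0, count($data), '?'));
    $sql = sprintf('INSERT INTO %s (%s) VALUES (%s)',
        quoteIdentifier($table), implode(', ', $cols), $placeholders);
    return [$sql, array_values($data)];
}

// --- 2. JSONP callback (cf. CVE-2026-42548) -----------------------------------------
// Only a dotted JavaScript identifier (e.g. "app.handlers.cb") may be used as the callback.
function isSafeJsonpCallback(string $cb): bool
{
    $ident = '[A-Za-z_$][A-Za-z0-9_$]*';
    return strlen($cb) <= 128 && (bool) preg_match("/\\A{$ident}(\\.{$ident})*\\z/", $cb);
}

function renderJsonp(string $cb, mixed $payload): string
{
    if (!isSafeJsonpCallback($cb)) {
        throw new InvalidArgumentException('Invalid JSONP callback');
    }
    // JSON_HEX_TAG keeps "</script>" out of the body; the leading comment breaks
    // content-sniffing tricks that rely on the response starting with attacker bytes.
    $json = json_encode($payload, JSON_HEX_TAG | JSON_HEX_AMP | JSON_THROW_ON_ERROR);
    return '/**/' . $cb . '(' . $json . ');';
}

// --- 3. Method override (cf. CVE-2026-42551) ----------------------------------------
// Override only a real POST, read the override from the POST body (not $_REQUEST, which
// would also accept the query string), and only to an explicit allow-list of verbs.
function resolveMethod(array $server, array $post, array $allowed = ['PUT', 'PATCH', 'DELETE']): string
{
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    if ($method !== 'POST') {
        return $method;
    }
    $override = $server['HTTP_X_HTTP_METHOD_OVERRIDE'] ?? $post['_method'] ?? null;
    if (!is_string($override)) {
        return $method;
    }
    $override = strtoupper($override);
    return in_array($override, $allowed, true) ? $override : $method;
}

// --- 4. Debug-gated error response (cf. CVE-2026-42552) -----------------------------
// Full details go to the server log under a random reference; the client only sees the
// reference unless debug mode is explicitly on.
function errorResponse(Throwable $e, bool $debug): array
{
    if ($debug) {
        $body = get_class($e) . ': ' . $e->getMessage() . "\n" . $e->getTraceAsString();
        return ['status' => 500, 'body' => $body];
    }
    $ref = bin2hex(random_bytes(8));
    error_log(sprintf('[%s] %s: %s in %s:%d', $ref, get_class($e),
        $e->getMessage(), $e->getFile(), $e->getLine()));
    return ['status' => 500, 'body' => "Internal Server Error (ref $ref)"];
}

// --- Self-checks on constructed inputs (not assert(), which php.ini may disable) -----
function check(bool $ok, string $what): void
{
    if (!$ok) { fwrite(STDERR, "FAIL: $what\n"); exit(1); }
}

[$sql, $params] = buildInsert('users', ['name' => 'alice', 'role' => 'admin']);
check($sql === 'INSERT INTO `users` (`name`, `role`) VALUES (?, ?)', 'insert sql');
check($params === ['alice', 'admin'], 'insert params');
try { buildInsert('users`; DROP TABLE users; --', ['x' => 1]); check(false, 'bad table'); }
catch (InvalidArgumentException $e) { /* rejected as intended */ }
try { buildInsert('users', ['name) VALUES (1); --' => 1]); check(false, 'bad column'); }
catch (InvalidArgumentException $e) { /* rejected as intended */ }

check(isSafeJsonpCallback('cb') && isSafeJsonpCallback('app.handlers.cb'), 'good callbacks');
check(!isSafeJsonpCallback('alert(1);//') && !isSafeJsonpCallback(''), 'bad callbacks');
check(renderJsonp('cb', ['x' => '</script>']) === '/**/cb({"x":"\u003C\/script\u003E"});', 'jsonp body');

check(resolveMethod(['REQUEST_METHOD' => 'GET', 'HTTP_X_HTTP_METHOD_OVERRIDE' => 'DELETE'],
    ['_method' => 'DELETE']) === 'GET', 'GET is never overridden');
check(resolveMethod(['REQUEST_METHOD' => 'POST'], ['_method' => 'delete']) === 'DELETE', 'POST -> DELETE');
check(resolveMethod(['REQUEST_METHOD' => 'POST', 'HTTP_X_HTTP_METHOD_OVERRIDE' => 'TRACE'], []) === 'POST',
    'verb outside allow-list ignored');

$resp = errorResponse(new RuntimeException('db password rejected'), false);
check(!str_contains($resp['body'], 'db password') && !str_contains($resp['body'], __FILE__), 'no leak');
check(str_contains(errorResponse(new RuntimeException('x'), true)['body'], __FILE__), 'debug shows trace');
echo "all checks passed\n";
```

The self-checks use a throwing `check()` rather than `assert()` because production php.ini commonly sets `zend.assertions=-1`, which compiles assertions out and would silently pass. The JSONP check mirrors the point of the advisory: a callback that is a legal identifier can still call any global function, so the value of the check is that it keeps the attacker from injecting statements, not that it restricts which function runs.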