VYPR

Vendor: Flightphp
Products: 2
CVEs: 12 (13 across products)
Status: Private

Recent CVEs (12)
  • CVE-2026-42550 (High), May 13, 2026
    risk 0.50, cvss 8.8, epss 0.00

    Flight is an extensible micro-framework for PHP. Prior to 3.18.1, SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and…

  • CVE-2026-42548 (High), May 13, 2026
    risk 0.49, cvss (none), epss 0.00

    Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Flight::jsonp() concatenates the ?jsonp= query parameter directly into an application/javascript response body without validating that the value is a legal JavaScript identifier. An attacker can inject arbitrary…

  • CVE-2026-42552 (High), May 13, 2026
    risk 0.42, cvss 7.5, epss 0.00

    Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the default error handler Engine::_error() writes the full exception message, exception code, and stack trace (including absolute filesystem paths) directly into the HTTP 500 response, with no debug gating.…

  • CVE-2026-42551 (High), May 13, 2026
    risk 0.42, cvss 7.5, epss 0.00

    Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Request::getMethod() unconditionally honors the X-HTTP-Method-Override header and the $_REQUEST['_method'] parameter on any HTTP verb (including safe verbs such as GET), with no opt-in and no whitelist of…

  • CVE-2025-20623 (Medium), May 13, 2025
    risk 0.36, cvss 5.6, epss 0.00

    Exposure of sensitive information caused by shared microarchitectural predictor state that influences transient execution for some Intel(R) Core™ processors (10th Generation) may allow an authenticated user to potentially enable information disclosure via local access.

  • CVE-2026-42549 (Medium), May 13, 2026
    risk 0.22, cvss 4.4, epss 0.00

    Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the make:controller CLI command calls mkdir(..., recursive: true) on a path built from the user-supplied controller name, before Nette's class-name validation runs. The class-file write is correctly rejected by…

  • CVE-2009-4961, Jul 28, 2010
    risk 0.03, cvss (none), epss 0.02

    Lanai Core 0.6 allows remote attackers to obtain configuration information via a direct request to info.php, which calls the phpinfo function.

  • CVE-2024-58341, Mar 25, 2026
    risk 0.00, cvss (none), epss 0.00

    OpenCart Core 4.0.2.3 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'search' parameter. Attackers can send GET requests to the product search endpoint with malicious 'search' values…

  • CVE-2025-54604, Oct 28, 2025
    risk 0.00, cvss (none), epss 0.00

    Bitcoin Core through 29.0 allows Uncontrolled Resource Consumption (issue 1 of 2).

  • CVE-2014-125127, Sep 3, 2025
    risk 0.00, cvss (none), epss 0.00

    The mikecao/flight PHP framework in versions prior to v1.2 is vulnerable to Denial of Service (DoS) attacks due to eager loading of request bodies in the Request class constructor. The framework automatically reads the entire request body on every HTTP request, regardless of…

  • CVE-2025-56577, Aug 29, 2025
    risk 0.00, cvss (none), epss 0.00

    An issue in Evope Core v.1.1.3.20 allows a local attacker to obtain sensitive information via the use of hard coded cryptographic keys.

  • CVE-2024-40124, Apr 17, 2025
    risk 0.00, cvss (none), epss 0.00

    Pydio Core <= 8.2.5 is vulnerable to Cross Site Scripting (XSS) via the New URL Bookmark feature.