vulnerabilities in composer dependencies

ugh, composer.

There are 34 composer security advisories affecting our repositories.

swiftmailer/swiftmailer (CVE-2024-28859)

Deserialization Gadget chain in Swift Mailer
details

Affected repositories (1)

mediawiki/extensions/SwiftMailer

twig/twig (CVE-2024-51754)

Unguarded calls to __toString() when nesting an object into an array
details

Affected repositories (1)

wikimedia/slimapp

twig/twig (CVE-2024-51755)

Unguarded calls to __isset() and to array-accesses when the sandbox is enabled
details

Affected repositories (1)

wikimedia/slimapp

twig/twig (CVE-2026-46627)

Sandbox does not protect against resource exhaustion
details

Affected repositories (3)

twig/twig (CVE-2026-46628)

The `spaceless` filter implicitly marks its output as safe
details

Affected repositories (3)

twig/twig (CVE-2026-46633)

PHP code injection via `{% use %}` template name
details

Affected repositories (3)

twig/twig (CVE-2026-46635)

Sandbox property allowlist bypass via the `column` filter (array_column on objects)
details

Affected repositories (3)

twig/twig (CVE-2026-46636)

Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders
details

Affected repositories (3)

twig/twig (CVE-2026-46638)

`{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411)
details

Affected repositories (3)

twig/twig (CVE-2026-47732)

Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points
details

Affected repositories (3)

twig/twig (CVE-2026-48805)

Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`
details

Affected repositories (3)

twig/twig (CVE-2026-48806)

Sandbox `__toString()` policy bypass via dynamic mapping keys
details

Affected repositories (3)

twig/twig (CVE-2026-48807)

Sandbox `__toString()` policy bypass via `Traversable` in `join`/`replace` and `in`/`not in` operators
details

Affected repositories (3)

twig/twig (CVE-2026-48808)

Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`
details

Affected repositories (3)

symfony/cache (CVE-2026-45073)

CVE-2026-45073: SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix
details

Affected repositories (2)

symfony/dom-crawler (CVE-2026-45071)

CVE-2026-45071: XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true
details

Affected repositories (1)

labs/xtools

symfony/http-foundation (CVE-2026-48736)

CVE-2026-48736: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient
details

Affected repositories (1)

labs/xtools

symfony/mailer (CVE-2026-45068)

CVE-2026-45068: Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address
details

Affected repositories (1)

labs/xtools

symfony/mime (CVE-2026-45067)

CVE-2026-45067: Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address
details

Affected repositories (1)

labs/xtools

symfony/mime (CVE-2026-45070)

CVE-2026-45070: Email Header Injection via Non-Token Characters in Mime Parameter Names
details

Affected repositories (1)

labs/xtools

symfony/monolog-bridge (CVE-2026-45077)

CVE-2026-45077: Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener
details

Affected repositories (1)

labs/xtools

symfony/polyfill-intl-idn (CVE-2026-46644)

CVE-2026-46644: symfony/polyfill-intl-idn accepts xn-- labels whose Punycode payload decodes to ASCII-only: insecure equivalence
details

Affected repositories (1)

labs/xtools

symfony/routing (CVE-2026-45065)

CVE-2026-45065: UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection
details

Affected repositories (1)

labs/xtools

symfony/routing (CVE-2026-48784)

CVE-2026-48784: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../` or `./` → Generated URL Collapses Off-Route Under RFC 3986 Normalization
details

Affected repositories (1)

labs/xtools

symfony/runtime (CVE-2026-46626)

CVE-2026-46626: SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV/APP_DEBUG via parse_str/SAPI Argv Mismatch
details

Affected repositories (1)

labs/xtools

symfony/twig-bridge (CVE-2026-45072)

CVE-2026-45072: Stored XSS in WebProfiler CodeExtension::fileExcerpt(): Unescaped Non-PHP File Rendering
details

Affected repositories (1)

labs/xtools

symfony/yaml (CVE-2026-45133)

CVE-2026-45133: YAML Parser Stack Exhaustion via Unbounded Recursion in Nested Blocks, Sequences, and Mappings
details

Affected repositories (1)

labs/xtools

symfony/yaml (CVE-2026-45304)

CVE-2026-45304: YAML Parser Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs")
details

Affected repositories (1)

labs/xtools

symfony/yaml (CVE-2026-45305)

CVE-2026-45305: YAML Parser ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex
details

Affected repositories (1)

labs/xtools

twig/twig (CVE-2026-24425)

Possible sandbox bypass when using a source policy
details

Affected repositories (2)

twig/twig (CVE-2026-46634)

`template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name
details

Affected repositories (2)

twig/twig (CVE-2026-46639)

Sandbox property and method bypass via object-destructuring assignment
details

Affected repositories (1)

labs/xtools

twig/twig (CVE-2026-46640)

Arbitrary PHP code execution via `_self.(<string>)` macro-reference compilation
details

Affected repositories (1)

labs/xtools

twig/twig (CVE-2026-47730)

XSS in profiler HtmlDumper via unescaped template and profile names
details

Affected repositories (2)

Source code is licensed under the AGPL.