| CVE | Severity | CVSS | Risk | Published | Description | Impact |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2026-42550 | high | 8.8 | 8.8 | 21d ago | Flight vulnerable to SQL Injection via unvalidated identifiers in SimplePdo::insert / update / delete | |
| CVE-2026-42548 | high | — | 8.0 | 21d ago | Flight has reflected XSS through an unvalidated JSONP callback in Flight::jsonp() | |
| CVE-2026-42552 | high | 7.5 | 7.5 | 21d ago | Flight vulnerable to sensitive information disclosure via default error handler | |
| CVE-2026-42551 | high | 7.5 | 7.5 | 21d ago | Flight: HTTP method override enabled by default, facilitating CSRF escalation and middleware bypass | |
| CVE-2026-42549 | medium | 4.4 | 4.4 | 21d ago | Flight has path traversal in `make:controller` CLI that creates arbitrary directories outside project root | |