Package impact
COMPOSER / flightphp/core
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2026-42550 | high | 8.8 | 8.8 | 22d ago | Flight vulnerable to SQL Injection via unvalidated identifiers in SimplePdo::insert / update / delete | |
| CVE-2026-42548 | high | — | 8.0 | 22d ago | Flight has reflected XSS through an unvalidated JSONP callback in Flight::jsonp() | |
| CVE-2026-42552 | high | 7.5 | 7.5 | 22d ago | Flight vulnerable to sensitive information disclosure via default error handler | |
| CVE-2026-42551 | high | 7.5 | 7.5 | 22d ago | Flight: HTTP method override enabled by default, facilitating CSRF escalation and middleware bypass | |
| CVE-2026-42549 | medium | 4.4 | 4.4 | 22d ago | Flight has path traversal in `make:controller` CLI that creates arbitrary directories outside project root | |