{"source":"ghsa-composer","note":"Free 5-item preview. The full feed is $0.05/call at GET /v1/ghsa-composer/changes.","question":"Which new GitHub security advisories affecting Composer/PHP packages were published since T, and how severe are they?","sample":[{"source":"ghsa-composer","entityId":"ghsa:GHSA-f5gc-qxf8-mh9g","type":"advisory","title":"GHSA-f5gc-qxf8-mh9g / CVE-2026-49260: php-weasyprint: shell command injection via configurable WeasyPrint binary path due to inverted is_executable() guard (mirror of KnpLabs/snappy GHSA-vpr4-p6fq-85…","summary":"HIGH severity. Affected: pontedilana/php-weasyprint.","significance":8,"detectedAt":"2026-07-14T22:21:19.559Z","effectiveDate":"2026-06-26T21:46:27Z","sourceUrl":"https://github.com/advisories/GHSA-f5gc-qxf8-mh9g","detail":{"severity":"high","cve":"CVE-2026-49260","packages":"pontedilana/php-weasyprint","cvss":8.2}},{"source":"ghsa-composer","entityId":"ghsa:GHSA-mmj8-wcvw-6789","type":"advisory","title":"GHSA-mmj8-wcvw-6789 / CVE-2026-49262: Aimeos Pagible CMS vulnerable to Server Side Request Forgery (SSRF) via DNS rebinding in admin proxy","summary":"LOW severity. Affected: aimeos/pagible.","significance":3,"detectedAt":"2026-07-14T22:21:19.559Z","effectiveDate":"2026-06-26T21:50:10Z","sourceUrl":"https://github.com/advisories/GHSA-mmj8-wcvw-6789","detail":{"severity":"low","cve":"CVE-2026-49262","packages":"aimeos/pagible","cvss":3}},{"source":"ghsa-composer","entityId":"ghsa:GHSA-2fmj-p74r-3wjm","type":"advisory","title":"GHSA-2fmj-p74r-3wjm / CVE-2026-49286: PhpWeasyPrint vulnerable to PHAR deserialization via output filename (CVE-2023-28115 case-insensitive bypass)","summary":"HIGH severity. Affected: pontedilana/php-weasyprint.","significance":8,"detectedAt":"2026-07-14T22:21:19.559Z","effectiveDate":"2026-06-26T22:10:00Z","sourceUrl":"https://github.com/advisories/GHSA-2fmj-p74r-3wjm","detail":{"severity":"high","cve":"CVE-2026-49286","packages":"pontedilana/php-weasyprint","cvss":8.1}},{"source":"ghsa-composer","entityId":"ghsa:GHSA-5g9f-cwwg-4p8g","type":"advisory","title":"GHSA-5g9f-cwwg-4p8g / CVE-2026-49358: PhpWeasyPrint vulnerable to arbitrary file deletion at shutdown via public $temporaryFiles","summary":"LOW severity. Affected: pontedilana/php-weasyprint.","significance":3,"detectedAt":"2026-07-14T22:21:19.559Z","effectiveDate":"2026-06-26T22:10:51Z","sourceUrl":"https://github.com/advisories/GHSA-5g9f-cwwg-4p8g","detail":{"severity":"low","cve":"CVE-2026-49358","packages":"pontedilana/php-weasyprint","cvss":3}},{"source":"ghsa-composer","entityId":"ghsa:GHSA-x8g9-h984-pc36","type":"advisory","title":"GHSA-x8g9-h984-pc36 / CVE-2026-49359: PhpWeasyPrint vulnerable to SSRF and local file disclosure via the attachment option","summary":"MEDIUM severity. Affected: pontedilana/php-weasyprint.","significance":7,"detectedAt":"2026-07-14T22:21:19.559Z","effectiveDate":"2026-06-26T22:11:40Z","sourceUrl":"https://github.com/advisories/GHSA-x8g9-h984-pc36","detail":{"severity":"medium","cve":"CVE-2026-49359","packages":"pontedilana/php-weasyprint","cvss":6.5}}]}