Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:composer/silverstripe/framework@4.0.3-rc1
purl pkg:composer/silverstripe/framework@4.0.3-rc1
Tags Ghost
Next non-vulnerable version 5.3.23
Latest non-vulnerable version 6.0.0-alpha1
Risk 4.0
Vulnerabilities affecting this package (3)
Vulnerability Summary Fixed by
VCID-b9th-m3ys-7bat
Aliases:
GHSA-vgxh-x8jv-hmff
silverstripe/framework code execution vulnerability There is a vulnerability whereby arbitrary global functions may be executed if malicious user input is passed through to in the second argument of `ViewableData::renderWith`. This argument resolves associative arrays as template placeholders. This exploit requires that user code has been written which makes use of the second argument in `renderWith` and where user input is passed directly as a value in an associative array without sanitisation such as `Convert::raw2xml()`. `ViewableData::customise` is not vulnerable.
4.0.4
Affected by 40 other vulnerabilities.
4.1.1
Affected by 41 other vulnerabilities.
VCID-dgke-xzhn-dkg5
Aliases:
GHSA-vcg6-8fxc-x5cq
silverstripe/framework allows upload of dangerous file types Some potentially dangerous file types exist in File.allowed_extensions which could allow a malicious CMS user to upload files that then get executed in the security context of the website. We have removed the ability to upload .css, .js, .potm, .dotm, .xltm and .jar files in the default configuration. Since allowed_extensions are synced to webserver configuration (in assets/.htaccess) automatically, this will also deny access to any existing uploads with these extensions. Review our security guidelines for the Common Web Platform and the File Security guide for SilverStripe 4 to find out how to add or remove extensions.
4.0.4
Affected by 40 other vulnerabilities.
4.1.1
Affected by 41 other vulnerabilities.
VCID-pffp-vtk7-pqby
Aliases:
GHSA-vh7q-j8p5-2h4h
silverstripe/framework sends passwords back to browsers under some circumstances Under some circumstances a form may populate a PasswordField with submitted data, reflecting submitted data back to a user. The user will only see their own submissions for password data, which is not considered best practice. We are not aware of data leaks to other users, devices or sessions.
4.0.4
Affected by 40 other vulnerabilities.
4.1.1
Affected by 41 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-02T12:39:21.956018+00:00 GitLab Importer Affected by VCID-b9th-m3ys-7bat https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/framework/GHSA-vgxh-x8jv-hmff.yml 38.0.0
2026-04-02T12:39:21.669336+00:00 GitLab Importer Affected by VCID-pffp-vtk7-pqby https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/framework/GHSA-vh7q-j8p5-2h4h.yml 38.0.0
2026-04-02T12:39:21.487307+00:00 GitLab Importer Affected by VCID-dgke-xzhn-dkg5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/framework/GHSA-vcg6-8fxc-x5cq.yml 38.0.0
2026-04-01T16:05:31.840186+00:00 GHSA Importer Affected by VCID-dgke-xzhn-dkg5 https://github.com/advisories/GHSA-vcg6-8fxc-x5cq 38.0.0
2026-04-01T16:05:31.710464+00:00 GHSA Importer Affected by VCID-pffp-vtk7-pqby https://github.com/advisories/GHSA-vh7q-j8p5-2h4h 38.0.0
2026-04-01T16:05:31.631442+00:00 GHSA Importer Affected by VCID-b9th-m3ys-7bat https://github.com/advisories/GHSA-vgxh-x8jv-hmff 38.0.0