CVE-2025-49578: Components Citizencomponentpageheading Php Cwe 000 Cve 2025 49578

Stored XSS due to implicit string conversion of Message objects containing user dates. Ensure messages are escaped using `->escaped()` or `htmlspecialchars()`.

Provally CuratedPublic repositoryHighMedium confidenceVerifiedApache-2.0

PHP^β

greprules fetch cve-2025-49578-components-citizencomponentpageheading-php-cwe-000-cve-2025-49578 --engine opengrep

Description

Stored XSS due to implicit string conversion of Message objects containing user dates. Ensure messages are escaped using `->escaped()` or `htmlspecialchars()`.

License: Apache-2.0
Source context: Public repository
Source: Provally CVE rule catalog
Validation status: Verified
Quality signals: 145 downloads
0 direct145 via packs
· 0 stars · Quality score 70How quality works
Included packs: 2 packs

Community feedback

0 signals from signed-in users.

Useful: 0
False positive: 0
Metadata: 0