Search

Find a vulnerability

Search criteria

    91 vulnerabilities by symfony

    CVE-2026-55878 (GCVE-0-2026-55878)

    Vulnerability from nvd – Published: 2026-07-08 21:30 – Updated: 2026-07-09 14:19
    VLAI
    Title
    Symfony: Path Traversal in symfony/ux-toolkit Allows Arbitrary File Write and Read via Crafted Recipe Manifest
    Summary
    Symfony UX is a JavaScript ecosystem for Symfony. From 2.32.0 before 2.36.1 and from 3.0.0 before 3.2.0, the ux:install console command installs files from a recipe kit by copying paths listed in a copy-files map, and because Path::isRelative() accepts paths like ../../../etc, a crafted or compromised kit can write attacker-controlled content to arbitrary locations or read local files outside the recipe directory. This issue is fixed in versions 2.36.1 and 3.2.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    symfony ux Affected: >= 2.32.0, < 2.36.1
    Affected: >= 3.0.0, < 3.2.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55878",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T14:18:56.012444Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T14:19:07.068Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ux",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.32.0, \u003c 2.36.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.0.0, \u003c 3.2.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Symfony UX is a JavaScript ecosystem for Symfony. From 2.32.0 before 2.36.1 and from 3.0.0 before 3.2.0, the ux:install console command installs files from a recipe kit by copying paths listed in a copy-files map, and because Path::isRelative() accepts paths like ../../../etc, a crafted or compromised kit can write attacker-controlled content to arbitrary locations or read local files outside the recipe directory. This issue is fixed in versions 2.36.1 and 3.2.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T21:30:33.816Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/ux/security/advisories/GHSA-p9xj-fpr2-jf2q",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/ux/security/advisories/GHSA-p9xj-fpr2-jf2q"
            },
            {
              "name": "https://github.com/symfony/ux/commit/7b4ddf3764bf269a1b5fde5bf03c4bce568694e4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/ux/commit/7b4ddf3764bf269a1b5fde5bf03c4bce568694e4"
            },
            {
              "name": "https://github.com/symfony/ux/releases/tag/v2.36.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/ux/releases/tag/v2.36.1"
            },
            {
              "name": "https://github.com/symfony/ux/releases/tag/v3.2.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/ux/releases/tag/v3.2.0"
            }
          ],
          "source": {
            "advisory": "GHSA-p9xj-fpr2-jf2q",
            "discovery": "UNKNOWN"
          },
          "title": "Symfony: Path Traversal in symfony/ux-toolkit Allows Arbitrary File Write and Read via Crafted Recipe Manifest"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55878",
        "datePublished": "2026-07-08T21:30:33.816Z",
        "dateReserved": "2026-06-17T16:59:42.759Z",
        "dateUpdated": "2026-07-09T14:19:07.068Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55877 (GCVE-0-2026-55877)

    Vulnerability from nvd – Published: 2026-07-08 21:32 – Updated: 2026-07-09 14:40
    VLAI
    Title
    Symfony UX: XSS in symfony/ux-icons via unsanitized SVG content in local files and Iconify on-demand responses
    Summary
    Symfony UX is a JavaScript ecosystem for Symfony. From 2.17.0 before 2.36.1 and from 3.0.0 before 3.2.0, the ux_icon() Twig function is marked is_safe=['html'] and Icon::toHtml() inlines SVG source verbatim, allowing unsanitized local SVG files or Iconify on-demand JSON body responses containing nested script elements, on* event handlers, or dangerous URL schemes to execute cross-site scripting. This issue is fixed in versions 2.36.1 and 3.2.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    symfony ux Affected: >= 2.17.0, < 2.36.1
    Affected: >= 3.0.0, < 3.2.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55877",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T14:21:00.657899Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T14:40:25.026Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ux",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.17.0, \u003c 2.36.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.0.0, \u003c 3.2.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Symfony UX is a JavaScript ecosystem for Symfony. From 2.17.0 before 2.36.1 and from 3.0.0 before 3.2.0, the ux_icon() Twig function is marked is_safe=[\u0027html\u0027] and Icon::toHtml() inlines SVG source verbatim, allowing unsanitized local SVG files or Iconify on-demand JSON body responses containing nested script elements, on* event handlers, or dangerous URL schemes to execute cross-site scripting. This issue is fixed in versions 2.36.1 and 3.2.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T21:32:37.407Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/ux/security/advisories/GHSA-6v8j-33hc-mv84",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/ux/security/advisories/GHSA-6v8j-33hc-mv84"
            },
            {
              "name": "https://github.com/symfony/ux/commit/3a4964ec3700f0af4e13f7bfbf8bb3174c3e79d1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/ux/commit/3a4964ec3700f0af4e13f7bfbf8bb3174c3e79d1"
            },
            {
              "name": "https://github.com/symfony/ux/releases/tag/v2.36.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/ux/releases/tag/v2.36.1"
            },
            {
              "name": "https://github.com/symfony/ux/releases/tag/v3.2.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/ux/releases/tag/v3.2.0"
            }
          ],
          "source": {
            "advisory": "GHSA-6v8j-33hc-mv84",
            "discovery": "UNKNOWN"
          },
          "title": "Symfony UX: XSS in symfony/ux-icons via unsanitized SVG content in local files and Iconify on-demand responses"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55877",
        "datePublished": "2026-07-08T21:32:37.407Z",
        "dateReserved": "2026-06-17T16:59:42.759Z",
        "dateUpdated": "2026-07-09T14:40:25.026Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-24425 (GCVE-0-2026-24425)

    Vulnerability from nvd – Published: 2026-05-20 13:45 – Updated: 2026-05-20 15:44 X_Open Source
    VLAI
    Title
    Twig 2.16.x & 3.9.0-3.25.x Sandbox Bypass via SourcePolicyInterface
    Summary
    Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary PHP callables to sort, filter, map, and reduce filters. Attackers can exploit the runtime check that fails to use the current template source to bypass sandbox restrictions and execute arbitrary code when the sandbox is enabled through a source policy rather than globally.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-693 - Protection Mechanism Failure
    Assigner
    Impacted products
    Vendor Product Version
    twigphp Twig Affected: 3.9.0 , < 3.26.0 (semver)
    Affected: 2.16.* (custom)
    Create a notification for this product.
    Date Public
    2026-05-20 00:00
    Credits
    Nicolò Ribaudo Fabien Potencier VulnCheck
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-24425",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-20T15:43:54.656189Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-20T15:44:33.359Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Twig",
              "repo": "https://github.com/twigphp/Twig",
              "vendor": "twigphp",
              "versions": [
                {
                  "lessThan": "3.26.0",
                  "status": "affected",
                  "version": "3.9.0",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "2.16.*",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nicol\u00f2 Ribaudo"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Fabien Potencier"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulnCheck"
            }
          ],
          "datePublic": "2026-05-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eTwig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary PHP callables to sort, filter, map, and reduce filters. Attackers can exploit the runtime check that fails to use the current template source to bypass sandbox restrictions and execute arbitrary code when the sandbox is enabled through a source policy rather than globally.\u003c/p\u003e"
                }
              ],
              "value": "Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary PHP callables to sort, filter, map, and reduce filters. Attackers can exploit the runtime check that fails to use the current template source to bypass sandbox restrictions and execute arbitrary code when the sandbox is enabled through a source policy rather than globally."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-693",
                  "description": "CWE-693 Protection Mechanism Failure",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-20T13:45:43.338Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/twigphp/Twig/security/advisories/GHSA-2q52-x2ff-qgfr"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://github.com/twigphp/Twig/releases/tag/v3.26.0"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/twig-x-x-sandbox-bypass-via-sourcepolicyinterface"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "tags": [
            "x_open-source"
          ],
          "title": "Twig 2.16.x \u0026 3.9.0-3.25.x Sandbox Bypass via SourcePolicyInterface",
          "x_generator": {
            "engine": "vulncheck"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-24425",
        "datePublished": "2026-05-20T13:45:02.413Z",
        "dateReserved": "2026-01-22T20:23:19.801Z",
        "dateUpdated": "2026-05-20T15:44:33.359Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-24739 (GCVE-0-2026-24739)

    Vulnerability from nvd – Published: 2026-01-28 20:25 – Updated: 2026-01-29 18:01
    VLAI
    Title
    Symfony has incorrect argument escaping under MSYS2/Git Bash on Windows that can lead to destructive file operations
    Summary
    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5, the Symfony Process component did not correctly treat some characters (notably `=`) as “special” when escaping arguments on Windows. When PHP is executed from an MSYS2-based environment (e.g. Git Bash) and Symfony Process spawns native Windows executables, MSYS2’s argument/path conversion can mis-handle unquoted arguments containing these characters. This can cause the spawned process to receive corrupted/truncated arguments compared to what Symfony intended. If an application (or tooling such as Composer scripts) uses Symfony Process to invoke file-management commands (e.g. `rmdir`, `del`, etc.) with a path argument containing `=`, the MSYS2 conversion layer may alter the argument at runtime. In affected setups this can result in operations being performed on an unintended path, up to and including deletion of the contents of a broader directory or drive. The issue is particularly relevant when untrusted input can influence process arguments (directly or indirectly, e.g. via repository paths, extracted archive paths, temporary directories, or user-controlled configuration). Versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5 contains a patch for the issue. Some workarounds are available. Avoid running PHP/one's own tooling from MSYS2-based shells on Windows; prefer cmd.exe or PowerShell for workflows that spawn native executables. Avoid passing paths containing `=` (and similar MSYS2-sensitive characters) to Symfony Process when operating under Git Bash/MSYS2. Where applicable, configure MSYS2 to disable or restrict argument conversion (e.g. via `MSYS2_ARG_CONV_EXCL`), understanding this may affect other tooling behavior.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
    Assigner
    Impacted products
    Vendor Product Version
    symfony symfony Affected: < 5.4.51
    Affected: >= 6.4.0, < 6.4.33
    Affected: >= 7.3.0, < 7.3.11
    Affected: >= 7.4.0, < 7.4.5
    Affected: >= 8.0.0 , < 8.0.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-24739",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-29T16:03:49.659737Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-29T18:01:36.510Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "symfony",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.4.51"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.4.0, \u003c 6.4.33"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.3.0, \u003c 7.3.11"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.4.0, \u003c 7.4.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0 , \u003c 8.0.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5, the Symfony Process component did not correctly treat some characters (notably `=`) as \u201cspecial\u201d when escaping arguments on Windows. When PHP is executed from an MSYS2-based environment (e.g. Git Bash) and Symfony Process spawns native Windows executables, MSYS2\u2019s argument/path conversion can mis-handle unquoted arguments containing these characters. This can cause the spawned process to receive corrupted/truncated arguments compared to what Symfony intended. If an application (or tooling such as Composer scripts) uses Symfony Process to invoke file-management commands (e.g. `rmdir`, `del`, etc.) with a path argument containing `=`, the MSYS2 conversion layer may alter the argument at runtime. In affected setups this can result in operations being performed on an unintended path, up to and including deletion of the contents of a broader directory or drive. The issue is particularly relevant when untrusted input can influence process arguments (directly or indirectly, e.g. via repository paths, extracted archive paths, temporary directories, or user-controlled configuration). Versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5 contains a patch for the issue. Some workarounds are available. Avoid running PHP/one\u0027s own tooling from MSYS2-based shells on Windows; prefer cmd.exe or PowerShell for workflows that spawn native executables. Avoid passing paths containing `=` (and similar MSYS2-sensitive characters) to Symfony Process when operating under Git Bash/MSYS2. Where applicable, configure MSYS2 to disable or restrict argument conversion (e.g. via `MSYS2_ARG_CONV_EXCL`), understanding this may affect other tooling behavior."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-88",
                  "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-28T20:25:21.500Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/symfony/security/advisories/GHSA-r39x-jcww-82v6",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/symfony/security/advisories/GHSA-r39x-jcww-82v6"
            },
            {
              "name": "https://github.com/symfony/symfony/issues/62921",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/issues/62921"
            },
            {
              "name": "https://github.com/symfony/symfony/pull/63164",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/pull/63164"
            },
            {
              "name": "https://github.com/symfony/symfony/commit/35203939050e5abd3caf2202113b00cab5d379b3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/commit/35203939050e5abd3caf2202113b00cab5d379b3"
            },
            {
              "name": "https://github.com/symfony/symfony/commit/ec154f6f95f8c60f831998ec4d246a857e9d179b",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/commit/ec154f6f95f8c60f831998ec4d246a857e9d179b"
            }
          ],
          "source": {
            "advisory": "GHSA-r39x-jcww-82v6",
            "discovery": "UNKNOWN"
          },
          "title": "Symfony has incorrect argument escaping under MSYS2/Git Bash on Windows that can lead to destructive file operations"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-24739",
        "datePublished": "2026-01-28T20:25:21.500Z",
        "dateReserved": "2026-01-26T19:06:16.059Z",
        "dateUpdated": "2026-01-29T18:01:36.510Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-64500 (GCVE-0-2025-64500)

    Vulnerability from nvd – Published: 2025-11-12 21:40 – Updated: 2025-11-13 16:50
    VLAI
    Title
    Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass
    Summary
    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class now ensures that URL paths always start with a `/`.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-647 - Use of Non-Canonical URL Paths for Authorization Decisions
    Assigner
    Impacted products
    Vendor Product Version
    symfony symfony Affected: >= 2.0.0, < 5.4.50
    Affected: >= 6.0.0, < 6.4.29
    Affected: >= 7.0.0, < 7.3.7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-64500",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-13T16:50:43.104313Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-13T16:50:55.341Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "symfony",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.0, \u003c 5.4.50"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.4.29"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0, \u003c 7.3.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony\u0027s HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn\u0027t start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class now ensures that URL paths always start with a `/`."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-647",
                  "description": "CWE-647: Use of Non-Canonical URL Paths for Authorization Decisions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-12T21:40:57.738Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/symfony/security/advisories/GHSA-3rg7-wf37-54rm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/symfony/security/advisories/GHSA-3rg7-wf37-54rm"
            },
            {
              "name": "https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac"
            },
            {
              "name": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2025-64500.yaml",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2025-64500.yaml"
            },
            {
              "name": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2025-64500.yaml",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2025-64500.yaml"
            },
            {
              "name": "https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass"
            }
          ],
          "source": {
            "advisory": "GHSA-3rg7-wf37-54rm",
            "discovery": "UNKNOWN"
          },
          "title": "Symfony\u0027s incorrect parsing of PATH_INFO can lead to limited authorization bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-64500",
        "datePublished": "2025-11-12T21:40:57.738Z",
        "dateReserved": "2025-11-05T19:12:25.103Z",
        "dateUpdated": "2025-11-13T16:50:55.341Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-47946 (GCVE-0-2025-47946)

    Vulnerability from nvd – Published: 2025-05-19 19:25 – Updated: 2025-05-20 13:01
    VLAI
    Title
    symfony/ux-live-component and symfony/ux-twig-component vulnerable to unsanitized HTML attribute injection via ComponentAttributes
    Summary
    Symfony UX is an initiative and set of libraries to integrate JavaScript tools into applications. Prior to version 2.25.1, rendering `{{ attributes }}` or using any method that returns a `ComponentAttributes` instance (e.g. `only()`, `defaults()`, `without()`) ouputs attribute values directly without escaping. If these values are unsafe (e.g. contain user input), this can lead to HTML attribute injection and XSS vulnerabilities. The issue is fixed in version `2.25.1` of `symfony/ux-twig-component` Those who use `symfony/ux-live-component` must also update it to `2.25.1` to benefit from the fix, as it reuses the `ComponentAttributes` class internally. As a workaround, avoid rendering `{{ attributes }}` or derived objects directly if it may contain untrusted values. Instead, use `{{ attributes.render('name') }}` for safe output of individual attributes.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    symfony ux Affected: < 2.25.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-47946",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-20T13:01:03.682812Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-20T13:01:10.237Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ux",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.25.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Symfony UX is an initiative and set of libraries to integrate JavaScript tools into applications. Prior to version 2.25.1, rendering `{{ attributes }}` or using any method that returns a `ComponentAttributes` instance (e.g. `only()`, `defaults()`, `without()`) ouputs attribute values directly without escaping. If these values are unsafe (e.g. contain user input), this can lead to HTML attribute injection and XSS vulnerabilities. The issue is fixed in version `2.25.1` of `symfony/ux-twig-component` Those who use `symfony/ux-live-component` must also update it to `2.25.1` to benefit from the fix, as it reuses the `ComponentAttributes` class internally. As a workaround, avoid rendering `{{ attributes }}` or derived objects directly if it may contain untrusted values.\nInstead, use `{{ attributes.render(\u0027name\u0027) }}` for safe output of individual attributes."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-19T19:25:19.350Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/ux/security/advisories/GHSA-5j3w-5pcr-f8hg",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/ux/security/advisories/GHSA-5j3w-5pcr-f8hg"
            },
            {
              "name": "https://github.com/symfony/ux/commit/b5d1c85995c128cb926d47a96cfbfbd500b643a8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/ux/commit/b5d1c85995c128cb926d47a96cfbfbd500b643a8"
            }
          ],
          "source": {
            "advisory": "GHSA-5j3w-5pcr-f8hg",
            "discovery": "UNKNOWN"
          },
          "title": "symfony/ux-live-component and symfony/ux-twig-component vulnerable to unsanitized HTML attribute injection via ComponentAttributes"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-47946",
        "datePublished": "2025-05-19T19:25:19.350Z",
        "dateReserved": "2025-05-14T10:32:43.530Z",
        "dateUpdated": "2025-05-20T13:01:10.237Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-51996 (GCVE-0-2024-51996)

    Vulnerability from nvd – Published: 2024-11-13 16:18 – Updated: 2024-11-13 18:49
    VLAI
    Title
    Symphony has an Authentication Bypass via RememberMe
    Summary
    Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass. This vulnerability is fixed in 5.4.47, 6.4.15, and 7.1.8.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    • CWE-289 - Authentication Bypass by Alternate Name
    Assigner
    References
    Impacted products
    Vendor Product Version
    symfony symfony Affected: >= 5.3.0, < 5.4.47
    Affected: >= 6.0.0-BETA1, < 6.4.15
    Affected: >= 7.0.0-BETA1, < 7.1.8
    Create a notification for this product.
    symphony_php_framework symphony_process Affected: 0 , ≤ 5.3.0 (custom)
    Affected: 0 , < 5.4.47 (custom)
    Affected: 0 , ≤ 6.0.0-BETA1 (custom)
    Affected: 0 , < 6.4.15 (custom)
    Affected: 0 , ≤ 7.0.0-BETA1 (custom)
    Affected: 0 , < 7.1.8 (custom)
        cpe:2.3:a:symphony_php_framework:symphony_process:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:symphony_php_framework:symphony_process:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "symphony_process",
                "vendor": "symphony_php_framework",
                "versions": [
                  {
                    "lessThanOrEqual": "5.3.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "5.4.47",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThanOrEqual": "6.0.0-BETA1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "6.4.15",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThanOrEqual": "7.0.0-BETA1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "7.1.8",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-51996",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-13T18:49:11.199886Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-13T18:49:31.776Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "symfony",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 5.3.0, \u003c 5.4.47"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0-BETA1, \u003c 6.4.15"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0-BETA1, \u003c 7.1.8"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass. This vulnerability is fixed in 5.4.47, 6.4.15, and 7.1.8."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-289",
                  "description": "CWE-289: Authentication Bypass by Alternate Name",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-13T16:18:49.473Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/symfony/security/advisories/GHSA-cg23-qf8f-62rr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/symfony/security/advisories/GHSA-cg23-qf8f-62rr"
            },
            {
              "name": "https://github.com/symfony/symfony/commit/81354d392c5f0b7a52bcbd729d6f82501e94135a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/commit/81354d392c5f0b7a52bcbd729d6f82501e94135a"
            }
          ],
          "source": {
            "advisory": "GHSA-cg23-qf8f-62rr",
            "discovery": "UNKNOWN"
          },
          "title": "Symphony has an Authentication Bypass via RememberMe"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-51996",
        "datePublished": "2024-11-13T16:18:49.473Z",
        "dateReserved": "2024-11-04T17:46:16.776Z",
        "dateUpdated": "2024-11-13T18:49:31.776Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-51736 (GCVE-0-2024-51736)

    Vulnerability from nvd – Published: 2024-11-06 20:51 – Updated: 2024-11-21 23:23
    VLAI
    Title
    Command execution hijack on Windows with Process class in symfony/process
    Summary
    Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. On Windows, when an executable file named `cmd.exe` is located in the current working directory it will be called by the `Process` class when preparing command arguments, leading to possible hijacking. This issue has been addressed in release versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    symfony symfony Affected: < 5.4.46
    Affected: >= 6.0.0, < 6.4.14
    Affected: >= 7.0.0, < 7.1.7
    Create a notification for this product.
    symfony symfony Affected: 0 , < 5.4.46 (custom)
    Affected: 6.0.0 , < 6.4.14 (custom)
    Affected: 7.0.0 , < 7.1.7 (custom)
        cpe:2.3:a:symfony:symfony:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:symfony:symfony:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "symfony",
                "vendor": "symfony",
                "versions": [
                  {
                    "lessThan": "5.4.46",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "6.4.14",
                    "status": "affected",
                    "version": "6.0.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "7.1.7",
                    "status": "affected",
                    "version": "7.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-51736",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-21T23:20:34.134307Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-21T23:23:26.713Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "symfony",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.4.46"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.4.14"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0, \u003c 7.1.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. On Windows, when an executable file named `cmd.exe` is located in the current working directory it will be called by the `Process` class when preparing command arguments, leading to possible hijacking. This issue has been addressed in release versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 0,
                "baseSeverity": "NONE",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-77",
                  "description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-06T20:51:38.536Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/symfony/security/advisories/GHSA-qq5c-677p-737q",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/symfony/security/advisories/GHSA-qq5c-677p-737q"
            },
            {
              "name": "https://github.com/symfony/symfony/security/advisories/GHSA-qq5c-677p-737q",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/security/advisories/GHSA-qq5c-677p-737q"
            }
          ],
          "source": {
            "advisory": "GHSA-qq5c-677p-737q",
            "discovery": "UNKNOWN"
          },
          "title": "Command execution hijack on Windows with Process class in symfony/process"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-51736",
        "datePublished": "2024-11-06T20:51:38.536Z",
        "dateReserved": "2024-10-31T14:12:45.788Z",
        "dateUpdated": "2024-11-21T23:23:26.713Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-50345 (GCVE-0-2024-50345)

    Vulnerability from nvd – Published: 2024-11-06 20:56 – Updated: 2025-11-03 19:31
    VLAI
    Title
    Open redirect via browser-sanitized URLs in symfony/http-foundation
    Summary
    symfony/http-foundation is a module for the Symphony PHP framework which defines an object-oriented layer for the HTTP specification. The `Request` class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain. The `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/. This issue has been patched in versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
    Assigner
    Impacted products
    Vendor Product Version
    symfony symfony Affected: < 5.4.46
    Affected: >= 6.0.0, < 6.4.14
    Affected: >= 7.0.0, < 7.1.7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-50345",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-07T15:21:57.359493Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-07T15:22:48.319Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-03T19:31:47.017Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00051.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "symfony",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.4.46"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.4.14"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0, \u003c 7.1.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "symfony/http-foundation is a module for the Symphony PHP framework which defines an object-oriented layer for the HTTP specification. The `Request` class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain. The `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/. This issue has been patched in versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-06T20:56:21.062Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/symfony/security/advisories/GHSA-mrqx-rp3w-jpjp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/symfony/security/advisories/GHSA-mrqx-rp3w-jpjp"
            },
            {
              "name": "https://url.spec.whatwg.org",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://url.spec.whatwg.org"
            }
          ],
          "source": {
            "advisory": "GHSA-mrqx-rp3w-jpjp",
            "discovery": "UNKNOWN"
          },
          "title": "Open redirect via browser-sanitized URLs in symfony/http-foundation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-50345",
        "datePublished": "2024-11-06T20:56:21.062Z",
        "dateReserved": "2024-10-22T17:54:40.955Z",
        "dateUpdated": "2025-11-03T19:31:47.017Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-50343 (GCVE-0-2024-50343)

    Vulnerability from nvd – Published: 2024-11-06 21:00 – Updated: 2025-11-03 19:31
    VLAI
    Title
    Incorrect response from Validator when input ends with `\n` in symfony/validator
    Summary
    symfony/validator is a module for the Symphony PHP framework which provides tools to validate values. It is possible to trick a `Validator` configured with a regular expression using the `$` metacharacters, with an input ending with `\n`. Symfony as of versions 5.4.43, 6.4.11, and 7.1.4 now uses the `D` regex modifier to match the entire input. Users are advised to upgrade. There are no known workarounds for this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    symfony symfony Affected: < 5.4.43
    Affected: >= 6.0.0, < 6.4.11
    Affected: >= 7.0.0, < 7.1.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-50343",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-07T15:25:47.383236Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-07T15:25:56.212Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-03T19:31:45.637Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00051.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "symfony",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.4.43"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.4.11"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0, \u003c 7.1.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "symfony/validator is a module for the Symphony PHP framework which provides tools to validate values. It is possible to trick a `Validator` configured with a regular expression using the `$` metacharacters, with an input ending with `\\n`. Symfony as of versions 5.4.43, 6.4.11, and 7.1.4 now uses the `D` regex modifier to match the entire input. Users are advised to upgrade. There are no known workarounds for this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-06T21:00:55.266Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/symfony/security/advisories/GHSA-g3rh-rrhp-jhh9",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/symfony/security/advisories/GHSA-g3rh-rrhp-jhh9"
            },
            {
              "name": "https://github.com/symfony/symfony/commit/7d1032bbead9a4229b32fa6ebca32681c80cb76f",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/commit/7d1032bbead9a4229b32fa6ebca32681c80cb76f"
            }
          ],
          "source": {
            "advisory": "GHSA-g3rh-rrhp-jhh9",
            "discovery": "UNKNOWN"
          },
          "title": "Incorrect response from Validator when input ends with `\\n` in symfony/validator"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-50343",
        "datePublished": "2024-11-06T21:00:55.266Z",
        "dateReserved": "2024-10-22T17:54:40.955Z",
        "dateUpdated": "2025-11-03T19:31:45.637Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-50342 (GCVE-0-2024-50342)

    Vulnerability from nvd – Published: 2024-11-06 21:03 – Updated: 2024-11-07 15:26
    VLAI
    Title
    Internal address and port enumeration allowed by NoPrivateNetworkHttpClient in symfony/http-client
    Summary
    symfony/http-client is a module for the Symphony PHP framework which provides powerful methods to fetch HTTP resources synchronously or asynchronously. When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration. As of versions 5.4.46, 6.4.14, and 7.1.7 the `NoPrivateNetworkHttpClient` now filters blocked IPs earlier to prevent such leaks. All users are advised to upgrade. There are no known workarounds for this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    References
    Impacted products
    Vendor Product Version
    symfony symfony Affected: < 5.4.46
    Affected: >= 6.0.0, < 6.4.14
    Affected: >= 7.0.0, < 7.1.7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-50342",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-07T15:26:26.266702Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-07T15:26:33.540Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "symfony",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.4.46"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.4.14"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0, \u003c 7.1.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "symfony/http-client is a module for the Symphony PHP framework which provides powerful methods to fetch HTTP resources synchronously or asynchronously. When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration. As of versions 5.4.46, 6.4.14, and 7.1.7 the `NoPrivateNetworkHttpClient` now filters blocked IPs earlier to prevent such leaks. All users are advised to upgrade. There are no known workarounds for this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-06T21:03:12.331Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/symfony/security/advisories/GHSA-9c3x-r3wp-mgxm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/symfony/security/advisories/GHSA-9c3x-r3wp-mgxm"
            },
            {
              "name": "https://github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f5b",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f5b"
            }
          ],
          "source": {
            "advisory": "GHSA-9c3x-r3wp-mgxm",
            "discovery": "UNKNOWN"
          },
          "title": "Internal address and port enumeration allowed by NoPrivateNetworkHttpClient in symfony/http-client"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-50342",
        "datePublished": "2024-11-06T21:03:12.331Z",
        "dateReserved": "2024-10-22T17:54:40.955Z",
        "dateUpdated": "2024-11-07T15:26:33.540Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-50341 (GCVE-0-2024-50341)

    Vulnerability from nvd – Published: 2024-11-06 21:06 – Updated: 2024-11-07 15:27
    VLAI
    Title
    Security::login does not take into account custom user_checker in symfony/security-bundle
    Summary
    symfony/security-bundle is a module for the Symphony PHP framework which provides a tight integration of the Security component into the Symfony full-stack framework. The custom `user_checker` defined on a firewall is not called when Login Programmaticaly with the `Security::login` method, leading to unwanted login. As of versions 6.4.10, 7.0.10 and 7.1.3 the `Security::login` method now ensure to call the configured `user_checker`. All users are advised to upgrade. There are no known workarounds for this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    References
    Impacted products
    Vendor Product Version
    symfony symfony Affected: >= 6.2.0, < 6.4.10
    Affected: >= 7.0.0, < 7.0.10
    Affected: >= 7.1.0, < 7.1.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-50341",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-07T15:26:59.288534Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-07T15:27:06.600Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "symfony",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.2.0, \u003c 6.4.10"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0, \u003c 7.0.10"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.1.0, \u003c 7.1.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "symfony/security-bundle is a module for the Symphony PHP framework which provides a tight integration of the Security component into the Symfony full-stack framework. The custom `user_checker` defined on a firewall is not called when Login Programmaticaly with the `Security::login` method, leading to  unwanted login. As of versions 6.4.10, 7.0.10 and 7.1.3 the `Security::login` method now ensure to call the configured `user_checker`. All users are advised to upgrade. There are no known workarounds for this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-06T21:07:11.065Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/symfony/security/advisories/GHSA-jxgr-3v7q-3w9v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/symfony/security/advisories/GHSA-jxgr-3v7q-3w9v"
            },
            {
              "name": "https://github.com/symfony/symfony/commit/22a0789a0085c3ee96f4ef715ecad8255cf0e105",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/commit/22a0789a0085c3ee96f4ef715ecad8255cf0e105"
            }
          ],
          "source": {
            "advisory": "GHSA-jxgr-3v7q-3w9v",
            "discovery": "UNKNOWN"
          },
          "title": "Security::login does not take into account custom user_checker in symfony/security-bundle"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-50341",
        "datePublished": "2024-11-06T21:06:49.426Z",
        "dateReserved": "2024-10-22T17:54:40.955Z",
        "dateUpdated": "2024-11-07T15:27:06.600Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-50340 (GCVE-0-2024-50340)

    Vulnerability from nvd – Published: 2024-11-06 21:09 – Updated: 2024-11-07 15:29
    VLAI
    Title
    Ability to change environment from query in symfony/runtime
    Summary
    symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the `register_argv_argc` php directive is set to `on` , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. As of versions 5.4.46, 6.4.14, and 7.1.7 the `SymfonyRuntime` now ignores the `argv` values for non-SAPI PHP runtimes. All users are advised to upgrade. There are no known workarounds for this vulnerability.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    symfony symfony Affected: < 5.4.46
    Affected: >= 6.0.0, < 6.4.14
    Affected: >= 7.0.0, < 7.1.7
    Create a notification for this product.
    sensiolabs symfony Affected: 0 , < 5.4.46 (custom)
    Affected: 6.0.0 , < 6.4.14 (custom)
    Affected: 7.0.0 , < 7.1.7 (custom)
        cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "symfony",
                "vendor": "sensiolabs",
                "versions": [
                  {
                    "lessThan": "5.4.46",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "6.4.14",
                    "status": "affected",
                    "version": "6.0.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "7.1.7",
                    "status": "affected",
                    "version": "7.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-50340",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-07T15:27:34.309967Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-07T15:29:50.292Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "symfony",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.4.46"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.4.14"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0, \u003c 7.1.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the `register_argv_argc` php directive is set to `on` , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. As of versions 5.4.46, 6.4.14, and 7.1.7 the `SymfonyRuntime` now ignores the `argv` values for non-SAPI PHP runtimes. All users are advised to upgrade. There are no known workarounds for this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-06T21:09:46.750Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/symfony/security/advisories/GHSA-x8vp-gf4q-mw5j",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/symfony/security/advisories/GHSA-x8vp-gf4q-mw5j"
            },
            {
              "name": "https://github.com/symfony/symfony/commit/a77b308c3f179ed7c8a8bc295f82b2d6ee3493fa",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/commit/a77b308c3f179ed7c8a8bc295f82b2d6ee3493fa"
            }
          ],
          "source": {
            "advisory": "GHSA-x8vp-gf4q-mw5j",
            "discovery": "UNKNOWN"
          },
          "title": "Ability to change environment from query in symfony/runtime"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-50340",
        "datePublished": "2024-11-06T21:09:46.750Z",
        "dateReserved": "2024-10-22T17:54:40.955Z",
        "dateUpdated": "2024-11-07T15:29:50.292Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-55877 (GCVE-0-2026-55877)

    Vulnerability from cvelistv5 – Published: 2026-07-08 21:32 – Updated: 2026-07-09 14:40
    VLAI
    Title
    Symfony UX: XSS in symfony/ux-icons via unsanitized SVG content in local files and Iconify on-demand responses
    Summary
    Symfony UX is a JavaScript ecosystem for Symfony. From 2.17.0 before 2.36.1 and from 3.0.0 before 3.2.0, the ux_icon() Twig function is marked is_safe=['html'] and Icon::toHtml() inlines SVG source verbatim, allowing unsanitized local SVG files or Iconify on-demand JSON body responses containing nested script elements, on* event handlers, or dangerous URL schemes to execute cross-site scripting. This issue is fixed in versions 2.36.1 and 3.2.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    symfony ux Affected: >= 2.17.0, < 2.36.1
    Affected: >= 3.0.0, < 3.2.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55877",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T14:21:00.657899Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T14:40:25.026Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ux",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.17.0, \u003c 2.36.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.0.0, \u003c 3.2.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Symfony UX is a JavaScript ecosystem for Symfony. From 2.17.0 before 2.36.1 and from 3.0.0 before 3.2.0, the ux_icon() Twig function is marked is_safe=[\u0027html\u0027] and Icon::toHtml() inlines SVG source verbatim, allowing unsanitized local SVG files or Iconify on-demand JSON body responses containing nested script elements, on* event handlers, or dangerous URL schemes to execute cross-site scripting. This issue is fixed in versions 2.36.1 and 3.2.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T21:32:37.407Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/ux/security/advisories/GHSA-6v8j-33hc-mv84",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/ux/security/advisories/GHSA-6v8j-33hc-mv84"
            },
            {
              "name": "https://github.com/symfony/ux/commit/3a4964ec3700f0af4e13f7bfbf8bb3174c3e79d1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/ux/commit/3a4964ec3700f0af4e13f7bfbf8bb3174c3e79d1"
            },
            {
              "name": "https://github.com/symfony/ux/releases/tag/v2.36.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/ux/releases/tag/v2.36.1"
            },
            {
              "name": "https://github.com/symfony/ux/releases/tag/v3.2.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/ux/releases/tag/v3.2.0"
            }
          ],
          "source": {
            "advisory": "GHSA-6v8j-33hc-mv84",
            "discovery": "UNKNOWN"
          },
          "title": "Symfony UX: XSS in symfony/ux-icons via unsanitized SVG content in local files and Iconify on-demand responses"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55877",
        "datePublished": "2026-07-08T21:32:37.407Z",
        "dateReserved": "2026-06-17T16:59:42.759Z",
        "dateUpdated": "2026-07-09T14:40:25.026Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55878 (GCVE-0-2026-55878)

    Vulnerability from cvelistv5 – Published: 2026-07-08 21:30 – Updated: 2026-07-09 14:19
    VLAI
    Title
    Symfony: Path Traversal in symfony/ux-toolkit Allows Arbitrary File Write and Read via Crafted Recipe Manifest
    Summary
    Symfony UX is a JavaScript ecosystem for Symfony. From 2.32.0 before 2.36.1 and from 3.0.0 before 3.2.0, the ux:install console command installs files from a recipe kit by copying paths listed in a copy-files map, and because Path::isRelative() accepts paths like ../../../etc, a crafted or compromised kit can write attacker-controlled content to arbitrary locations or read local files outside the recipe directory. This issue is fixed in versions 2.36.1 and 3.2.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    symfony ux Affected: >= 2.32.0, < 2.36.1
    Affected: >= 3.0.0, < 3.2.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55878",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T14:18:56.012444Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T14:19:07.068Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ux",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.32.0, \u003c 2.36.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.0.0, \u003c 3.2.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Symfony UX is a JavaScript ecosystem for Symfony. From 2.32.0 before 2.36.1 and from 3.0.0 before 3.2.0, the ux:install console command installs files from a recipe kit by copying paths listed in a copy-files map, and because Path::isRelative() accepts paths like ../../../etc, a crafted or compromised kit can write attacker-controlled content to arbitrary locations or read local files outside the recipe directory. This issue is fixed in versions 2.36.1 and 3.2.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T21:30:33.816Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/ux/security/advisories/GHSA-p9xj-fpr2-jf2q",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/ux/security/advisories/GHSA-p9xj-fpr2-jf2q"
            },
            {
              "name": "https://github.com/symfony/ux/commit/7b4ddf3764bf269a1b5fde5bf03c4bce568694e4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/ux/commit/7b4ddf3764bf269a1b5fde5bf03c4bce568694e4"
            },
            {
              "name": "https://github.com/symfony/ux/releases/tag/v2.36.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/ux/releases/tag/v2.36.1"
            },
            {
              "name": "https://github.com/symfony/ux/releases/tag/v3.2.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/ux/releases/tag/v3.2.0"
            }
          ],
          "source": {
            "advisory": "GHSA-p9xj-fpr2-jf2q",
            "discovery": "UNKNOWN"
          },
          "title": "Symfony: Path Traversal in symfony/ux-toolkit Allows Arbitrary File Write and Read via Crafted Recipe Manifest"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55878",
        "datePublished": "2026-07-08T21:30:33.816Z",
        "dateReserved": "2026-06-17T16:59:42.759Z",
        "dateUpdated": "2026-07-09T14:19:07.068Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-24425 (GCVE-0-2026-24425)

    Vulnerability from cvelistv5 – Published: 2026-05-20 13:45 – Updated: 2026-05-20 15:44 X_Open Source
    VLAI
    Title
    Twig 2.16.x & 3.9.0-3.25.x Sandbox Bypass via SourcePolicyInterface
    Summary
    Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary PHP callables to sort, filter, map, and reduce filters. Attackers can exploit the runtime check that fails to use the current template source to bypass sandbox restrictions and execute arbitrary code when the sandbox is enabled through a source policy rather than globally.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-693 - Protection Mechanism Failure
    Assigner
    Impacted products
    Vendor Product Version
    twigphp Twig Affected: 3.9.0 , < 3.26.0 (semver)
    Affected: 2.16.* (custom)
    Create a notification for this product.
    Date Public
    2026-05-20 00:00
    Credits
    Nicolò Ribaudo Fabien Potencier VulnCheck
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-24425",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-20T15:43:54.656189Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-20T15:44:33.359Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Twig",
              "repo": "https://github.com/twigphp/Twig",
              "vendor": "twigphp",
              "versions": [
                {
                  "lessThan": "3.26.0",
                  "status": "affected",
                  "version": "3.9.0",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "2.16.*",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nicol\u00f2 Ribaudo"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Fabien Potencier"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulnCheck"
            }
          ],
          "datePublic": "2026-05-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eTwig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary PHP callables to sort, filter, map, and reduce filters. Attackers can exploit the runtime check that fails to use the current template source to bypass sandbox restrictions and execute arbitrary code when the sandbox is enabled through a source policy rather than globally.\u003c/p\u003e"
                }
              ],
              "value": "Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary PHP callables to sort, filter, map, and reduce filters. Attackers can exploit the runtime check that fails to use the current template source to bypass sandbox restrictions and execute arbitrary code when the sandbox is enabled through a source policy rather than globally."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-693",
                  "description": "CWE-693 Protection Mechanism Failure",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-20T13:45:43.338Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/twigphp/Twig/security/advisories/GHSA-2q52-x2ff-qgfr"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://github.com/twigphp/Twig/releases/tag/v3.26.0"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/twig-x-x-sandbox-bypass-via-sourcepolicyinterface"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "tags": [
            "x_open-source"
          ],
          "title": "Twig 2.16.x \u0026 3.9.0-3.25.x Sandbox Bypass via SourcePolicyInterface",
          "x_generator": {
            "engine": "vulncheck"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-24425",
        "datePublished": "2026-05-20T13:45:02.413Z",
        "dateReserved": "2026-01-22T20:23:19.801Z",
        "dateUpdated": "2026-05-20T15:44:33.359Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-24739 (GCVE-0-2026-24739)

    Vulnerability from cvelistv5 – Published: 2026-01-28 20:25 – Updated: 2026-01-29 18:01
    VLAI
    Title
    Symfony has incorrect argument escaping under MSYS2/Git Bash on Windows that can lead to destructive file operations
    Summary
    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5, the Symfony Process component did not correctly treat some characters (notably `=`) as “special” when escaping arguments on Windows. When PHP is executed from an MSYS2-based environment (e.g. Git Bash) and Symfony Process spawns native Windows executables, MSYS2’s argument/path conversion can mis-handle unquoted arguments containing these characters. This can cause the spawned process to receive corrupted/truncated arguments compared to what Symfony intended. If an application (or tooling such as Composer scripts) uses Symfony Process to invoke file-management commands (e.g. `rmdir`, `del`, etc.) with a path argument containing `=`, the MSYS2 conversion layer may alter the argument at runtime. In affected setups this can result in operations being performed on an unintended path, up to and including deletion of the contents of a broader directory or drive. The issue is particularly relevant when untrusted input can influence process arguments (directly or indirectly, e.g. via repository paths, extracted archive paths, temporary directories, or user-controlled configuration). Versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5 contains a patch for the issue. Some workarounds are available. Avoid running PHP/one's own tooling from MSYS2-based shells on Windows; prefer cmd.exe or PowerShell for workflows that spawn native executables. Avoid passing paths containing `=` (and similar MSYS2-sensitive characters) to Symfony Process when operating under Git Bash/MSYS2. Where applicable, configure MSYS2 to disable or restrict argument conversion (e.g. via `MSYS2_ARG_CONV_EXCL`), understanding this may affect other tooling behavior.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
    Assigner
    Impacted products
    Vendor Product Version
    symfony symfony Affected: < 5.4.51
    Affected: >= 6.4.0, < 6.4.33
    Affected: >= 7.3.0, < 7.3.11
    Affected: >= 7.4.0, < 7.4.5
    Affected: >= 8.0.0 , < 8.0.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-24739",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-29T16:03:49.659737Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-29T18:01:36.510Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "symfony",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.4.51"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.4.0, \u003c 6.4.33"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.3.0, \u003c 7.3.11"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.4.0, \u003c 7.4.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0 , \u003c 8.0.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5, the Symfony Process component did not correctly treat some characters (notably `=`) as \u201cspecial\u201d when escaping arguments on Windows. When PHP is executed from an MSYS2-based environment (e.g. Git Bash) and Symfony Process spawns native Windows executables, MSYS2\u2019s argument/path conversion can mis-handle unquoted arguments containing these characters. This can cause the spawned process to receive corrupted/truncated arguments compared to what Symfony intended. If an application (or tooling such as Composer scripts) uses Symfony Process to invoke file-management commands (e.g. `rmdir`, `del`, etc.) with a path argument containing `=`, the MSYS2 conversion layer may alter the argument at runtime. In affected setups this can result in operations being performed on an unintended path, up to and including deletion of the contents of a broader directory or drive. The issue is particularly relevant when untrusted input can influence process arguments (directly or indirectly, e.g. via repository paths, extracted archive paths, temporary directories, or user-controlled configuration). Versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5 contains a patch for the issue. Some workarounds are available. Avoid running PHP/one\u0027s own tooling from MSYS2-based shells on Windows; prefer cmd.exe or PowerShell for workflows that spawn native executables. Avoid passing paths containing `=` (and similar MSYS2-sensitive characters) to Symfony Process when operating under Git Bash/MSYS2. Where applicable, configure MSYS2 to disable or restrict argument conversion (e.g. via `MSYS2_ARG_CONV_EXCL`), understanding this may affect other tooling behavior."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-88",
                  "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-28T20:25:21.500Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/symfony/security/advisories/GHSA-r39x-jcww-82v6",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/symfony/security/advisories/GHSA-r39x-jcww-82v6"
            },
            {
              "name": "https://github.com/symfony/symfony/issues/62921",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/issues/62921"
            },
            {
              "name": "https://github.com/symfony/symfony/pull/63164",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/pull/63164"
            },
            {
              "name": "https://github.com/symfony/symfony/commit/35203939050e5abd3caf2202113b00cab5d379b3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/commit/35203939050e5abd3caf2202113b00cab5d379b3"
            },
            {
              "name": "https://github.com/symfony/symfony/commit/ec154f6f95f8c60f831998ec4d246a857e9d179b",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/commit/ec154f6f95f8c60f831998ec4d246a857e9d179b"
            }
          ],
          "source": {
            "advisory": "GHSA-r39x-jcww-82v6",
            "discovery": "UNKNOWN"
          },
          "title": "Symfony has incorrect argument escaping under MSYS2/Git Bash on Windows that can lead to destructive file operations"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-24739",
        "datePublished": "2026-01-28T20:25:21.500Z",
        "dateReserved": "2026-01-26T19:06:16.059Z",
        "dateUpdated": "2026-01-29T18:01:36.510Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-64500 (GCVE-0-2025-64500)

    Vulnerability from cvelistv5 – Published: 2025-11-12 21:40 – Updated: 2025-11-13 16:50
    VLAI
    Title
    Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass
    Summary
    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class now ensures that URL paths always start with a `/`.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-647 - Use of Non-Canonical URL Paths for Authorization Decisions
    Assigner
    Impacted products
    Vendor Product Version
    symfony symfony Affected: >= 2.0.0, < 5.4.50
    Affected: >= 6.0.0, < 6.4.29
    Affected: >= 7.0.0, < 7.3.7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-64500",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-13T16:50:43.104313Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-13T16:50:55.341Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "symfony",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.0, \u003c 5.4.50"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.4.29"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0, \u003c 7.3.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony\u0027s HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn\u0027t start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class now ensures that URL paths always start with a `/`."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-647",
                  "description": "CWE-647: Use of Non-Canonical URL Paths for Authorization Decisions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-12T21:40:57.738Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/symfony/security/advisories/GHSA-3rg7-wf37-54rm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/symfony/security/advisories/GHSA-3rg7-wf37-54rm"
            },
            {
              "name": "https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac"
            },
            {
              "name": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2025-64500.yaml",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2025-64500.yaml"
            },
            {
              "name": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2025-64500.yaml",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2025-64500.yaml"
            },
            {
              "name": "https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass"
            }
          ],
          "source": {
            "advisory": "GHSA-3rg7-wf37-54rm",
            "discovery": "UNKNOWN"
          },
          "title": "Symfony\u0027s incorrect parsing of PATH_INFO can lead to limited authorization bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-64500",
        "datePublished": "2025-11-12T21:40:57.738Z",
        "dateReserved": "2025-11-05T19:12:25.103Z",
        "dateUpdated": "2025-11-13T16:50:55.341Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-47946 (GCVE-0-2025-47946)

    Vulnerability from cvelistv5 – Published: 2025-05-19 19:25 – Updated: 2025-05-20 13:01
    VLAI
    Title
    symfony/ux-live-component and symfony/ux-twig-component vulnerable to unsanitized HTML attribute injection via ComponentAttributes
    Summary
    Symfony UX is an initiative and set of libraries to integrate JavaScript tools into applications. Prior to version 2.25.1, rendering `{{ attributes }}` or using any method that returns a `ComponentAttributes` instance (e.g. `only()`, `defaults()`, `without()`) ouputs attribute values directly without escaping. If these values are unsafe (e.g. contain user input), this can lead to HTML attribute injection and XSS vulnerabilities. The issue is fixed in version `2.25.1` of `symfony/ux-twig-component` Those who use `symfony/ux-live-component` must also update it to `2.25.1` to benefit from the fix, as it reuses the `ComponentAttributes` class internally. As a workaround, avoid rendering `{{ attributes }}` or derived objects directly if it may contain untrusted values. Instead, use `{{ attributes.render('name') }}` for safe output of individual attributes.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    symfony ux Affected: < 2.25.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-47946",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-20T13:01:03.682812Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-20T13:01:10.237Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ux",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.25.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Symfony UX is an initiative and set of libraries to integrate JavaScript tools into applications. Prior to version 2.25.1, rendering `{{ attributes }}` or using any method that returns a `ComponentAttributes` instance (e.g. `only()`, `defaults()`, `without()`) ouputs attribute values directly without escaping. If these values are unsafe (e.g. contain user input), this can lead to HTML attribute injection and XSS vulnerabilities. The issue is fixed in version `2.25.1` of `symfony/ux-twig-component` Those who use `symfony/ux-live-component` must also update it to `2.25.1` to benefit from the fix, as it reuses the `ComponentAttributes` class internally. As a workaround, avoid rendering `{{ attributes }}` or derived objects directly if it may contain untrusted values.\nInstead, use `{{ attributes.render(\u0027name\u0027) }}` for safe output of individual attributes."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-19T19:25:19.350Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/ux/security/advisories/GHSA-5j3w-5pcr-f8hg",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/ux/security/advisories/GHSA-5j3w-5pcr-f8hg"
            },
            {
              "name": "https://github.com/symfony/ux/commit/b5d1c85995c128cb926d47a96cfbfbd500b643a8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/ux/commit/b5d1c85995c128cb926d47a96cfbfbd500b643a8"
            }
          ],
          "source": {
            "advisory": "GHSA-5j3w-5pcr-f8hg",
            "discovery": "UNKNOWN"
          },
          "title": "symfony/ux-live-component and symfony/ux-twig-component vulnerable to unsanitized HTML attribute injection via ComponentAttributes"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-47946",
        "datePublished": "2025-05-19T19:25:19.350Z",
        "dateReserved": "2025-05-14T10:32:43.530Z",
        "dateUpdated": "2025-05-20T13:01:10.237Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-51996 (GCVE-0-2024-51996)

    Vulnerability from cvelistv5 – Published: 2024-11-13 16:18 – Updated: 2024-11-13 18:49
    VLAI
    Title
    Symphony has an Authentication Bypass via RememberMe
    Summary
    Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass. This vulnerability is fixed in 5.4.47, 6.4.15, and 7.1.8.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    • CWE-289 - Authentication Bypass by Alternate Name
    Assigner
    References
    Impacted products
    Vendor Product Version
    symfony symfony Affected: >= 5.3.0, < 5.4.47
    Affected: >= 6.0.0-BETA1, < 6.4.15
    Affected: >= 7.0.0-BETA1, < 7.1.8
    Create a notification for this product.
    symphony_php_framework symphony_process Affected: 0 , ≤ 5.3.0 (custom)
    Affected: 0 , < 5.4.47 (custom)
    Affected: 0 , ≤ 6.0.0-BETA1 (custom)
    Affected: 0 , < 6.4.15 (custom)
    Affected: 0 , ≤ 7.0.0-BETA1 (custom)
    Affected: 0 , < 7.1.8 (custom)
        cpe:2.3:a:symphony_php_framework:symphony_process:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:symphony_php_framework:symphony_process:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "symphony_process",
                "vendor": "symphony_php_framework",
                "versions": [
                  {
                    "lessThanOrEqual": "5.3.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "5.4.47",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThanOrEqual": "6.0.0-BETA1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "6.4.15",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThanOrEqual": "7.0.0-BETA1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "7.1.8",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-51996",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-13T18:49:11.199886Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-13T18:49:31.776Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "symfony",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 5.3.0, \u003c 5.4.47"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0-BETA1, \u003c 6.4.15"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0-BETA1, \u003c 7.1.8"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass. This vulnerability is fixed in 5.4.47, 6.4.15, and 7.1.8."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-289",
                  "description": "CWE-289: Authentication Bypass by Alternate Name",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-13T16:18:49.473Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/symfony/security/advisories/GHSA-cg23-qf8f-62rr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/symfony/security/advisories/GHSA-cg23-qf8f-62rr"
            },
            {
              "name": "https://github.com/symfony/symfony/commit/81354d392c5f0b7a52bcbd729d6f82501e94135a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/commit/81354d392c5f0b7a52bcbd729d6f82501e94135a"
            }
          ],
          "source": {
            "advisory": "GHSA-cg23-qf8f-62rr",
            "discovery": "UNKNOWN"
          },
          "title": "Symphony has an Authentication Bypass via RememberMe"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-51996",
        "datePublished": "2024-11-13T16:18:49.473Z",
        "dateReserved": "2024-11-04T17:46:16.776Z",
        "dateUpdated": "2024-11-13T18:49:31.776Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-50340 (GCVE-0-2024-50340)

    Vulnerability from cvelistv5 – Published: 2024-11-06 21:09 – Updated: 2024-11-07 15:29
    VLAI
    Title
    Ability to change environment from query in symfony/runtime
    Summary
    symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the `register_argv_argc` php directive is set to `on` , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. As of versions 5.4.46, 6.4.14, and 7.1.7 the `SymfonyRuntime` now ignores the `argv` values for non-SAPI PHP runtimes. All users are advised to upgrade. There are no known workarounds for this vulnerability.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    symfony symfony Affected: < 5.4.46
    Affected: >= 6.0.0, < 6.4.14
    Affected: >= 7.0.0, < 7.1.7
    Create a notification for this product.
    sensiolabs symfony Affected: 0 , < 5.4.46 (custom)
    Affected: 6.0.0 , < 6.4.14 (custom)
    Affected: 7.0.0 , < 7.1.7 (custom)
        cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "symfony",
                "vendor": "sensiolabs",
                "versions": [
                  {
                    "lessThan": "5.4.46",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "6.4.14",
                    "status": "affected",
                    "version": "6.0.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "7.1.7",
                    "status": "affected",
                    "version": "7.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-50340",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-07T15:27:34.309967Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-07T15:29:50.292Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "symfony",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.4.46"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.4.14"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0, \u003c 7.1.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the `register_argv_argc` php directive is set to `on` , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. As of versions 5.4.46, 6.4.14, and 7.1.7 the `SymfonyRuntime` now ignores the `argv` values for non-SAPI PHP runtimes. All users are advised to upgrade. There are no known workarounds for this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-06T21:09:46.750Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/symfony/security/advisories/GHSA-x8vp-gf4q-mw5j",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/symfony/security/advisories/GHSA-x8vp-gf4q-mw5j"
            },
            {
              "name": "https://github.com/symfony/symfony/commit/a77b308c3f179ed7c8a8bc295f82b2d6ee3493fa",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/commit/a77b308c3f179ed7c8a8bc295f82b2d6ee3493fa"
            }
          ],
          "source": {
            "advisory": "GHSA-x8vp-gf4q-mw5j",
            "discovery": "UNKNOWN"
          },
          "title": "Ability to change environment from query in symfony/runtime"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-50340",
        "datePublished": "2024-11-06T21:09:46.750Z",
        "dateReserved": "2024-10-22T17:54:40.955Z",
        "dateUpdated": "2024-11-07T15:29:50.292Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-50341 (GCVE-0-2024-50341)

    Vulnerability from cvelistv5 – Published: 2024-11-06 21:06 – Updated: 2024-11-07 15:27
    VLAI
    Title
    Security::login does not take into account custom user_checker in symfony/security-bundle
    Summary
    symfony/security-bundle is a module for the Symphony PHP framework which provides a tight integration of the Security component into the Symfony full-stack framework. The custom `user_checker` defined on a firewall is not called when Login Programmaticaly with the `Security::login` method, leading to unwanted login. As of versions 6.4.10, 7.0.10 and 7.1.3 the `Security::login` method now ensure to call the configured `user_checker`. All users are advised to upgrade. There are no known workarounds for this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    References
    Impacted products
    Vendor Product Version
    symfony symfony Affected: >= 6.2.0, < 6.4.10
    Affected: >= 7.0.0, < 7.0.10
    Affected: >= 7.1.0, < 7.1.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-50341",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-07T15:26:59.288534Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-07T15:27:06.600Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "symfony",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.2.0, \u003c 6.4.10"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0, \u003c 7.0.10"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.1.0, \u003c 7.1.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "symfony/security-bundle is a module for the Symphony PHP framework which provides a tight integration of the Security component into the Symfony full-stack framework. The custom `user_checker` defined on a firewall is not called when Login Programmaticaly with the `Security::login` method, leading to  unwanted login. As of versions 6.4.10, 7.0.10 and 7.1.3 the `Security::login` method now ensure to call the configured `user_checker`. All users are advised to upgrade. There are no known workarounds for this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-06T21:07:11.065Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/symfony/security/advisories/GHSA-jxgr-3v7q-3w9v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/symfony/security/advisories/GHSA-jxgr-3v7q-3w9v"
            },
            {
              "name": "https://github.com/symfony/symfony/commit/22a0789a0085c3ee96f4ef715ecad8255cf0e105",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/commit/22a0789a0085c3ee96f4ef715ecad8255cf0e105"
            }
          ],
          "source": {
            "advisory": "GHSA-jxgr-3v7q-3w9v",
            "discovery": "UNKNOWN"
          },
          "title": "Security::login does not take into account custom user_checker in symfony/security-bundle"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-50341",
        "datePublished": "2024-11-06T21:06:49.426Z",
        "dateReserved": "2024-10-22T17:54:40.955Z",
        "dateUpdated": "2024-11-07T15:27:06.600Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-50342 (GCVE-0-2024-50342)

    Vulnerability from cvelistv5 – Published: 2024-11-06 21:03 – Updated: 2024-11-07 15:26
    VLAI
    Title
    Internal address and port enumeration allowed by NoPrivateNetworkHttpClient in symfony/http-client
    Summary
    symfony/http-client is a module for the Symphony PHP framework which provides powerful methods to fetch HTTP resources synchronously or asynchronously. When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration. As of versions 5.4.46, 6.4.14, and 7.1.7 the `NoPrivateNetworkHttpClient` now filters blocked IPs earlier to prevent such leaks. All users are advised to upgrade. There are no known workarounds for this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    References
    Impacted products
    Vendor Product Version
    symfony symfony Affected: < 5.4.46
    Affected: >= 6.0.0, < 6.4.14
    Affected: >= 7.0.0, < 7.1.7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-50342",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-07T15:26:26.266702Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-07T15:26:33.540Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "symfony",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.4.46"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.4.14"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0, \u003c 7.1.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "symfony/http-client is a module for the Symphony PHP framework which provides powerful methods to fetch HTTP resources synchronously or asynchronously. When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration. As of versions 5.4.46, 6.4.14, and 7.1.7 the `NoPrivateNetworkHttpClient` now filters blocked IPs earlier to prevent such leaks. All users are advised to upgrade. There are no known workarounds for this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-06T21:03:12.331Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/symfony/security/advisories/GHSA-9c3x-r3wp-mgxm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/symfony/security/advisories/GHSA-9c3x-r3wp-mgxm"
            },
            {
              "name": "https://github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f5b",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f5b"
            }
          ],
          "source": {
            "advisory": "GHSA-9c3x-r3wp-mgxm",
            "discovery": "UNKNOWN"
          },
          "title": "Internal address and port enumeration allowed by NoPrivateNetworkHttpClient in symfony/http-client"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-50342",
        "datePublished": "2024-11-06T21:03:12.331Z",
        "dateReserved": "2024-10-22T17:54:40.955Z",
        "dateUpdated": "2024-11-07T15:26:33.540Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-50343 (GCVE-0-2024-50343)

    Vulnerability from cvelistv5 – Published: 2024-11-06 21:00 – Updated: 2025-11-03 19:31
    VLAI
    Title
    Incorrect response from Validator when input ends with `\n` in symfony/validator
    Summary
    symfony/validator is a module for the Symphony PHP framework which provides tools to validate values. It is possible to trick a `Validator` configured with a regular expression using the `$` metacharacters, with an input ending with `\n`. Symfony as of versions 5.4.43, 6.4.11, and 7.1.4 now uses the `D` regex modifier to match the entire input. Users are advised to upgrade. There are no known workarounds for this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    symfony symfony Affected: < 5.4.43
    Affected: >= 6.0.0, < 6.4.11
    Affected: >= 7.0.0, < 7.1.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-50343",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-07T15:25:47.383236Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-07T15:25:56.212Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-03T19:31:45.637Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00051.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "symfony",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.4.43"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.4.11"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0, \u003c 7.1.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "symfony/validator is a module for the Symphony PHP framework which provides tools to validate values. It is possible to trick a `Validator` configured with a regular expression using the `$` metacharacters, with an input ending with `\\n`. Symfony as of versions 5.4.43, 6.4.11, and 7.1.4 now uses the `D` regex modifier to match the entire input. Users are advised to upgrade. There are no known workarounds for this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-06T21:00:55.266Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/symfony/security/advisories/GHSA-g3rh-rrhp-jhh9",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/symfony/security/advisories/GHSA-g3rh-rrhp-jhh9"
            },
            {
              "name": "https://github.com/symfony/symfony/commit/7d1032bbead9a4229b32fa6ebca32681c80cb76f",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/commit/7d1032bbead9a4229b32fa6ebca32681c80cb76f"
            }
          ],
          "source": {
            "advisory": "GHSA-g3rh-rrhp-jhh9",
            "discovery": "UNKNOWN"
          },
          "title": "Incorrect response from Validator when input ends with `\\n` in symfony/validator"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-50343",
        "datePublished": "2024-11-06T21:00:55.266Z",
        "dateReserved": "2024-10-22T17:54:40.955Z",
        "dateUpdated": "2025-11-03T19:31:45.637Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-50345 (GCVE-0-2024-50345)

    Vulnerability from cvelistv5 – Published: 2024-11-06 20:56 – Updated: 2025-11-03 19:31
    VLAI
    Title
    Open redirect via browser-sanitized URLs in symfony/http-foundation
    Summary
    symfony/http-foundation is a module for the Symphony PHP framework which defines an object-oriented layer for the HTTP specification. The `Request` class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain. The `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/. This issue has been patched in versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
    Assigner
    Impacted products
    Vendor Product Version
    symfony symfony Affected: < 5.4.46
    Affected: >= 6.0.0, < 6.4.14
    Affected: >= 7.0.0, < 7.1.7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-50345",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-07T15:21:57.359493Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-07T15:22:48.319Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-03T19:31:47.017Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00051.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "symfony",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.4.46"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.4.14"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0, \u003c 7.1.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "symfony/http-foundation is a module for the Symphony PHP framework which defines an object-oriented layer for the HTTP specification. The `Request` class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain. The `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/. This issue has been patched in versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-06T20:56:21.062Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/symfony/security/advisories/GHSA-mrqx-rp3w-jpjp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/symfony/security/advisories/GHSA-mrqx-rp3w-jpjp"
            },
            {
              "name": "https://url.spec.whatwg.org",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://url.spec.whatwg.org"
            }
          ],
          "source": {
            "advisory": "GHSA-mrqx-rp3w-jpjp",
            "discovery": "UNKNOWN"
          },
          "title": "Open redirect via browser-sanitized URLs in symfony/http-foundation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-50345",
        "datePublished": "2024-11-06T20:56:21.062Z",
        "dateReserved": "2024-10-22T17:54:40.955Z",
        "dateUpdated": "2025-11-03T19:31:47.017Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CERTFR-2026-AVI-0653

    Vulnerability from certfr_avis - Published: 2026-05-27 - Updated: 2026-05-27

    De multiples vulnérabilités ont été découvertes dans Symfony. Certaines d'entre elles permettent à un attaquant de provoquer une falsification de requêtes côté serveur (SSRF), une injection de code indirecte à distance (XSS) et un contournement de la politique de sécurité.

    Solutions

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    Impacted products
    Vendor Product Description
    Symfony Symfony Symfony versions 8.0.x antérieures à 8.0.13
    Symfony Symfony Symfony versions 6.4.x antérieures à 6.4.41
    Symfony Symfony Symfony versions antérieures à 5.4.53
    Symfony Symfony Symfony versions 7.0.x antérieures à 7.4.13
    References

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "Symfony versions 8.0.x ant\u00e9rieures \u00e0 8.0.13",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "Symfony versions 6.4.x ant\u00e9rieures \u00e0 6.4.41",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "Symfony versions ant\u00e9rieures \u00e0 5.4.53",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "Symfony versions 7.0.x ant\u00e9rieures \u00e0 7.4.13",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": "",
      "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
      "cves": [
        {
          "name": "CVE-2026-48760",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-48760"
        },
        {
          "name": "CVE-2026-48761",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-48761"
        },
        {
          "name": "CVE-2026-48747",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-48747"
        },
        {
          "name": "CVE-2026-48784",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-48784"
        },
        {
          "name": "CVE-2026-48736",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-48736"
        },
        {
          "name": "CVE-2026-48489",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-48489"
        }
      ],
      "initial_release_date": "2026-05-27T00:00:00",
      "last_revision_date": "2026-05-27T00:00:00",
      "links": [],
      "reference": "CERTFR-2026-AVI-0653",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2026-05-27T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "Injection de code indirecte \u00e0 distance (XSS)"
        },
        {
          "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
        },
        {
          "description": "Falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF)"
        },
        {
          "description": "Contournement de la politique de s\u00e9curit\u00e9"
        }
      ],
      "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Symfony. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF), une injection de code indirecte \u00e0 distance (XSS) et un contournement de la politique de s\u00e9curit\u00e9.",
      "title": "Multiples vuln\u00e9rabilit\u00e9s dans Symfony",
      "vendor_advisories": [
        {
          "published_at": "2026-05-27",
          "title": "Bulletin de s\u00e9curit\u00e9 Symfony GHSA-h5x3-xfc9-m39h",
          "url": "https://github.com/symfony/symfony/security/advisories/GHSA-h5x3-xfc9-m39h"
        },
        {
          "published_at": "2026-05-27",
          "title": "Bulletin de s\u00e9curit\u00e9 Symfony GHSA-rrj9-5q2j-4gvr",
          "url": "https://github.com/symfony/symfony/security/advisories/GHSA-rrj9-5q2j-4gvr"
        },
        {
          "published_at": "2026-05-27",
          "title": "Bulletin de s\u00e9curit\u00e9 Symfony GHSA-6h46-9jf5-q59x",
          "url": "https://github.com/symfony/symfony/security/advisories/GHSA-6h46-9jf5-q59x"
        },
        {
          "published_at": "2026-05-27",
          "title": "Bulletin de s\u00e9curit\u00e9 Symfony GHSA-v3wm-qf9p-c549",
          "url": "https://github.com/symfony/symfony/security/advisories/GHSA-v3wm-qf9p-c549"
        },
        {
          "published_at": "2026-05-27",
          "title": "Bulletin de s\u00e9curit\u00e9 Symfony GHSA-x5qj-865h-mgvm",
          "url": "https://github.com/symfony/symfony/security/advisories/GHSA-x5qj-865h-mgvm"
        },
        {
          "published_at": "2026-05-27",
          "title": "Bulletin de s\u00e9curit\u00e9 Symfony GHSA-38cx-cq6f-5755",
          "url": "https://github.com/symfony/symfony/security/advisories/GHSA-38cx-cq6f-5755"
        }
      ]
    }

    CERTFR-2026-AVI-0617

    Vulnerability from certfr_avis - Published: 2026-05-20 - Updated: 2026-05-20

    De multiples vulnérabilités ont été découvertes dans Symfony. Certaines d'entre elles permettent à un attaquant de provoquer un déni de service à distance, une injection de code indirecte à distance (XSS) et une injection de requêtes illégitimes par rebond (CSRF).

    Solutions

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    Impacted products
    Vendor Product Description
    Symfony Symfony symfony/symfony versions antérieures à 8.0.12 pour composer
    Symfony Symfony symfony/symfony versions <5.4.x antérieures à 5.4.52 pour composer
    Symfony Symfony symfony/symfony versions antérieures à 7.4.12 pour composer
    Symfony Symfony symfony/mime versions <5.4.x antérieures à 5.4.52 pour composer
    Symfony Symfony symfony/yaml versions antérieures à 7.4.12 pour composer
    Symfony Symfony symfony/monolog-bridge versions antérieures à 7.4.12 pour composer
    Symfony Symfony symfony/twilio-notifier versions antérieures à 8.0.12 pour composer
    Symfony Symfony symfony/runtime versions antérieures à 7.4.12 pour composer
    Symfony Symfony symfony/yaml versions <5.4.x antérieures à 5.4.52 pour composer
    Symfony Symfony symfony/twilio-notifier versions antérieures à 6.4.40 pour composer
    Symfony Symfony symfony/yaml versions antérieures à 8.0.12 pour composer
    Symfony Symfony symfony/html-sanitizer versions antérieures à 6.4.40 pour composer
    Symfony Symfony symfony/html-sanitizer versions antérieures à 8.0.12 pour composer
    Symfony Symfony symfony/mime versions antérieures à 7.4.12 pour composer
    Symfony Symfony symfony/yaml versions antérieures à 6.4.40 pour composer
    Symfony Symfony symfony/mailtrap-mailer versions antérieures à 7.4.12 pour composer
    Symfony Symfony symfony/mailtrap-mailer versions antérieures à 8.0.12 pour composer
    Symfony Symfony symfony/monolog-bridge versions <5.4.x antérieures à 5.4.52 pour composer
    Symfony Symfony symfony/symfony versions antérieures à 6.4.40 pour composer
    Symfony Symfony symfony/lox24-notifier versions antérieures à 7.4.12 pour composer
    Symfony Symfony symfony/lox24-notifier versions antérieures à 8.0.12 pour composer
    Symfony Symfony symfony/mailjet-mailer versions antérieures à 6.4.40 pour composer
    Symfony Symfony symfony/json-path versions antérieures à 8.0.12 pour composer
    Symfony Symfony symfony/monolog-bridge versions antérieures à 6.4.40 pour composer
    Symfony Symfony symfony/twilio-notifier versions antérieures à 7.4.12 pour composer
    Symfony Symfony symfony/runtime versions antérieures à 5.4.52 pour composer
    Symfony Symfony symfony/mailjet-mailer versions antérieures à 8.0.12 pour composer
    Symfony Symfony symfony/runtime versions antérieures à 8.0.12 pour composer
    Symfony Symfony symfony/runtime versions antérieures à 6.4.40 pour composer
    Symfony Symfony symfony/symfony versions antérieures à 5.4.52 pour composer
    Symfony Symfony symfony/monolog-bridge versions antérieures à 8.0.12 pour composer
    Symfony Symfony symfony/mime versions antérieures à 6.4.40 pour composer
    Symfony Symfony symfony/mime versions antérieures à 8.0.12 pour composer
    Symfony Symfony symfony/html-sanitizer versions antérieures à 7.4.12 pour composer
    Symfony Symfony symfony/mailjet-mailer versions antérieures à 7.4.12 pour composer
    Symfony Symfony symfony/json-path versions antérieures à 7.4.12 pour composer

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "symfony/symfony versions ant\u00e9rieures \u00e0 8.0.12 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/symfony versions \u003c5.4.x ant\u00e9rieures \u00e0 5.4.52 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/symfony versions ant\u00e9rieures \u00e0 7.4.12 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/mime versions \u003c5.4.x ant\u00e9rieures \u00e0 5.4.52 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/yaml versions ant\u00e9rieures \u00e0 7.4.12 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/monolog-bridge versions ant\u00e9rieures \u00e0 7.4.12 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/twilio-notifier versions ant\u00e9rieures \u00e0 8.0.12 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/runtime versions ant\u00e9rieures \u00e0 7.4.12 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/yaml versions \u003c5.4.x ant\u00e9rieures \u00e0 5.4.52 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/twilio-notifier versions ant\u00e9rieures \u00e0 6.4.40 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/yaml versions ant\u00e9rieures \u00e0 8.0.12 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/html-sanitizer versions ant\u00e9rieures \u00e0 6.4.40 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/html-sanitizer versions ant\u00e9rieures \u00e0 8.0.12 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/mime versions ant\u00e9rieures \u00e0 7.4.12 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/yaml versions ant\u00e9rieures \u00e0 6.4.40 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/mailtrap-mailer versions ant\u00e9rieures \u00e0 7.4.12 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/mailtrap-mailer versions ant\u00e9rieures \u00e0 8.0.12 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/monolog-bridge versions \u003c5.4.x ant\u00e9rieures \u00e0 5.4.52 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/symfony versions ant\u00e9rieures \u00e0 6.4.40 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/lox24-notifier versions ant\u00e9rieures \u00e0 7.4.12 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/lox24-notifier versions ant\u00e9rieures \u00e0 8.0.12 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/mailjet-mailer versions ant\u00e9rieures \u00e0 6.4.40 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/json-path versions ant\u00e9rieures \u00e0 8.0.12 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/monolog-bridge versions ant\u00e9rieures \u00e0 6.4.40 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/twilio-notifier versions ant\u00e9rieures \u00e0 7.4.12 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/runtime versions ant\u00e9rieures \u00e0 5.4.52 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/mailjet-mailer versions ant\u00e9rieures \u00e0 8.0.12 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/runtime versions ant\u00e9rieures \u00e0 8.0.12 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/runtime versions ant\u00e9rieures \u00e0 6.4.40 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/symfony versions ant\u00e9rieures \u00e0 5.4.52 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/monolog-bridge versions ant\u00e9rieures \u00e0 8.0.12 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/mime versions ant\u00e9rieures \u00e0 6.4.40 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/mime versions ant\u00e9rieures \u00e0 8.0.12 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/html-sanitizer versions ant\u00e9rieures \u00e0 7.4.12 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/mailjet-mailer versions ant\u00e9rieures \u00e0 7.4.12 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "symfony/json-path versions ant\u00e9rieures \u00e0 7.4.12 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": "",
      "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
      "cves": [
        {
          "name": "CVE-2026-45304",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45304"
        },
        {
          "name": "CVE-2026-46626",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-46626"
        },
        {
          "name": "CVE-2026-45077",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45077"
        },
        {
          "name": "CVE-2026-45753",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45753"
        },
        {
          "name": "CVE-2026-45756",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45756"
        },
        {
          "name": "CVE-2026-45755",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45755"
        },
        {
          "name": "CVE-2026-45305",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45305"
        },
        {
          "name": "CVE-2026-45754",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45754"
        },
        {
          "name": "CVE-2026-45070",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45070"
        },
        {
          "name": "CVE-2026-47212",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-47212"
        }
      ],
      "initial_release_date": "2026-05-20T00:00:00",
      "last_revision_date": "2026-05-20T00:00:00",
      "links": [],
      "reference": "CERTFR-2026-AVI-0617",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2026-05-20T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "D\u00e9ni de service \u00e0 distance"
        },
        {
          "description": "Injection de code indirecte \u00e0 distance (XSS)"
        },
        {
          "description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
        },
        {
          "description": "Contournement de la politique de s\u00e9curit\u00e9"
        }
      ],
      "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Symfony. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance, une injection de code indirecte \u00e0 distance (XSS) et une injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF).",
      "title": "Multiples vuln\u00e9rabilit\u00e9s dans Symfony",
      "vendor_advisories": [
        {
          "published_at": "2026-05-20",
          "title": "Bulletin de s\u00e9curit\u00e9 Symfony GHSA-vqc8-7275-q272",
          "url": "https://github.com/symfony/symfony/security/advisories/GHSA-vqc8-7275-q272"
        },
        {
          "published_at": "2026-05-20",
          "title": "Bulletin de s\u00e9curit\u00e9 Symfony GHSA-64hg-93w9-fc35",
          "url": "https://github.com/symfony/symfony/security/advisories/GHSA-64hg-93w9-fc35"
        },
        {
          "published_at": "2026-05-20",
          "title": "Bulletin de s\u00e9curit\u00e9 Symfony GHSA-fqc7-9xjw-jrh3",
          "url": "https://github.com/symfony/symfony/security/advisories/GHSA-fqc7-9xjw-jrh3"
        },
        {
          "published_at": "2026-05-20",
          "title": "Bulletin de s\u00e9curit\u00e9 Symfony GHSA-9frc-8383-795m",
          "url": "https://github.com/symfony/symfony/security/advisories/GHSA-9frc-8383-795m"
        },
        {
          "published_at": "2026-05-20",
          "title": "Bulletin de s\u00e9curit\u00e9 Symfony GHSA-8v8v-g73j-492j",
          "url": "https://github.com/symfony/symfony/security/advisories/GHSA-8v8v-g73j-492j"
        },
        {
          "published_at": "2026-05-20",
          "title": "Bulletin de s\u00e9curit\u00e9 Symfony GHSA-59f3-vp2f-mp9w",
          "url": "https://github.com/symfony/symfony/security/advisories/GHSA-59f3-vp2f-mp9w"
        },
        {
          "published_at": "2026-05-20",
          "title": "Bulletin de s\u00e9curit\u00e9 Symfony GHSA-4qpc-3hr4-r2p4",
          "url": "https://github.com/symfony/symfony/security/advisories/GHSA-4qpc-3hr4-r2p4"
        },
        {
          "published_at": "2026-05-20",
          "title": "Bulletin de s\u00e9curit\u00e9 Symfony GHSA-hhg7-c65m-h7ff",
          "url": "https://github.com/symfony/symfony/security/advisories/GHSA-hhg7-c65m-h7ff"
        },
        {
          "published_at": "2026-05-20",
          "title": "Bulletin de s\u00e9curit\u00e9 Symfony GHSA-55rj-x2vc-4whq",
          "url": "https://github.com/symfony/symfony/security/advisories/GHSA-55rj-x2vc-4whq"
        },
        {
          "published_at": "2026-05-20",
          "title": "Bulletin de s\u00e9curit\u00e9 Symfony GHSA-m7v2-7gxm-vc2v",
          "url": "https://github.com/symfony/symfony/security/advisories/GHSA-m7v2-7gxm-vc2v"
        }
      ]
    }

    CERTFR-2026-AVI-0098

    Vulnerability from certfr_avis - Published: 2026-01-28 - Updated: 2026-01-28

    Une vulnérabilité a été découverte dans les produits Symfony. Elle permet à un attaquant de provoquer une atteinte à l'intégrité des données.

    Solutions

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    Impacted products
    Vendor Product Description
    Symfony Symfony Symphony versions antérieures à 5.4.51 pour Windows
    Symfony Symfony Symphony versions 7.4.x antérieures à 7.4.5 pour Windows
    Symfony Symfony Symphony versions 7.3.x antérieures à 7.3.11 pour Windows
    Symfony Symfony Symphony versions 8.0.x antérieures à 8.0.5 pour Windows
    Symfony Symfony Symphony versions 6.4.x antérieures à 6.4.33 pour Windows
    References

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "Symphony versions ant\u00e9rieures \u00e0 5.4.51 pour Windows",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "Symphony versions 7.4.x ant\u00e9rieures \u00e0 7.4.5 pour Windows",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "Symphony versions 7.3.x ant\u00e9rieures \u00e0 7.3.11 pour Windows",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "Symphony versions 8.0.x ant\u00e9rieures \u00e0 8.0.5 pour Windows",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "Symphony versions 6.4.x ant\u00e9rieures \u00e0 6.4.33 pour Windows",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": "",
      "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
      "cves": [
        {
          "name": "CVE-2026-24739",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-24739"
        }
      ],
      "initial_release_date": "2026-01-28T00:00:00",
      "last_revision_date": "2026-01-28T00:00:00",
      "links": [],
      "reference": "CERTFR-2026-AVI-0098",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2026-01-28T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
        }
      ],
      "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans les produits Symfony. Elle permet \u00e0 un attaquant de provoquer une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.",
      "title": "Vuln\u00e9rabilit\u00e9 dans les produits Symfony",
      "vendor_advisories": [
        {
          "published_at": "2026-01-28",
          "title": "Bulletin de s\u00e9curit\u00e9 Symfony GHSA-r39x-jcww-82v6",
          "url": "https://github.com/symfony/symfony/security/advisories/GHSA-r39x-jcww-82v6"
        }
      ]
    }

    CERTFR-2025-AVI-0999

    Vulnerability from certfr_avis - Published: 2025-11-13 - Updated: 2025-11-13

    Une vulnérabilité a été découverte dans les produits Symfony. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité.

    Solutions

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    Impacted products
    Vendor Product Description
    Symfony Symfony Symfony versions 7.x antérieures à 7.3.7 pour composer
    Symfony Symfony Symfony versions 6.x antérieures à 6.4.29 pour composer
    Symfony Symfony Symfony versions antérieures à 5.4.50 pour composer
    References

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "Symfony versions 7.x ant\u00e9rieures \u00e0 7.3.7 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "Symfony versions 6.x ant\u00e9rieures \u00e0 6.4.29 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "Symfony versions ant\u00e9rieures \u00e0 5.4.50 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": "",
      "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
      "cves": [
        {
          "name": "CVE-2025-64500",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-64500"
        }
      ],
      "initial_release_date": "2025-11-13T00:00:00",
      "last_revision_date": "2025-11-13T00:00:00",
      "links": [],
      "reference": "CERTFR-2025-AVI-0999",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2025-11-13T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "Contournement de la politique de s\u00e9curit\u00e9"
        }
      ],
      "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans les produits Symfony. Elle permet \u00e0 un attaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9.",
      "title": "Vuln\u00e9rabilit\u00e9 dans les produits Symfony",
      "vendor_advisories": [
        {
          "published_at": "2025-11-12",
          "title": "Bulletin de s\u00e9curit\u00e9 Symfony GHSA-3rg7-wf37-54rm",
          "url": "https://github.com/symfony/symfony/security/advisories/GHSA-3rg7-wf37-54rm"
        }
      ]
    }

    CERTFR-2024-AVI-0984

    Vulnerability from certfr_avis - Published: 2024-11-14 - Updated: 2024-11-14

    Une vulnérabilité a été découverte dans les produits Symfony. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité.

    Solutions

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    Impacted products
    Vendor Product Description
    Symfony Symfony Symfony versions 6.x antérieures à 6.4.15 pour composer
    Symfony Symfony Symfony versions 7.x antérieures à 7.1.8 pour composer
    Symfony Symfony Symfony versions 5.x antérieures à 5.4.47 pour composer
    References

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "Symfony versions 6.x ant\u00e9rieures \u00e0 6.4.15 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "Symfony versions 7.x ant\u00e9rieures \u00e0 7.1.8 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        },
        {
          "description": "Symfony versions 5.x ant\u00e9rieures \u00e0 5.4.47 pour composer",
          "product": {
            "name": "Symfony",
            "vendor": {
              "name": "Symfony",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": "",
      "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
      "cves": [
        {
          "name": "CVE-2024-51996",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-51996"
        }
      ],
      "initial_release_date": "2024-11-14T00:00:00",
      "last_revision_date": "2024-11-14T00:00:00",
      "links": [],
      "reference": "CERTFR-2024-AVI-0984",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2024-11-14T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "Contournement de la politique de s\u00e9curit\u00e9"
        }
      ],
      "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans les produits Symfony. Elle permet \u00e0 un attaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9.",
      "title": "Vuln\u00e9rabilit\u00e9 dans les produits Symfony",
      "vendor_advisories": [
        {
          "published_at": "2024-11-13",
          "title": "Bulletin de s\u00e9curit\u00e9 Symfony GHSA-cg23-qf8f-62rr",
          "url": "https://github.com/symfony/symfony/security/advisories/GHSA-cg23-qf8f-62rr"
        }
      ]
    }