Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on Windows

🗓️ 28 Jan 2026 21:28:10Reported by GitHub Advisory DatabaseType

Symfony Process on Windows with MSYS2 can misescape arguments like =, risking destructive file operations.

Reporter	Title	Published	Views	Family All 20
ATTACKERKB	CVE-2026-24739	28 Jan 202620:25	–	attackerkb
Chainguard	CVE-2026-24739 vulnerabilities	17 Feb 202619:17	–	cgr
Circl	CVE-2026-24739	28 Jan 202611:10	–	circl
CNNVD	Symfony parameter injection vulnerability	28 Jan 202600:00	–	cnnvd
CVE	CVE-2026-24739	28 Jan 202620:25	–	cve
Cvelist	CVE-2026-24739 Symfony has incorrect argument escaping under MSYS2/Git Bash on Windows that can lead to destructive file operations	28 Jan 202620:25	–	cvelist
Debian CVE	CVE-2026-24739	28 Jan 202620:25	–	debiancve
EUVD	EUVD-2026-4873	28 Jan 202620:25	–	euvd
NVD	CVE-2026-24739	28 Jan 202621:16	–	nvd
OSV	CGA-5WM9-Q22J-WRJ8	16 Feb 202610:16	–	osv

Vulners

Node

symfony symfonyRange8.0–8.0.5composer

symfony symfonyRange7.4–7.4.5composer

symfony symfonyRange7.3–7.3.11composer

symfony symfonyRange6.4–6.4.33composer

symfony symfonyRange<5.4.51composer

symfony symfony_processRange8.0–8.0.5composer

symfony symfony_processRange7.4–7.4.5composer

symfony symfony_processRange7.3–7.3.11composer

symfony symfony_processRange6.4–6.4.33composer

Source	Link
github	www.github.com/symfony/symfony/security/advisories/GHSA-r39x-jcww-82v6
github	www.github.com/symfony/symfony/issues/62921
github	www.github.com/symfony/symfony/pull/63164
github	www.github.com/symfony/symfony/commit/35203939050e5abd3caf2202113b00cab5d379b3
github	www.github.com/symfony/symfony/commit/ec154f6f95f8c60f831998ec4d246a857e9d179b
nvd	www.nvd.nist.gov/vuln/detail/CVE-2026-24739
github	www.github.com/advisories/GHSA-r39x-jcww-82v6

29 Jan 2026 03:50Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.16.3

EPSS0.00012

SSVC