Lucene search
K

171 matches found

NVD
NVD
added 2 days ago4 views

CVE-2026-48747

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 7.4.13 and 8.0.13, MailomatRequestParser::validateSignature parsed X-MOM-Webhook-Signature as algo=signature and passed the request-selected algorithm to hashhmac, allowing a signature...

6.3CVSS0.00237EPSS
Exploits0References4
NVD
NVD
added 2 days ago4 views

CVE-2026-48489

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.53, 6.4.41, 7.4.13, and 8.0.13, DefaultAuthenticationFailureHandler honored the request-supplied failurepath parameter when failureforward: true was enabled, allowing an unauthenticated...

8.7CVSS0.00487EPSS
Exploits0References5
NVD
NVD
added 2 days ago4 views

CVE-2026-48736

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 5.4.0 to 5.4.53, 6.4.41, 7.4.13, and 8.0.13, NoPrivateNetworkHttpClient and IpUtils::PRIVATESUBNETS omitted IPv6 transition prefixes such as 6to4, NAT64, Teredo, and IPv4-compatible IPv6, allowi...

6.9CVSS0.00457EPSS
Exploits0References6
NVD
NVD
added 2 days ago4 views

CVE-2026-45754

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 6.4.40, 7.4.12, and 8.0.12, the Mailjet mailer bridge and LOX24 notifier bridge webhook parsers received configured webhook secrets but did not verify them, allowing unauthenticated POST...

6.9CVSS0.00458EPSS
Exploits0References6
NVD
NVD
added 2 days ago4 views

CVE-2026-45305

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, Symfony\Component\Yaml\Parser::cleanup used regular expressions with overlapping quantifiers for YAML directive, comment, and document marker cleanup,...

8.7CVSS0.00663EPSS
Exploits0References6
NVD
NVD
added 2 days ago4 views

CVE-2026-45755

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 7.4.12 and 8.0.12, MailtrapRequestParser::doParse received the configured webhook secret but ignored the X-Mt-Signature HMAC header, allowing unauthenticated POST requests to inject forged...

6.9CVSS0.00303EPSS
Exploits0References4
NVD
NVD
added 2 days ago4 views

CVE-2026-45073

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, PdoAdapter::doClear builds a DELETE statement using a namespace derived from the caller-supplied $prefix without binding or escaping it, allowing a caller...

7.3CVSS0.00536EPSS
Exploits0References6
NVD
NVD
added 2 days ago4 views

CVE-2026-45075

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 7.4.12 and 8.0.12, method-scoped IsGranted, IsSignatureValid, and IsCsrfTokenValid attributes can be configured for GET only, but Symfony routes HEAD requests to the GET handler while the...

8.3CVSS0.00511EPSS
Exploits0References3
NVD
NVD
added 2 days ago4 views

CVE-2026-45064

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, UrlSanitizer::parse passes Unicode explicit-direction BiDi formatting characters through into sanitized href and src attributes, allowing sanitized...

6.1CVSS0.00466EPSS
Exploits0References5
CVE
CVE
added 2 days ago20 views

CVE-2026-48747

Summary: CVE-2026-48747 affects Symfony’s Mailomat webhook parser. The MailomatRequestParser::validateSignature() method reads the X-MOM-Webhook-Signature header and passes the wire-provided algorithm directly to hash_hmac(), enabling a signature algorithm downgrade instead of enforcing SHA-256 a...

6.3CVSS6.1AI score0.00237EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2 days ago27 views

CVE-2026-45305

Summary of CVE-2026-45305 (Symfony YAML Parser ReDoS) Symfony’s YAML handling (Symfony\Component\Yaml\Parser::cleanup) can hang parsing crafted input due to the use of overlapping quantifiers in regular expressions for YAML directive, comment, and document marker cleanup. This is a client-side pa...

8.7CVSS6.1AI score0.00663EPSS
Exploits0References6Affected Software1
CVE
CVE
added 2 days ago42 views

CVE-2026-45069

CVE-2026-45069 concerns Symfony’s OidcTokenHandler, where verifyClaims() registered aud/iss/exp checkers but did not pass the mandatory claims list to ClaimCheckerManager::check(). Consequently, a validly signed JWT missing these claims could pass verification. The issue is fixed in Symfony relea...

9.1CVSS6.1AI score0.00242EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2 days ago24 views

CVE-2026-45753

Symfony HtmlSanitizer UrlAttributeSanitizer omits action, formaction, poster, and cite URL-valued attributes, allowing javascript: URIs to bypass sanitization and enable XSS when forms or buttons are used. Affected: Symfony components prior to versions 6.4.40, 7.4.12, and 8.0.12. Mitigation: upgr...

6.1CVSS6.1AI score0.00482EPSS
Exploits0References5Affected Software1
NVD
NVD
added 2 days ago3 views

CVE-2026-45074

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 7.1.0 until 7.4.12 and 8.0.12, Cas2Handler builds the CAS service parameter from Request::getSchemeAndHttpHost, which reflects an attacker-controlled Host header when framework.trustedhosts is n...

8.1CVSS0.00468EPSS
Exploits0References4
Snyk
Snyk
added 2026/06/09 9:58 p.m.4 views

Interpretation Conflict

Overview symfony/symfony is a PHP framework for web applications and a set of reusable PHP components. Affected versions of this package are vulnerable to Interpretation Conflict via the SymfonyRuntime::getInput process. An attacker can modify environment variables and enable debug mode by sendin...

9.8CVSS5.8AI score0.00328EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/06/02 12:0 a.m.12 views

Debian dsa-6317 : php-symfony - security update

The remote Debian 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6317 advisory. - ------------------------------------------------------------------------- Debian Security Advisory DSA-6317-1 [email protected] https://www.debian.org/securit...

9.1CVSS6.2AI score0.63422EPSS
Exploits0References32
Debian
Debian
added 2026/05/31 12:26 p.m.14 views

[SECURITY] [DSA 6312-1] symfony security update

------------------------------------------------------------------------- Debian Security Advisory DSA-6312-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff May 31, 2026 https://www.debian.org/security/faq -...

7.3CVSS7.4AI score0.63422EPSS
Exploits0
Snyk
Snyk
added 2026/05/27 9:41 a.m.11 views

Server-side Request Forgery (SSRF)

Overview symfony/symfony is a PHP framework for web applications and a set of reusable PHP components. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF. The NoPrivateNetworkHttpClient is designed to be a security boundary that blocks requests to private/interna...

8.8CVSS5.8AI score0.00457EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/27 9:41 a.m.24 views

Authentication Bypass Using an Alternate Path or Channel

Overview symfony/symfony is a PHP framework for web applications and a set of reusable PHP components. Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via failureforward Subrequest. An attacker could manipulate the failurepath parameter...

8.7CVSS5.8AI score0.00487EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/27 9:41 a.m.10 views

Improper Verification of Cryptographic Signature

Overview symfony/symfony is a PHP framework for web applications and a set of reusable PHP components. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the webhook request parser. The validateSignature method extracts the...

9.1CVSS5.8AI score0.00237EPSS
Exploits0References2
Rows per page
Query Builder