4 matches found
CVE-2026-48489
CVE-2026-48489 (Symfony) : A logic flaw in the DefaultAuthenticationFailureHandler with failure_forward enabled allowed an unauthenticated login failure to dispatch a subrequest to access_control-protected GET routes, bypassing firewall listeners. This affected Symfony versions prior to 5.4.53, 6...
GHSA-6H46-9JF5-Q59X Symfony: Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET Routes
Description When a firewall is configured with form-login or any authenticator using DefaultAuthenticationFailureHandler and the failureforward: true option, the handler reads the failurepath parameter from the failing login request and uses it as the path of an internal subrequest dispatched...
Authentication Bypass Using an Alternate Path or Channel
Overview symfony/symfony is a PHP framework for web applications and a set of reusable PHP components. Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via failureforward Subrequest. An attacker could manipulate the failurepath parameter...
CVE-2026-48489: Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET Routes
More info at https://symfony.com/cve-2026-48489...