335 matches found
CVE-2024-50340 Ability to change environment from query in symfony/runtime
symfony/runtime is a module for the Symfony PHP framework which enables decoupling PHP applications from global state. When the register_argv_argc PHP directive is set to on, and users call any URL with a specially crafted query string, they are able to change the environment or debug mode used by...
CVE-2024-51996 Symfony has an Authentication Bypass via RememberMe
Symfony Process is a module for the Symfony PHP framework which executes commands in sub-processes. When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached to the cookie, leading to authentication bypass. Th...
CVE-2025-24013
CodeIgniter (PHP full-stack framework) has a header validation issue prior to version 4.5.8 in the Header class, allowing construction of deliberately malformed HTTP headers. This could disrupt application functionality and potentially produce invalid HTTP requests; in some cases, remote service ...
CVE-2024-53277 Cross-site Scripting in form messages in silverstripe framework
Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. In some cases, form messages can contain HTML markup. This is an intentional feature, allowing links and other relevant HTML markup for the given message. Some form messages include content that the user can provide. The...
CVE-2024-51996
CVE-2024-51996 affects Symfony’s security-http implementation. When a persisted remember-me cookie is used, Symfony does not validate the cookie’s username against the database, allowing an authentication bypass. The issue is fixed in Symfony versions 5.4.47, 6.4.15, and 7.1.8. Public details des...
CVE-2024-51736
Symfony Process is a module for the Symfony PHP framework which executes commands in sub-processes. On Windows, when an executable file named cmd.exe is located in the current working directory, it will be called by the Process class when preparing command arguments, leading to possible hijackin...
CVE-2024-50341
CVE-2024-50341 affects Symfony’s security-bundle. The custom user_checker on a firewall wasn’t invoked when logging in programmatically via Security::login, enabling unwanted logins. The issue is addressed in Symfony/security-bundle upgrades: versions 6.4.10, 7.0.10 and 7.1.3 now call the configu...
CVE-2024-50342
CVE-2024-50342 concerns Symfony’s http-client NoPrivateNetworkHttpClient leaking host resolution information, enabling possible IP/port enumeration. Affected versions before the fix include 5.4.46, 6.4.14, and 7.1.7. The underlying issue was mitigated by updating NoPrivateNetworkHttpClient to fil...
CVE-2024-50342 Internal address and port enumeration allowed by NoPrivateNetworkHttpClient in symfony/http-client
symfony/http-client is a module for the Symfony PHP framework which provides powerful methods to fetch HTTP resources synchronously or asynchronously. When using the NoPrivateNetworkHttpClient, some internal information is still leaking during host resolution, which leads to possible IP/port...
CVE-2024-50343 Incorrect response from Validator when input ends with `\n` in symfony/validator
symfony/validator is a module for the Symfony PHP framework which provides tools to validate values. It is possible to trick a Validator configured with a regular expression using the $ metacharacter with an input ending with \n. Symfony as of versions 5.4.43, 6.4.11, and 7.1.4 now uses the D...
CVE-2024-50343
CVE-2024-50343 affects the Symfony PHP framework’s validator component (symfony/validator). An input ending with a newline could bypass validation when using regular expressions configured with the $ metacharacter; Symfony versions 5.4.43, 6.4.11, and 7.1.4 now apply the D modifier to ensure the ...
CVE-2024-50345 Open redirect via browser-sanitized URLs in symfony/http-foundation
symfony/http-foundation is a module for the Symfony PHP framework which defines an object-oriented layer for the HTTP specification. The Request class does not parse URIs with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the Request class...