
153 matches found

Tenable Nessus
added yesterday, 2 views

Debian dsa-6317 : php-symfony - security update

The remote Debian 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6317 advisory. Debian Security Advisory DSA-6317-1 [email protected] https://www.debian.org/securit...

CVSS 7.3, AI score 6.2, EPSS 0.88664
Exploits: 0, References: 32

Debian
added 3 days ago, 7 views

[SECURITY] [DSA 6312-1] symfony security update

Debian Security Advisory DSA-6312-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff May 31, 2026 https://www.debian.org/security/faq -...

CVSS 7.3, AI score 7.4, EPSS 0.88664
Exploits: 0

Snyk
added 2026/05/27 9:41 a.m., 5 views

Server-side Request Forgery (SSRF)

Overview symfony/symfony is a PHP framework for web applications and a set of reusable PHP components. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF). The NoPrivateNetworkHttpClient is designed to be a security boundary that blocks requests to private/interna...

CVSS 8.8, AI score 5.8
Exploits: 0, References: 2

Snyk
added 2026/05/27 9:41 a.m., 7 views

Authentication Bypass Using an Alternate Path or Channel

Overview symfony/symfony is a PHP framework for web applications and a set of reusable PHP components. Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via failureforward Subrequest. An attacker could manipulate the failurepath parameter...

CVSS 6.9, AI score 5.8
Exploits: 0, References: 2

Snyk
added 2026/05/27 9:41 a.m., 4 views

Improper Verification of Cryptographic Signature

Overview symfony/symfony is a PHP framework for web applications and a set of reusable PHP components. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the webhook request parser. The validateSignature method extracts the...

CVSS 9.1, AI score 5.8
Exploits: 0, References: 2

Snyk
added 2026/05/27 9:41 a.m., 5 views

Improper Encoding or Escaping of Output

Overview symfony/symfony is a PHP framework for web applications and a set of reusable PHP components. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the HtmlSanitizer component that fails to properly detect and strip percent-encoded BiDi...

CVSS 5.3, AI score 5.8
Exploits: 0, References: 2

Snyk
added 2026/05/20 3:35 p.m., 4 views

Regular Expression Denial of Service (ReDoS)

Overview Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the Parser::cleanup function. Symfony\Component\Yaml\Parser::cleanup strips the optional %YAML directive header, leading comments, and document start/end markers before parsing. The origina...

CVSS 6.9, AI score 5.8
Exploits: 0, References: 2

Snyk
added 2026/05/20 3:35 p.m., 5 views

Cross-site Scripting (XSS)

Overview symfony/symfony is a PHP framework for web applications and a set of reusable PHP components. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the CodeExtension::fileExcerpt function in WebProfiler. An attacker can execute arbitrary JavaScript code in the...

CVSS 5.4, AI score 5.8
Exploits: 0, References: 2

Snyk
added 2026/05/20 3:35 p.m., 6 views

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Overview Affected versions of this package are vulnerable to Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') via Recursive Collection-Alias Expansion "Billion Laughs". Symfony\Component\Yaml\Parser resolves YAML aliases anchor during parsing. Aliases that...

CVSS 6.9, AI score 5.8
Exploits: 0, References: 2

Friends Of PHP
added 2026/05/20 8:0 a.m., 4 views

CVE-2026-45075: HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid]

More info at https://symfony.com/cve-2026-45075...

AI score 5.8
Exploits: 0, Affected Software: 1

CNNVD
added 2026/01/28 12:0 a.m., 1 views

Symfony parameter injection vulnerability

Symfony is a PHP framework developed by Symfony Inc. for web and console applications, along with a set of reusable PHP components. Symfony has a parameter injection vulnerability, which arises from the Process component improperly handling special characters when escaping parameters on Windows,...

CVSS 6.3, AI score 5.8, EPSS 0.00012
Exploits: 1, References: 5

CVE
added 2025/11/12 9:40 p.m., 524 views

CVE-2025-64500

Affected component: Symfony HttpFoundation (Symfony PHP framework). Vulnerability: The Request class improperly interprets some PATH_INFO, allowing representation of URLs without a leading slash and potentially bypassing access-control rules that assume a leading “/”. Versions and root cause: Pri...

CVSS 7.3, AI score 6.1, EPSS 0.06307
Exploits: 0, References: 5, Affected Software: 2

Debian CVE
added 2025/11/12 9:40 p.m., 5 views

CVE-2025-64500

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the Request class improperly...

CVSS 7.3, AI score 7.3, EPSS 0.06307
Exploits: 0

Cvelist
added 2025/11/12 9:40 p.m., 9 views

CVE-2025-64500 Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the Request class improperly...

CVSS 7.3, EPSS 0.06307
Exploits: 0, References: 5

Positive Technologies
added 2025/11/12 12:0 a.m., 2 views

PT-2025-46712

Name of the Vulnerable Software and Affected Versions: Symfony versions 2.0.0 through 5.4.49; Symfony versions 6.0.0 through 6.4.28; Symfony versions 7.0.0 through 7.3.6. Description: Symfony’s HttpFoundation component’s Request class incorrectly parses the PATH_INFO value. This can result in URLs bei...

CVSS 7.5, AI score 6.6, EPSS 0.06307
Exploits: 0, References: 38

EUVD
added 2025/10/07 12:30 a.m., 4 views

EUVD-2021-0960

Malware in sbrugna...

CVSS 5.3, AI score 5.2, EPSS 0.00337
Exploits: 1, References: 26

EUVD
added 2025/10/07 12:30 a.m., 0 views

EUVD-2021-2597

Malware in sbrugna...

CVSS 8.8, AI score 8.7, EPSS 0.04292
Exploits: 0, References: 5

EUVD
added 2025/10/07 12:30 a.m., 1 views

EUVD-2021-1467

Malware in sbrugna...

CVSS 8.4, AI score 6.1, EPSS 0.0036
Exploits: 0, References: 4

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2021-2208

Malware in sbrugna...

CVSS 6.2, AI score 5.7, EPSS 0.00286
Exploits: 0, References: 5

EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2021-2280

Malware in sbrugna...

CVSS 6.5, AI score 6.3, EPSS 0.00871
Exploits: 0, References: 17