Symfony has a UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection

Description Symfony routes can declare a requirements regex per path parameter, e.g. a route /locale/blog with requirements: locale: 'en|fr|de' . The Twig path / url helpers backed by UrlGenerator validate supplied parameter values against that regex before building the URL. UrlGenerator construc...

Malicious code in paypal-url-generator (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware eee5e504dfd1a8b2c6e07c8e238a743be5b370d288b12b38eb37e16d82051ae9 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2025-2890 Malicious code in paypal-url-generator (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware eee5e504dfd1a8b2c6e07c8e238a743be5b370d288b12b38eb37e16d82051ae9 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in signup-ui-url-generator (npm)

--- -= Per source details. Do not edit below this line.=-...

CVE-2026-48784: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../` or `./` → Generated URL Collapses Off-Route Under RFC 3986 Normalization

More info at https://symfony.com/cve-2026-48784...