| CVE-2016-2403 |
critical |
9.8 |
9.8 |
|
|
|
9y ago |
Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. |
| CVE-2026-45063 |
high |
— |
8.0 |
|
|
|
15d ago |
Symfony Vulnerable to Identity Spoofing via Unanchored DN Regex in X509Authenticator |
| CVE-2026-45067 |
high |
— |
8.0 |
|
|
|
15d ago |
Symfony has Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address |
| CVE-2026-45077 |
high |
— |
8.0 |
|
|
|
15d ago |
Symfony has Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener |
| CVE-2016-4423 |
high |
7.5 |
7.5 |
|
|
|
10y ago |
The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x befo… |
| CVE-2016-1902 |
high |
7.5 |
7.5 |
|
|
|
10y ago |
The nextBytes function in the SecureRandom class in Symfony before 2.3.37, 2.6.x before 2.6.13, and 2.7.x before 2.7.9 does not properly generate random numbers when used with PHP 5.x without the par… |
| CVE-2015-8125 |
high |
— |
7.5 |
|
|
|
11y ago |
Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) Symfony/Component/Security/Http/… |
| CVE-2013-1397 |
high |
— |
7.5 |
|
|
|
12y ago |
Symfony Arbitrary PHP code Execution |
| CVE-2013-1348 |
high |
— |
7.5 |
|
|
|
12y ago |
Symphony Vulnerable to PHP Code Injection via YAML Parsing |
| CVE-2015-8124 |
medium |
— |
6.8 |
|
|
|
11y ago |
Session fixation vulnerability in the "Remember Me" login feature in Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 allows remote attackers to hijack web sessions via a sess… |
| CVE-2015-2308 |
medium |
— |
6.8 |
|
|
|
11y ago |
Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x before 2.3.27, 2.4.x and 2.5.x before 2.5.11, and 2.6.x before 2.6.6 allows remote attackers to execute arbitrary PHP … |
| CVE-2012-6432 |
medium |
— |
6.8 |
|
|
|
14y ago |
Symfony Access Control Vulnerability |
| CVE-2012-6431 |
medium |
— |
6.4 |
|
|
|
14y ago |
Symfony Allows URI Restrictions Bypass Via Double-Encoded String |
| CVE-2026-45075 |
medium |
— |
5.5 |
|
|
|
15d ago |
Synfony's HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid] |
| CVE-2026-45070 |
medium |
— |
5.5 |
|
|
|
15d ago |
Symfony has Email Header Injection via Non-Token Characters in Mime Parameter Names |
| CVE-2026-45073 |
medium |
— |
5.5 |
|
|
|
15d ago |
Symfony Vulnerable to SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix |
| CVE-2026-45074 |
medium |
— |
5.5 |
|
|
|
15d ago |
Symfony's Cas2Handler Derives CAS service URL from Client Host Header → Cross-Service Ticket Replay |
| CVE-2026-45065 |
medium |
— |
5.5 |
|
|
|
15d ago |
Symfony has a UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection |
| CVE-2026-45066 |
medium |
— |
5.5 |
|
|
|
15d ago |
Symfony has an HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and <area> Misclassification |
| CVE-2026-45064 |
medium |
— |
5.5 |
|
|
|
15d ago |
Symfony's HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing |
| CVE-2026-45068 |
medium |
— |
5.5 |
|
|
|
15d ago |
Symfony has an Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address |
| CVE-2026-45069 |
medium |
— |
5.5 |
|
|
|
15d ago |
Symfony's OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims |
| CVE-2018-14773 |
medium |
— |
5.5 |
|
|
|
4y ago |
An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises … |
| CVE-2013-5958 |
medium |
— |
5.0 |
|
|
|
12y ago |
The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote attackers to cause a denial of service (CPU consumption) via a lon… |
| CVE-2015-4050 |
medium |
— |
4.3 |
|
|
|
11y ago |
FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if … |
| CVE-2026-45071 |
low |
— |
2.5 |
|
|
|
15d ago |
Symfony has XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true |
| CVE-2026-45305 |
low |
— |
2.5 |
|
|
|
15d ago |
Symfony's YAML Parser has a ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex |
| CVE-2026-45304 |
low |
— |
2.5 |
|
|
|
15d ago |
Symfony's YAML Parser Vulnerable to Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs") |
| CVE-2026-45133 |
low |
— |
2.5 |
|
|
|
15d ago |
Symfony hardened the parser when handling untrusted input |
| CVE-2026-45072 |
low |
— |
2.5 |
|
|
|
15d ago |
Symfony Vulnerable to stored XSS in WebProfiler CodeExtension::fileExcerpt() — Unescaped Non-PHP File Rendering |
| CVE-2026-48784 |
unknown |
— |
— |
|
|
|
9d ago |
CVE-2026-48784: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../` or `./` → Generated URL Collapses Off-Route Under RFC 3986 Normalization |
| CVE-2026-48747 |
unknown |
— |
— |
|
|
|
9d ago |
CVE-2026-48747: Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade |
| CVE-2026-48760 |
unknown |
— |
— |
|
|
|
9d ago |
CVE-2026-48760: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense |
| CVE-2026-48761 |
unknown |
— |
— |
|
|
|
9d ago |
CVE-2026-48761: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes on <object>, <applet>, <iframe>, <img> and the URL Inside <meta http-equiv="refresh"> content |
| CVE-2026-48489 |
unknown |
— |
— |
|
|
|
9d ago |
CVE-2026-48489: Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET Routes |
| CVE-2026-48736 |
unknown |
— |
— |
|
|
|
9d ago |
CVE-2026-48736: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient |
| CVE-2026-45754 |
unknown |
— |
— |
|
|
|
15d ago |
Symfony's Mailjet Mailer Webhook Parser Never Verifies the Configured Secret — Unauthenticated Webhook Event Injection |
| CVE-2026-45755 |
unknown |
— |
— |
|
|
|
15d ago |
Symfony's Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC — Unauthenticated Webhook Event Injection |
| CVE-2026-45756 |
unknown |
— |
— |
|
|
|
15d ago |
Symfony's JsonPath Evaluates Attacker-Controlled Regular Expressions in match()/search() Without Limits — ReDoS |
| CVE-2026-47212 |
unknown |
— |
— |
|
|
|
15d ago |
Symfony: Twilio SMS Notifier allows unauthenticated webhook injection due to missing X-Twilio-Signature verification |
| CVE-2026-45753 |
unknown |
— |
— |
|
|
|
15d ago |
Symfony's HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — `javascript`: URI Survives Sanitization (XSS) |
| CVE-2026-46626 |
unknown |
— |
— |
|
|
|
15d ago |
CVE-2026-46626: SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV/APP_DEBUG via parse_str/SAPI Argv Mismatch |
| CVE-2026-24739 |
unknown |
— |
— |
|
|
|
4mo ago |
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5, the Symfony Process component did not cor… |
| CVE-2025-64500 |
unknown |
— |
— |
|
|
|
7mo ago |
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Start… |
| CVE-2024-51736 |
unknown |
— |
— |
|
|
|
2y ago |
Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. On Windows, when an executable file named `cmd.exe` is located in the current working directory i… |
| CVE-2024-50343 |
unknown |
— |
— |
|
|
|
2y ago |
symfony/validator is a module for the Symphony PHP framework which provides tools to validate values. It is possible to trick a `Validator` configured with a regular expression using the `$` metachar… |
| CVE-2024-50342 |
unknown |
— |
— |
|
|
|
2y ago |
symfony/http-client is a module for the Symphony PHP framework which provides powerful methods to fetch HTTP resources synchronously or asynchronously. When using the `NoPrivateNetworkHttpClient`, so… |
| CVE-2024-50341 |
unknown |
— |
— |
|
|
|
2y ago |
symfony/security-bundle is a module for the Symphony PHP framework which provides a tight integration of the Security component into the Symfony full-stack framework. The custom `user_checker` define… |
| CVE-2024-50340 |
unknown |
— |
— |
|
|
|
2y ago |
symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the `register_argv_argc` php directive is set to `on` , and users call any… |
| CVE-2014-6072 |
unknown |
— |
— |
|
|
|
2y ago |
Symfony Cross-Site Request Forgery vulnerability in the Web Profiler |
| CVE-2014-5245 |
unknown |
— |
— |
|
|
|
2y ago |
Symfony allows direct access of ESI URLs behind a trusted proxy |
| CVE-2015-2309 |
unknown |
— |
— |
|
|
|
2y ago |
Symfony has unsafe methods in the Request class |
| CVE-2014-6061 |
unknown |
— |
— |
|
|
|
2y ago |
Symfony has a security issue when parsing the Authorization header |
| CVE-2014-5244 |
unknown |
— |
— |
|
|
|
2y ago |
Symfony vulnerable to denial of service via a malicious HTTP Host header |
| CVE-2014-4931 |
unknown |
— |
— |
|
|
|
2y ago |
Code injection in the way Symfony implements translation caching in FrameworkBundle |
| CVE-2023-46735 |
unknown |
— |
— |
|
|
|
3y ago |
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in version 6.0.0 and prior to version 6.3.8, the error message in `WebhookController` return… |
| CVE-2023-46734 |
unknown |
— |
— |
|
|
|
3y ago |
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Tw… |
| CVE-2023-46733 |
unknown |
— |
— |
|
|
|
3y ago |
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 5.4.21 and 6.2.7 and prior to versions 5.4.31 and 6.3.8, `SessionStrategyListene… |
| CVE-2022-24894 |
unknown |
— |
— |
|
|
|
3y ago |
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system, acts as a reverse proxy: It caches entire responses (including headers… |
| CVE-2022-24895 |
unknown |
— |
— |
|
|
|
3y ago |
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the… |
| CVE-2017-11365 |
unknown |
— |
— |
|
|
|
4y ago |
Certain Symfony products are affected by: Incorrect Access Control. This affects Symfony 2.7.30 and Symfony 2.8.23 and Symfony 3.2.10 and Symfony 3.3.3. The type of exploitation is: remote. The compo… |
| CVE-2018-11407 |
unknown |
— |
— |
|
|
|
4y ago |
An issue was discovered in the Ldap component in Symfony 2.8.x before 2.8.37, 3.3.x before 3.3.17, 3.4.x before 3.4.7, and 4.0.x before 4.0.7. It allows remote attackers to bypass authentication by l… |
| CVE-2017-16790 |
unknown |
— |
— |
|
|
|
4y ago |
An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. When a form is submitted by the user, the request handler classes of the Form component merge POST … |
| CVE-2018-14774 |
unknown |
— |
— |
|
|
|
4y ago |
An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. When using Http… |
| CVE-2018-11385 |
unknown |
— |
— |
|
|
|
4y ago |
An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. A session fixation vulnerabil… |
| CVE-2017-16652 |
unknown |
— |
— |
|
|
|
4y ago |
An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler t… |
| CVE-2017-16654 |
unknown |
— |
— |
|
|
|
4y ago |
An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The Intl component includes various bundle readers that are used to read resource bundles from the … |
| CVE-2018-11408 |
unknown |
— |
— |
|
|
|
4y ago |
The security handlers in the Security component in Symfony in 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11 have an Open redirect vulnera… |
| CVE-2018-11386 |
unknown |
— |
— |
|
|
|
4y ago |
An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler c… |
| CVE-2018-11406 |
unknown |
— |
— |
|
|
|
4y ago |
An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session … |
| CVE-2018-19790 |
unknown |
— |
— |
|
|
|
4y ago |
An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_f… |
| CVE-2018-19789 |
unknown |
— |
— |
|
|
|
4y ago |
An issue was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9, and 4.2.x before 4.2.1. When using the scalar type hint `strin… |
| CVE-2017-16653 |
unknown |
— |
— |
|
|
|
4y ago |
An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The current implementation of CSRF protection in Symfony (Version >=2) does not use different token… |
| CVE-2013-4752 |
unknown |
— |
— |
|
|
|
4y ago |
Symfony Host Header Injection vulnerability in the HttpFoundation component |
| CVE-2013-4751 |
unknown |
— |
— |
|
|
|
4y ago |
Symfony collectionCascaded and collectionCascadedDeeply fields security bypass |
| CVE-2019-18887 |
unknown |
— |
— |
|
|
|
4y ago |
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/h… |
| CVE-2021-41270 |
unknown |
— |
— |
|
|
|
5y ago |
Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 bef… |
| CVE-2021-41268 |
unknown |
— |
— |
|
|
|
5y ago |
Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie in version… |
| CVE-2021-41267 |
unknown |
— |
— |
|
|
|
5y ago |
Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the "trusted_headers"… |
| CVE-2021-32693 |
unknown |
— |
— |
|
|
|
5y ago |
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. A vulnerability related to firewall authentication is in Symfony starting with version 5.3.0 and prio… |
| CVE-2021-21424 |
unknown |
— |
— |
|
|
|
5y ago |
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling de… |
| CVE-2020-15094 |
unknown |
— |
— |
|
|
|
6y ago |
In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X… |
| CVE-2020-5275 |
unknown |
— |
— |
|
|
|
6y ago |
In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks access control rule, it iterate overs each rule's attributes and stops as soon as the accessDecisionManager decides … |
| CVE-2020-5274 |
unknown |
— |
— |
|
|
|
6y ago |
In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered it stacktrace. In addition, the stacktrace were displayed even … |
| CVE-2020-5255 |
unknown |
— |
— |
|
|
|
6y ago |
In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a `Content-Type` header, affected versions of Symfony can fallback to the format defined in the `Accept` header of the r… |
| CVE-2019-10911 |
unknown |
— |
— |
|
|
|
6y ago |
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with… |
| CVE-2019-10912 |
unknown |
— |
— |
|
|
|
6y ago |
In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this coul… |
| CVE-2019-11325 |
unknown |
— |
— |
|
|
|
6y ago |
An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrar… |
| CVE-2019-10913 |
unknown |
— |
— |
|
|
|
7y ago |
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted inpu… |
| CVE-2019-18886 |
unknown |
— |
— |
|
|
|
7y ago |
An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthor… |
| CVE-2019-18888 |
unknown |
— |
— |
|
|
|
7y ago |
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIM… |
| CVE-2019-18889 |
unknown |
— |
— |
|
|
|
7y ago |
An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is rel… |
| CVE-2019-10910 |
unknown |
— |
— |
|
|
|
7y ago |
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code exec… |
| CVE-2019-10909 |
unknown |
— |
— |
|
|
|
7y ago |
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. Th… |
