Package impact
Packagist / symfony/symfony
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-2403 | critical | 9.8 | 9.8 | 10y ago | Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. | |||
| CVE-2026-45071 | low | — | 2.5 | 17d ago | Symfony has XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true | |||
| CVE-2026-45072 | low | — | 2.5 | 17d ago | Symfony Vulnerable to stored XSS in WebProfiler CodeExtension::fileExcerpt() — Unescaped Non-PHP File Rendering | |||
| CVE-2026-45133 | low | — | 2.5 | 17d ago | Symfony hardened the parser when handling untrusted input | |||
| CVE-2026-45304 | low | — | 2.5 | 17d ago | Symfony's YAML Parser Vulnerable to Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs") | |||
| CVE-2026-45305 | low | — | 2.5 | 17d ago | Symfony's YAML Parser has a ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex |