| CVE | Severity | Score | Score | Age | Title |
|---|---|---|---|---|---|
| CVE-2026-45063 | high | — | 8.0 | 17d ago | Symfony Vulnerable to Identity Spoofing via Unanchored DN Regex in X509Authenticator |
| CVE-2026-45077 | high | — | 8.0 | 17d ago | Symfony has Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener |
| CVE-2026-45067 | high | — | 8.0 | 17d ago | Symfony has Email Header / SMTP Command Injection via CRLF in `Symfony\Component\Mime\Address` |
| CVE-2016-4423 | high | 7.5 | 7.5 | 10y ago | The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x befo… |
| CVE-2016-1902 | high | 7.5 | 7.5 | 10y ago | The nextBytes function in the SecureRandom class in Symfony before 2.3.37, 2.6.x before 2.6.13, and 2.7.x before 2.7.9 does not properly generate random numbers when used with PHP 5.x without the par… |
| CVE-2015-8125 | high | — | 7.5 | 11y ago | Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) Symfony/Component/Security/Http/… |
| CVE-2013-1397 | high | — | 7.5 | 12y ago | Symfony Arbitrary PHP Code Execution |
| CVE-2013-1348 | high | — | 7.5 | 12y ago | Symfony Vulnerable to PHP Code Injection via YAML Parsing |
| CVE-2015-8124 | medium | — | 6.8 | 11y ago | Session fixation vulnerability in the "Remember Me" login feature in Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 allows remote attackers to hijack web sessions via a sess… |
| CVE-2015-2308 | medium | — | 6.8 | 11y ago | Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x before 2.3.27, 2.4.x and 2.5.x before 2.5.11, and 2.6.x before 2.6.6 allows remote attackers to execute arbitrary PHP … |
| CVE-2012-6432 | medium | — | 6.8 | 14y ago | Symfony Access Control Vulnerability |
| CVE-2012-6431 | medium | — | 6.4 | 14y ago | Symfony Allows URI Restrictions Bypass via Double-Encoded String |
| CVE-2026-45065 | medium | — | 5.5 | 17d ago | Symfony has a UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection |
| CVE-2026-45064 | medium | — | 5.5 | 17d ago | Symfony's HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing |
| CVE-2026-45066 | medium | — | 5.5 | 17d ago | Symfony has an HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and `<area>` Misclassification |
| CVE-2026-45068 | medium | — | 5.5 | 17d ago | Symfony has an Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address |
| CVE-2026-45069 | medium | — | 5.5 | 17d ago | Symfony's OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims |
| CVE-2026-45070 | medium | — | 5.5 | 17d ago | Symfony has Email Header Injection via Non-Token Characters in Mime Parameter Names |
| CVE-2026-45073 | medium | — | 5.5 | 17d ago | Symfony Vulnerable to SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix |
| CVE-2026-45074 | medium | — | 5.5 | 17d ago | Symfony's Cas2Handler Derives CAS Service URL from Client Host Header → Cross-Service Ticket Replay |
| CVE-2026-45075 | medium | — | 5.5 | 17d ago | Symfony's HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid] |
| CVE-2018-14773 | medium | — | 5.5 | 4y ago | An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises … |
| CVE-2013-5958 | medium | — | 5.0 | 12y ago | The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote attackers to cause a denial of service (CPU consumption) via a lon… |
| CVE-2015-4050 | medium | — | 4.3 | 11y ago | FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if … |
| CVE-2026-45305 | low | — | 2.5 | 17d ago | Symfony's YAML Parser has a ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex |
| CVE-2026-45072 | low | — | 2.5 | 17d ago | Symfony Vulnerable to Stored XSS in WebProfiler CodeExtension::fileExcerpt() — Unescaped Non-PHP File Rendering |
| CVE-2026-45071 | low | — | 2.5 | 17d ago | Symfony has XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true |
| CVE-2026-45133 | low | — | 2.5 | 17d ago | Symfony hardened the parser when handling untrusted input |
| CVE-2026-45304 | low | — | 2.5 | 17d ago | Symfony's YAML Parser Vulnerable to Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs") |