| CVE-2016-2403 |
critical |
9.8 |
9.8 |
|
|
|
9y ago |
Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. |
| CVE-2015-8124 |
medium |
— |
6.8 |
|
|
|
11y ago |
Session fixation vulnerability in the "Remember Me" login feature in Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 allows remote attackers to hijack web sessions via a sess… |
| CVE-2015-2308 |
medium |
— |
6.8 |
|
|
|
11y ago |
Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x before 2.3.27, 2.4.x and 2.5.x before 2.5.11, and 2.6.x before 2.6.6 allows remote attackers to execute arbitrary PHP … |
| CVE-2012-6432 |
medium |
— |
6.8 |
|
|
|
14y ago |
Symfony Access Control Vulnerability |
| CVE-2012-6431 |
medium |
— |
6.4 |
|
|
|
14y ago |
Symfony Allows URI Restrictions Bypass Via Double-Encoded String |
| CVE-2026-45069 |
medium |
— |
5.5 |
|
|
|
15d ago |
Symfony's OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims |
| CVE-2026-45073 |
medium |
— |
5.5 |
|
|
|
15d ago |
Symfony Vulnerable to SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix |
| CVE-2026-45074 |
medium |
— |
5.5 |
|
|
|
15d ago |
Symfony's Cas2Handler Derives CAS service URL from Client Host Header → Cross-Service Ticket Replay |
| CVE-2026-45075 |
medium |
— |
5.5 |
|
|
|
15d ago |
Synfony's HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid] |
| CVE-2026-45068 |
medium |
— |
5.5 |
|
|
|
15d ago |
Symfony has an Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address |
| CVE-2026-45064 |
medium |
— |
5.5 |
|
|
|
15d ago |
Symfony's HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing |
| CVE-2026-45065 |
medium |
— |
5.5 |
|
|
|
15d ago |
Symfony has a UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection |
| CVE-2026-45066 |
medium |
— |
5.5 |
|
|
|
15d ago |
Symfony has an HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and <area> Misclassification |
| CVE-2026-45070 |
medium |
— |
5.5 |
|
|
|
15d ago |
Symfony has Email Header Injection via Non-Token Characters in Mime Parameter Names |
| CVE-2018-14773 |
medium |
— |
5.5 |
|
|
|
4y ago |
An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises … |
| CVE-2013-5958 |
medium |
— |
5.0 |
|
|
|
12y ago |
The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote attackers to cause a denial of service (CPU consumption) via a lon… |
| CVE-2015-4050 |
medium |
— |
4.3 |
|
|
|
11y ago |
FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if … |
