| CVE-2026-45305 |
low |
— |
2.5 |
|
|
|
15d ago |
Symfony's YAML Parser has a ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex |
| CVE-2026-45072 |
low |
— |
2.5 |
|
|
|
15d ago |
Symfony Vulnerable to stored XSS in WebProfiler CodeExtension::fileExcerpt() — Unescaped Non-PHP File Rendering |
| CVE-2026-45071 |
low |
— |
2.5 |
|
|
|
15d ago |
Symfony has XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true |
| CVE-2026-45133 |
low |
— |
2.5 |
|
|
|
15d ago |
Symfony hardened the parser when handling untrusted input |
| CVE-2026-45304 |
low |
— |
2.5 |
|
|
|
15d ago |
Symfony's YAML Parser Vulnerable to Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs") |
| CVE-2026-48747 |
unknown |
— |
— |
|
|
|
9d ago |
CVE-2026-48747: Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade |
| CVE-2026-48784 |
unknown |
— |
— |
|
|
|
9d ago |
CVE-2026-48784: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../` or `./` → Generated URL Collapses Off-Route Under RFC 3986 Normalization |
| CVE-2026-48489 |
unknown |
— |
— |
|
|
|
9d ago |
CVE-2026-48489: Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET Routes |
| CVE-2026-48736 |
unknown |
— |
— |
|
|
|
9d ago |
CVE-2026-48736: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient |
| CVE-2026-48761 |
unknown |
— |
— |
|
|
|
9d ago |
CVE-2026-48761: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes on <object>, <applet>, <iframe>, <img> and the URL Inside <meta http-equiv="refresh"> content |
| CVE-2026-48760 |
unknown |
— |
— |
|
|
|
9d ago |
CVE-2026-48760: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense |
| CVE-2026-46626 |
unknown |
— |
— |
|
|
|
15d ago |
CVE-2026-46626: SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV/APP_DEBUG via parse_str/SAPI Argv Mismatch |
| CVE-2026-45756 |
unknown |
— |
— |
|
|
|
15d ago |
Symfony's JsonPath Evaluates Attacker-Controlled Regular Expressions in match()/search() Without Limits — ReDoS |
| CVE-2026-45753 |
unknown |
— |
— |
|
|
|
15d ago |
Symfony's HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — `javascript`: URI Survives Sanitization (XSS) |
| CVE-2026-47212 |
unknown |
— |
— |
|
|
|
15d ago |
Symfony: Twilio SMS Notifier allows unauthenticated webhook injection due to missing X-Twilio-Signature verification |
| CVE-2026-45754 |
unknown |
— |
— |
|
|
|
15d ago |
Symfony's Mailjet Mailer Webhook Parser Never Verifies the Configured Secret — Unauthenticated Webhook Event Injection |
| CVE-2026-45755 |
unknown |
— |
— |
|
|
|
15d ago |
Symfony's Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC — Unauthenticated Webhook Event Injection |
| CVE-2026-24739 |
unknown |
— |
— |
|
|
|
4mo ago |
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5, the Symfony Process component did not cor… |
| CVE-2025-64500 |
unknown |
— |
— |
|
|
|
7mo ago |
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Start… |
| CVE-2024-51736 |
unknown |
— |
— |
|
|
|
2y ago |
Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. On Windows, when an executable file named `cmd.exe` is located in the current working directory i… |
| CVE-2024-50343 |
unknown |
— |
— |
|
|
|
2y ago |
symfony/validator is a module for the Symphony PHP framework which provides tools to validate values. It is possible to trick a `Validator` configured with a regular expression using the `$` metachar… |
| CVE-2024-50342 |
unknown |
— |
— |
|
|
|
2y ago |
symfony/http-client is a module for the Symphony PHP framework which provides powerful methods to fetch HTTP resources synchronously or asynchronously. When using the `NoPrivateNetworkHttpClient`, so… |
| CVE-2024-50341 |
unknown |
— |
— |
|
|
|
2y ago |
symfony/security-bundle is a module for the Symphony PHP framework which provides a tight integration of the Security component into the Symfony full-stack framework. The custom `user_checker` define… |
| CVE-2024-50340 |
unknown |
— |
— |
|
|
|
2y ago |
symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the `register_argv_argc` php directive is set to `on` , and users call any… |
| CVE-2015-2309 |
unknown |
— |
— |
|
|
|
2y ago |
Symfony has unsafe methods in the Request class |
| CVE-2023-46735 |
unknown |
— |
— |
|
|
|
3y ago |
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in version 6.0.0 and prior to version 6.3.8, the error message in `WebhookController` return… |
| CVE-2023-46734 |
unknown |
— |
— |
|
|
|
3y ago |
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Tw… |
| CVE-2023-46733 |
unknown |
— |
— |
|
|
|
3y ago |
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 5.4.21 and 6.2.7 and prior to versions 5.4.31 and 6.3.8, `SessionStrategyListene… |
| CVE-2022-24894 |
unknown |
— |
— |
|
|
|
3y ago |
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system, acts as a reverse proxy: It caches entire responses (including headers… |
| CVE-2022-24895 |
unknown |
— |
— |
|
|
|
3y ago |
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the… |
| CVE-2017-11365 |
unknown |
— |
— |
|
|
|
4y ago |
Certain Symfony products are affected by: Incorrect Access Control. This affects Symfony 2.7.30 and Symfony 2.8.23 and Symfony 3.2.10 and Symfony 3.3.3. The type of exploitation is: remote. The compo… |
| CVE-2018-11407 |
unknown |
— |
— |
|
|
|
4y ago |
An issue was discovered in the Ldap component in Symfony 2.8.x before 2.8.37, 3.3.x before 3.3.17, 3.4.x before 3.4.7, and 4.0.x before 4.0.7. It allows remote attackers to bypass authentication by l… |
| CVE-2017-16790 |
unknown |
— |
— |
|
|
|
4y ago |
An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. When a form is submitted by the user, the request handler classes of the Form component merge POST … |
| CVE-2018-14774 |
unknown |
— |
— |
|
|
|
4y ago |
An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. When using Http… |
| CVE-2018-11385 |
unknown |
— |
— |
|
|
|
4y ago |
An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. A session fixation vulnerabil… |
| CVE-2017-16652 |
unknown |
— |
— |
|
|
|
4y ago |
An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler t… |
| CVE-2017-16654 |
unknown |
— |
— |
|
|
|
4y ago |
An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The Intl component includes various bundle readers that are used to read resource bundles from the … |
| CVE-2018-11408 |
unknown |
— |
— |
|
|
|
4y ago |
The security handlers in the Security component in Symfony in 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11 have an Open redirect vulnera… |
| CVE-2018-11386 |
unknown |
— |
— |
|
|
|
4y ago |
An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler c… |
| CVE-2018-11406 |
unknown |
— |
— |
|
|
|
4y ago |
An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session … |
| CVE-2018-19789 |
unknown |
— |
— |
|
|
|
4y ago |
An issue was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9, and 4.2.x before 4.2.1. When using the scalar type hint `strin… |
| CVE-2018-19790 |
unknown |
— |
— |
|
|
|
4y ago |
An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_f… |
| CVE-2017-16653 |
unknown |
— |
— |
|
|
|
4y ago |
An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The current implementation of CSRF protection in Symfony (Version >=2) does not use different token… |
| CVE-2019-18887 |
unknown |
— |
— |
|
|
|
4y ago |
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/h… |
| CVE-2021-41270 |
unknown |
— |
— |
|
|
|
5y ago |
Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 bef… |
| CVE-2021-41268 |
unknown |
— |
— |
|
|
|
5y ago |
Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie in version… |
| CVE-2021-41267 |
unknown |
— |
— |
|
|
|
5y ago |
Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the "trusted_headers"… |
| CVE-2021-32693 |
unknown |
— |
— |
|
|
|
5y ago |
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. A vulnerability related to firewall authentication is in Symfony starting with version 5.3.0 and prio… |
| CVE-2021-21424 |
unknown |
— |
— |
|
|
|
5y ago |
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling de… |
| CVE-2020-15094 |
unknown |
— |
— |
|
|
|
6y ago |
In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X… |
| CVE-2020-5275 |
unknown |
— |
— |
|
|
|
6y ago |
In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks access control rule, it iterate overs each rule's attributes and stops as soon as the accessDecisionManager decides … |
| CVE-2020-5274 |
unknown |
— |
— |
|
|
|
6y ago |
In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered it stacktrace. In addition, the stacktrace were displayed even … |
| CVE-2020-5255 |
unknown |
— |
— |
|
|
|
6y ago |
In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a `Content-Type` header, affected versions of Symfony can fallback to the format defined in the `Accept` header of the r… |
| CVE-2019-10911 |
unknown |
— |
— |
|
|
|
6y ago |
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with… |
| CVE-2019-10912 |
unknown |
— |
— |
|
|
|
6y ago |
In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this coul… |
| CVE-2019-11325 |
unknown |
— |
— |
|
|
|
6y ago |
An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrar… |
| CVE-2019-10913 |
unknown |
— |
— |
|
|
|
7y ago |
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted inpu… |
| CVE-2019-18886 |
unknown |
— |
— |
|
|
|
7y ago |
An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthor… |
| CVE-2019-18888 |
unknown |
— |
— |
|
|
|
7y ago |
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIM… |
| CVE-2019-18889 |
unknown |
— |
— |
|
|
|
7y ago |
An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is rel… |
| CVE-2019-10910 |
unknown |
— |
— |
|
|
|
7y ago |
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code exec… |
| CVE-2019-10909 |
unknown |
— |
— |
|
|
|
7y ago |
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. Th… |
