symfony/symfony vulnerabilities

Browse known CVEs and advisories by package and ecosystem. Severity tells you the worst case. What determines real risk is whether the vulnerable code actually runs in your applications.

Get a demo

Browse by ecosystem

npmPyPIMavenGoRubyGemsCargoNuGetComposerpubSwiftGitHub Actions
CVE-IDSeverityPackage summary
CVE-2026-48784Mediumsymfony/routing: Symfony: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../` or `./` → Generated URL Collapses Off-Route Under RFC 3986…CVE-2026-48760Mediumsymfony/html-sanitizer: Symfony: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing…CVE-2026-48747Mediumsymfony/mailomat-mailer: Symfony: Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm DowngradeCVE-2026-48736Mediumsymfony/http-client: Symfony: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in…CVE-2026-48489Highsymfony/security-http: Symfony: Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET RoutesCVE-2026-48761Mediumsymfony/html-sanitizer: Symfony: HtmlSanitizer UrlAttributeSanitizer Misses URL AttributesCVE-2026-47767Mediumsymfony/runtime: SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV/APP_DEBUG via parse_str/SAPI Argv MismatchCVE-2026-47212Mediumsymfony/symfony: Symfony: Twilio SMS Notifier allows unauthenticated webhook injection due to missing X-Twilio-Signature verificationCVE-2026-45756Lowsymfony/json-path: Symfony's JsonPath Evaluates Attacker-Controlled Regular Expressions in match()/search() Without Limits — ReDoSCVE-2026-45755Mediumsymfony/mailtrap-mailer: Symfony's Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC — Unauthenticated Webhook Event InjectionCVE-2026-45754Mediumsymfony/lox24-notifier: Symfony's Mailjet Mailer Webhook Parser Never Verifies the Configured Secret — Unauthenticated Webhook Event InjectionCVE-2026-45753Lowsymfony/html-sanitizer: Symfony's HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — `javascript`: URI Survives Sanitization (XSS)CVE-2026-45305Lowsymfony/yaml: Symfony's YAML Parser has a ReDoS via Catastrophic Backtracking in Parser::cleanup() RegexCVE-2026-45304Lowsymfony/yaml: Symfony's YAML Parser Vulnerable to Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs")CVE-2026-45133Lowsymfony/yaml: Symfony hardened the parser when handling untrusted inputCVE-2026-45077Highsymfony/monolog-bridge: Symfony has Unauthenticated PHP Object Deserialization in MonologBridge server:log ListenerCVE-2026-45075Highsymfony/http-kernel: Symfony's HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid]CVE-2026-45074Mediumsymfony/security-http: Symfony's Cas2Handler Derives CAS service URL from Client Host Header → Cross-Service Ticket ReplayCVE-2026-45073Mediumsymfony/cache: Symfony Vulnerable to SQL Injection in PdoAdapter::doClear() via Unsanitized $prefixCVE-2026-45072Lowsymfony/symfony: Symfony Vulnerable to stored XSS in WebProfiler CodeExtension::fileExcerpt() — Unescaped Non-PHP File RenderingCVE-2026-45071Lowsymfony/dom-crawler: Symfony has XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = trueCVE-2026-45070Mediumsymfony/mime: Symfony has Email Header Injection via Non-Token Characters in Mime Parameter NamesCVE-2026-45069Mediumsymfony/security-http: Symfony's OidcTokenHandler Accepts JWTs Missing aud/iss/exp ClaimsCVE-2026-45068Mediumsymfony/mailer: Symfony has an Argument Injection in SendmailTransport via Dash-Prefixed Recipient AddressCVE-2026-45067Highsymfony/mime: Symfony has Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address

Stop the waste.
Protect your environment with Kodem.