symfony/symfony vulnerabilities

Browse known CVEs and advisories by package and ecosystem. Severity tells you the worst case. What determines real risk is whether the vulnerable code actually runs in your applications.

Get a demo

Browse by ecosystem

npmPyPIMavenGoRubyGemsCargoNuGetComposerpubSwiftGitHub Actions
CVE-IDSeverityPackage summary
CVE-2026-45066Mediumsymfony/html-sanitizer: Symfony has an HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and <area> MisclassificationCVE-2026-45064Mediumsymfony/html-sanitizer: Symfony's HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href SpoofingCVE-2026-45065Mediumsymfony/routing: Symfony has a UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL InjectionCVE-2026-45063Highsymfony/security-http: Symfony Vulnerable to Identity Spoofing via Unanchored DN Regex in X509AuthenticatorCVE-2026-24739Mediumsymfony/process: Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on WindowsCVE-2025-64500Highsymfony/http-foundation: Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypassCVE-2024-51736Highsymfony/process: Symfony vulnerable to command execution hijack on Windows with Process classCVE-2024-50343Lowsymfony/symfony: Symfony has an incorrect response from Validator when input ends with `\n`CVE-2024-50342Lowsymfony/http-client: Symfony allows internal address and port enumeration by NoPrivateNetworkHttpClientCVE-2024-50341Lowsymfony/security-bundle: Symfony's `Security::login` does not take into account custom `user_checker`CVE-2024-50340Mediumsymfony/runtime: Symfony allows changing the environment through a queryCVE-2014-6072Highsymfony/symfony: Symfony Cross-Site Request Forgery vulnerability in the Web ProfilerGHSA-HX53-JCHX-CR52Mediumsymfony/symfony: Symfony2 improper IP based access controlGHSA-Q2GC-GG3X-7942Highsymfony/symfony: Symfony XML Entity Expansion security vulnerabilityGHSA-MMCV-FVQ8-R9X3Criticalsymfony/symfony: Symfony XML decoding attack vector through external entitiesGHSA-7MX2-7Q8P-PGMWMediumsymfony/symfony: Symfony may allow a user to switch to using another user's identityCVE-2014-5245Highsymfony/http-kernel: Symfony allows direct access of ESI URLs behind a trusted proxyCVE-2015-2309Mediumsymfony/http-foundation: Symfony has unsafe methods in the Request classCVE-2014-6061Mediumsymfony/http-foundation: Symfony has a security issue when parsing the Authorization headerCVE-2014-5244Highsymfony/http-foundation: Symfony vulnerable to denial of service via a malicious HTTP Host headerGHSA-VFM6-R2GC-PWWWMediumsymfony/http-foundation: Symfony2 security issue when the trust proxy mode is enabledCVE-2014-4931Highsymfony/framework-bundle: Code injection in the way Symfony implements translation caching in FrameworkBundleCVE-2023-46735Mediumsymfony/webhook: Symfony potential Cross-site Scripting in WebhookControllerCVE-2023-46734Mediumsymfony/twig-bridge: Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filtersCVE-2023-46733Mediumsymfony/security-http: Symfony possible session fixation vulnerability

Stop the waste.
Protect your environment with Kodem.