Main Vulnerability Database SB2026012851

SB2026012851 - Arbitrary code execution in Symfony on Windows

Published: January 28, 2026

Security Bulletin ID SB2026012851

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Improper neutralization of argument delimiters in a command (CVE-ID: CVE-2026-24739)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper input validation when executing PHP from a MSYS2-based environment (e.g. Git Bash). If an application (or tooling such as Composer scripts) uses Symfony Process to invoke file-management commands (e.g. rmdir, del, etc.) with a path argument containing =, the MSYS2 conversion layer may alter the argument at runtime. A remote attacker can trick the victim into passing specially crafted input to the application and execute dangerous commands on the system.

The vulnerability affects Windows installations only.

Remediation

Install update from vendor's website.

References

https://github.com/symfony/symfony/security/advisories/GHSA-r39x-jcww-82v6