SB2026052131 - Multiple vulnerabilities in Symfony
Published: May 21, 2026
Description
This security bulletin contains information about 23 vulnerabilities.
1) Interpretation Conflict (CVE-ID: CVE-2026-46626)
CWE-ID: CWE-436 - Interpretation Conflict
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to modify the application environment and debug settings.
The vulnerability exists due to interpretation conflict in SymfonyRuntime::getInput() when processing a crafted query string in a web request with register_argc_argv enabled. A remote attacker can send a specially crafted GET request to modify the application environment and debug settings.
Exploitation requires a web SAPI deployment with register_argc_argv enabled, and the application must be booted through symfony/runtime.
2) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2026-47212)
CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject forged webhook events.
The vulnerability exists due to improper verification of cryptographic signature in the TwilioRequestParser webhook request parser when handling webhook POST requests. A remote attacker can send a specially crafted request to inject forged webhook events.
This affects applications that expose the Twilio webhook endpoint and have a signing secret configured, because the parser ignores the X-Twilio-Signature header and accepts arbitrary status payloads.
3) Inefficient regular expression complexity (CVE-ID: CVE-2026-45756)
CWE-ID: CWE-1333 - Inefficient Regular Expression Complexity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to inefficient regular expression complexity in the JsonPath match() and search() filter functions when evaluating an attacker-influenced JSONPath expression against non-trivial JSON input. A remote attacker can supply a specially crafted JSONPath expression containing a catastrophic-backtracking pattern to cause a denial of service.
The issue occurs when server-side code passes attacker-controlled JSONPath input to JsonCrawler for evaluation.
4) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2026-45755)
CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject forged webhook events.
The vulnerability exists due to improper verification of cryptographic signature in MailtrapRequestParser::doParse() when handling webhook POST requests. A remote attacker can send a specially crafted request to inject forged webhook events.
An application that exposes the webhook endpoint and has a signing secret configured will still accept unsigned or forged event payloads.
5) Missing Authentication for Critical Function (CVE-ID: CVE-2026-45754)
CWE-ID: CWE-306 - Missing Authentication for Critical Function
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject forged webhook events.
The vulnerability exists due to missing authentication in MailjetRequestParser::doParse() when handling webhook POST requests. A remote attacker can send a specially crafted request to inject forged webhook events.
Only applications that expose the webhook endpoint and rely on a configured webhook secret for authentication are affected.
6) Cross-site scripting (CVE-ID: CVE-2026-45753)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.
The vulnerability exists due to incomplete neutralization of dangerous URL schemes in UrlAttributeSanitizer when sanitizing untrusted HTML with allowed action, formaction, poster, or cite attributes. A remote attacker can supply specially crafted HTML containing a javascript: URI to execute arbitrary script in the victim's browser.
User interaction is required in the action and formaction cases because the victim must submit the form or click the button, and exploitation requires a deliberately permissive sanitizer configuration that allows the affected attributes.
7) Inefficient regular expression complexity (CVE-ID: CVE-2026-45305)
CWE-ID: CWE-1333 - Inefficient Regular Expression Complexity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to inefficient regular expression complexity in Symfony\Component\Yaml\Parser::cleanup() when parsing crafted YAML input. A remote attacker can supply a specially crafted oversized %YAML directive header, comment line, or document marker line to cause a denial of service.
8) XML Entity Expansion (CVE-ID: CVE-2026-45304)
CWE-ID: CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper restriction of recursive entity references in Symfony\Component\Yaml\Parser when parsing untrusted YAML containing recursive collection aliases. A remote attacker can supply a specially crafted YAML document to cause a denial of service.
A small input can expand into a multi-gigabyte structure and exhaust memory through exponential alias expansion.
9) Deserialization of Untrusted Data (CVE-ID: CVE-2026-45077)
CWE-ID: CWE-502 - Deserialization of Untrusted Data
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code or cause a denial of service.
The vulnerability exists due to deserialization of untrusted data in Symfony\Bridge\Monolog\Command\ServerLogCommand when processing messages received by the server:log TCP listener. A remote attacker can send a specially crafted serialized payload to execute arbitrary code or cause a denial of service.
Exploitation requires the server:log command to be running and reachable on TCP port 9911. Code execution is environment-dependent on the presence of usable gadget chains in the target process.
10) CRLF injection (CVE-ID: CVE-2026-45070)
CWE-ID: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject arbitrary email headers.
The vulnerability exists due to improper neutralization of CRLF sequences in ParameterizedHeader parameter name handling when serializing structured email headers with user-controlled parameter names. A remote attacker can supply a crafted parameter name containing CRLF characters to inject arbitrary email headers.
The issue affects parameter names in structured headers such as Content-Type and Content-Disposition.
11) Spoofing attack (CVE-ID: CVE-2026-45064)
CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to spoof the visual destination of a link.
The vulnerability exists due to user interface misrepresentation of critical information in Symfony\Component\HtmlSanitizer\TextSanitizer\UrlSanitizer::parse() when sanitizing URLs for href or src attributes. A remote attacker can supply a crafted URL containing bidirectional override characters to spoof the visual destination of a link.
When rendered in a browser, Unicode explicit-direction BiDi formatting characters can alter the visual ordering of the displayed URL text, causing sanitized content to present a link that appears different from its actual destination.
12) SQL injection (CVE-ID: CVE-2026-45073)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary SQL commands.
The vulnerability exists due to SQL injection in PdoAdapter::doClear() when processing a caller-supplied cache key prefix in the non-versioning code path. A remote user can supply a specially crafted prefix value to execute arbitrary SQL commands.
The issue affects the PDO-backed cache adapter's clear($prefix) behavior.
13) XML External Entity injection (CVE-ID: CVE-2026-45071)
CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose local files.
The vulnerability exists due to improper restriction of XML external entity references in DomCrawler::addXmlContent() when parsing attacker-supplied XML content with validateOnParse enabled. A remote attacker can supply a specially crafted XML document containing a file:// external entity to disclose local files.
The issue occurs because DTD subset processing and external entity resolution are re-enabled, and LIBXML_NONET does not block file:// entity resolution.
14) Incorrect Regular Expression (CVE-ID: CVE-2026-45065)
CWE-ID: CWE-185 - Incorrect Regular Expression
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to redirect users to an untrusted site.
The vulnerability exists due to incorrect regular expression handling in UrlGenerator when validating route parameter values against regex alternation requirements during URL generation. A remote attacker can supply a crafted parameter value that passes validation and produces a protocol-relative URL to redirect users to an untrusted site.
The issue occurs because anchoring applies only to the first and last alternatives in an ungrouped alternation pattern.
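The anchoring defect behind entry 14, as an added Python illustration rather than Symfony's own code: Symfony's UrlGenerator is PHP/PCRE, but `^` and `$` bind to the nearest alternative in the same way in Python's re. The block shows the naive wrap of an ungrouped alternation, the grouped fix, and a helper that flags route requirements containing a top-level alternation so they can be audited. The requirement `en|fr|de` and the value `//example.invalid/fr` are constructed for the example.

```python
import re

def split_toplevel_alternation(requirement: str) -> list[str]:
    """Split a regex requirement at '|' characters that sit outside any
    group or character class (escaped characters are skipped, so 'a\\|b'
    and '[|]' are not alternations). A requirement that yields more than
    one piece is exposed to the anchoring defect when wrapped in ^...$."""
    pieces, depth, in_class, current, i = [], 0, False, "", 0
    while i < len(requirement):
        ch = requirement[i]
        if ch == "\\" and i + 1 < len(requirement):
            current += requirement[i:i + 2]   # keep escape pairs intact
            i += 2
            continue
        if in_class:
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "|" and depth == 0:
            pieces.append(current)
            current = ""
            i += 1
            continue
        current += ch
        i += 1
    pieces.append(current)
    return pieces

def matches_unsafe(requirement: str, value: str) -> bool:
    """Anchor by wrapping the raw requirement in ^...$. With an ungrouped
    alternation the anchors bind only to the first and last alternatives
    ('^en' and 'de$'), so a middle alternative may match anywhere inside
    the value. This reproduces the defect described in the entry above."""
    return re.search("^" + requirement + "$", value) is not None

def matches_safe(requirement: str, value: str) -> bool:
    """Group the requirement before anchoring so both anchors apply to
    every alternative (the usual fix for this class of bug)."""
    return re.search("^(?:" + requirement + ")$", value) is not None

def audit_requirement(requirement: str) -> list[str]:
    """Return the alternatives that would lose their anchors under the
    unsafe wrap: everything except the first and last top-level piece."""
    pieces = split_toplevel_alternation(requirement)
    return pieces[1:-1] if len(pieces) > 2 else []
```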
15) Incorrect authorization (CVE-ID: CVE-2026-45075)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass authorization checks and trigger unintended controller actions.
The vulnerability exists due to improper access control in #[IsGranted], #[IsSignatureValid], and #[IsCsrfTokenValid] attribute method filtering when handling HEAD requests for controllers restricted to GET. A remote attacker can send a HEAD request to bypass authorization checks and trigger unintended controller actions.
Although the response body is not returned for HEAD requests, response headers may still be disclosed and controller side effects may still occur.
16) Cross-site scripting (CVE-ID: CVE-2026-45072)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary script code in a developer's browser.
The vulnerability exists due to cross-site scripting in the Twig file_excerpt filter used by the Web Profiler when rendering non-PHP files. A remote user can write crafted content into a file under the project root to execute arbitrary script code in a developer's browser.
The issue affects the development-only profiler interface and is triggered when a developer later opens the crafted file in the profiler.
17) Interpretation Conflict (CVE-ID: CVE-2026-45066)
CWE-ID: CWE-436 - Interpretation Conflict
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass URL allowlist restrictions.
The vulnerability exists due to interpretation conflict in UrlSanitizer::parse() when parsing crafted URLs with backslashes or abnormal slash counts after special schemes. A remote attacker can supply a specially crafted URL to bypass URL allowlist restrictions.
The issue arises from differences between RFC-3986 parsing on the server side and WHATWG URL parsing in browsers.
18) CRLF injection (CVE-ID: CVE-2026-45067)
CWE-ID: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to inject arbitrary email headers or SMTP commands.
The vulnerability exists due to improper neutralization of CRLF sequences in Symfony\Component\Mime\Address when processing a quoted-string email address containing raw line breaks. A remote attacker can supply a specially crafted email address to inject arbitrary email headers or SMTP commands.
The issue affects addresses that are later emitted into rendered message headers or SMTP MAIL FROM and RCPT TO protocol lines.
19) Authentication Bypass by Spoofing (CVE-ID: CVE-2026-45063)
CWE-ID: CWE-290 - Authentication Bypass by Spoofing
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to spoof identities and bypass authentication.
The vulnerability exists due to improper authentication in X509Authenticator when extracting the user identifier from the Subject DN provided in $_SERVER['SSL_CLIENT_S_DN']. A remote user can obtain a certificate with a crafted CN value containing an embedded emailAddress field to spoof identities and bypass authentication.
The issue affects client-certificate authentication flows where the certificate is issued by a trusted CA and the CN field can contain free-text content.
20) Improper Neutralization of Argument Delimiters in a Command (CVE-ID: CVE-2026-45068)
CWE-ID: CWE-88 - Argument Injection or Modification
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to inject command-line arguments.
The vulnerability exists due to improper neutralization of argument delimiters in SendmailTransport when appending recipient addresses to the sendmail command line in -t mode. A local user can supply a recipient address beginning with - to inject command-line arguments.
The issue occurs only when the sendmail transport is used in -t mode.
21) Authentication Bypass by Spoofing (CVE-ID: CVE-2026-45074)
CWE-ID: CWE-290 - Authentication Bypass by Spoofing
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass authentication.
The vulnerability exists due to authentication bypass by spoofing in Cas2Handler when deriving the CAS service parameter from an attacker-controlled Host header during ticket validation. A remote user can replay a victim's CAS ticket with a spoofed Host header to bypass authentication.
Exploitation requires control of another application registered with the same CAS server.
22) Insufficient verification of data authenticity (CVE-ID: CVE-2026-45069)
CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass JWT claim validation.
The vulnerability exists due to insufficient verification of data authenticity in OidcTokenHandler::verifyClaims() when processing a validly signed bearer JWT missing required claims. A remote attacker can supply a validly signed JWT that omits the aud, iss, and exp claims to bypass JWT claim validation.
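The failure mode in entry 22, as an added Python illustration that is not Symfony's code: a lenient validator that only checks claims when they are present accepts a validly signed token that omits aud, iss and exp, while a strict validator treats a missing required claim as a hard failure. Signature verification is assumed to have already succeeded; the audience `api`, issuer `https://idp.example` and the sample payloads are constructed for the example.

```python
from typing import Optional

# Constructed payloads; in practice these are the decoded JWT bodies after
# the signature has been verified against the provider's keys.
GOOD_CLAIMS = {"sub": "user-1", "aud": "api", "iss": "https://idp.example",
               "exp": 2_000_000_000}
MISSING_CLAIMS = {"sub": "user-1"}          # validly signed but no aud/iss/exp
EXPIRED_CLAIMS = {"sub": "user-1", "aud": ["api", "other"],
                  "iss": "https://idp.example", "exp": 1_600_000_000}

def _as_list(value) -> list:
    """RFC 7519 allows 'aud' to be a single string or an array."""
    return value if isinstance(value, list) else [value]

def verify_claims_lenient(claims: dict, audience: str, issuer: str,
                          now: float) -> Optional[str]:
    """Lenient pattern: each claim is validated only if it is present.
    Returns None (accept) or a rejection reason. A token that simply
    omits aud, iss and exp passes every branch, which is the weakness
    described in the entry above."""
    if "aud" in claims and audience not in _as_list(claims["aud"]):
        return "aud mismatch"
    if "iss" in claims and claims["iss"] != issuer:
        return "iss mismatch"
    if "exp" in claims and float(claims["exp"]) <= now:
        return "token expired"
    return None

def verify_claims_strict(claims: dict, audience: str, issuer: str,
                         now: float) -> Optional[str]:
    """Strict pattern: aud, iss and exp are mandatory, so absence is a
    rejection rather than a skipped check. Returns None (accept) or the
    reason the token is rejected."""
    for name in ("aud", "iss", "exp"):
        if name not in claims:
            return f"required claim {name!r} is missing"
    if audience not in _as_list(claims["aud"]):
        return "aud does not contain this resource server"
    if claims["iss"] != issuer:
        return "iss does not match the configured provider"
    if float(claims["exp"]) <= now:
        return "token expired"
    return None
```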
23) Uncontrolled Recursion (CVE-ID: CVE-2026-45133)
CWE-ID: CWE-674 - Uncontrolled Recursion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled recursion in Symfony\Component\Yaml\Parser when parsing attacker-controlled YAML input with deeply nested blocks, sequences, or mappings. A remote attacker can supply a specially crafted YAML document to cause a denial of service.
The issue can exhaust the PHP stack and crash the worker.
Remediation
Install the update from the vendor's website.