SB2026060202 - Debian update for symfony



Published: June 2, 2026

Security Bulletin ID SB2026060202
CSH Severity
High
Patch available
YES
Number of vulnerabilities 15
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 13%, Medium 60%, Low 27%

Description

This security bulletin contains information about 15 vulnerabilities.


1) Input validation error (CVE-ID: CVE-2024-50340)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Green


The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input when the register_argc_argv PHP directive is enabled. A remote attacker can pass a specially crafted URL to the application and manipulate the current PHP environment.


2) Authentication Bypass by Spoofing (CVE-ID: CVE-2026-45063)

CWE-ID: CWE-290 - Authentication Bypass by Spoofing

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to spoof identities and bypass authentication.

The vulnerability exists due to improper authentication in X509Authenticator when extracting the user identifier from the Subject DN provided in $_SERVER['SSL_CLIENT_S_DN']. A remote user can obtain a certificate with a crafted CN value containing an embedded emailAddress field to spoof identities and bypass authentication.

The issue affects client-certificate authentication flows where the certificate is issued by a trusted CA and the CN field can contain free-text content.


3) Incorrect Regular Expression (CVE-ID: CVE-2026-45065)

CWE-ID: CWE-185 - Incorrect Regular Expression

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to redirect users to an untrusted site.

The vulnerability exists due to incorrect regular expression handling in UrlGenerator when validating route parameter values against regex alternation requirements during URL generation. A remote attacker can supply a crafted parameter value that passes validation and produces a protocol-relative URL to redirect users to an untrusted site.

The issue occurs because anchoring applies only to the first and last alternatives in an ungrouped alternation pattern.
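As an added illustration of the anchoring problem described above (this is example code, not Symfony's own UrlGenerator), the following plain PHP builds a requirement check in the assumed form `'#^' . $requirement . '$#'` and contrasts it with a version that groups the alternation; the function names and the sample value are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed shape of a route-requirement check: the requirement regex is
// anchored at both ends and the parameter value is matched against it.
function matchesRequirement(string $value, string $requirement): bool
{
    return preg_match('#^' . $requirement . '$#', $value) === 1;
}

// Hardened check: a non-capturing group makes ^ and $ apply to every
// alternative instead of only to the first and the last one.
function matchesRequirementGrouped(string $value, string $requirement): bool
{
    return preg_match('#^(?:' . $requirement . ')$#', $value) === 1;
}

// Ungrouped alternation, as a requirement such as '_locale' => 'en|fr|de'
// would be written. The built pattern reads (^en)|(fr)|(de$), so the middle
// alternative may match anywhere inside the value.
$requirement = 'en|fr|de';

// Constructed parameter value: it contains "fr" but is not a bare locale, and
// would yield a protocol-relative URL if inserted into a generated path.
$crafted = '//example.org/fr/';

foreach (['en', 'fr', $crafted] as $value) {
    printf(
        "%-20s ungrouped: %s  grouped: %s\n",
        var_export($value, true),
        matchesRequirement($value, $requirement) ? 'accepted' : 'rejected',
        matchesRequirementGrouped($value, $requirement) ? 'accepted' : 'rejected'
    );
}
```

The ungrouped check accepts the constructed value because only "en" is bound to ^ and only "de" to $; the grouped check accepts the three bare locales and nothing else.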


4) CRLF injection (CVE-ID: CVE-2026-45067)

CWE-ID: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to inject arbitrary email headers or SMTP commands.

The vulnerability exists due to improper neutralization of CRLF sequences in Symfony\Component\Mime\Address when processing a quoted-string email address containing raw line breaks. A remote attacker can supply a specially crafted email address to inject arbitrary email headers or SMTP commands.

The issue affects addresses that are later emitted into rendered message headers or SMTP MAIL FROM and RCPT TO protocol lines.


5) Improper Neutralization of Argument Delimiters in a Command (CVE-ID: CVE-2026-45068)

CWE-ID: CWE-88 - Argument Injection or Modification

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to inject command-line arguments.

The vulnerability exists due to improper neutralization of argument delimiters in SendmailTransport when appending recipient addresses to the sendmail command line in -t mode. A local user can supply a recipient address beginning with - to inject command-line arguments.

The issue occurs only when the sendmail transport is used in -t mode.
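As an added example covering items 4 and 5 (this is not Symfony Mime or Mailer code), the following PHP 8 snippet shows the two checks a defender would apply before an address reaches a message header, an SMTP protocol line or the sendmail argument vector; the function names and the sample addresses are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Item 4: refuse raw CR/LF anywhere in the address, including inside an
// RFC 5322 quoted-string local part, so one address can never turn into two
// header lines or two SMTP protocol lines.
function assertNoLineBreaks(string $address): string
{
    if (preg_match('/[\r\n]/', $address) === 1) {
        throw new InvalidArgumentException('address contains CR or LF');
    }
    return $address;
}

// The protocol line is built only from a checked address.
function smtpRcptLine(string $address): string
{
    return 'RCPT TO:<' . assertNoLineBreaks($address) . ">\r\n";
}

// Item 5: a recipient starting with "-" would be parsed by sendmail as an
// option when appended to the command line, so refuse it outright.
function sendmailRecipientArg(string $address): string
{
    $address = assertNoLineBreaks($address);
    if (str_starts_with($address, '-')) {
        throw new InvalidArgumentException('address must not start with "-"');
    }
    return escapeshellarg($address);
}

// Constructed sample inputs.
$samples = [
    'alice@example.com',
    "\"alice\r\nbob\"@example.com", // quoted-string local part with a raw CRLF
    '-bogus@example.com',           // looks like a command-line option
];

foreach ($samples as $address) {
    try {
        echo smtpRcptLine($address), 'argv: ', sendmailRecipientArg($address), "\n";
    } catch (InvalidArgumentException $e) {
        // json_encode keeps the CR/LF visible as escapes in the printed line
        echo 'rejected ', json_encode($address), ': ', $e->getMessage(), "\n";
    }
}
```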


6) XML External Entity injection (CVE-ID: CVE-2026-45071)

CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose local files.

The vulnerability exists due to improper restriction of XML external entity references in DomCrawler::addXmlContent() when parsing attacker-supplied XML content with validateOnParse enabled. A remote attacker can supply a specially crafted XML document containing a file:// external entity to disclose local files.

The issue occurs because DTD subset processing and external entity resolution are re-enabled, and LIBXML_NONET does not block file:// entity resolution.


7) SQL injection (CVE-ID: CVE-2026-45073)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in PdoAdapter::doClear() when processing a caller-supplied cache key prefix in the non-versioning code path. A remote user can supply a specially crafted prefix value to execute arbitrary SQL commands.

The issue affects the PDO-backed cache adapter's clear($prefix) behavior.


8) Deserialization of Untrusted Data (CVE-ID: CVE-2026-45077)

CWE-ID: CWE-502 - Deserialization of Untrusted Data

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code or cause a denial of service.

The vulnerability exists due to deserialization of untrusted data in Symfony\Bridge\Monolog\Command\ServerLogCommand when processing messages received by the server:log TCP listener. A remote attacker can send a specially crafted serialized payload to execute arbitrary code or cause a denial of service.

Exploitation requires the server:log command to be running and reachable on TCP port 9911. Code execution is environment-dependent on the presence of usable gadget chains in the target process.


9) Uncontrolled Recursion (CVE-ID: CVE-2026-45133)

CWE-ID: CWE-674 - Uncontrolled Recursion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled recursion in Symfony\Component\Yaml\Parser when parsing attacker-controlled YAML input with deeply nested blocks, sequences, or mappings. A remote attacker can supply a specially crafted YAML document to cause a denial of service.

The issue can exhaust the PHP stack and crash the worker.


10) XML Entity Expansion (CVE-ID: CVE-2026-45304)

CWE-ID: CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper restriction of recursive entity references in Symfony\Component\Yaml\Parser when parsing untrusted YAML containing recursive collection aliases. A remote attacker can supply a specially crafted YAML document to cause a denial of service.

A small input can expand into a multi-gigabyte structure and exhaust memory through exponential alias expansion.


11) Inefficient regular expression complexity (CVE-ID: CVE-2026-45305)

CWE-ID: CWE-1333 - Inefficient Regular Expression Complexity

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to inefficient regular expression complexity in Symfony\Component\Yaml\Parser::cleanup() when parsing crafted YAML input. A remote attacker can supply a specially crafted oversized %YAML directive header, comment line, or document marker line to cause a denial of service.


12) Interpretation Conflict (CVE-ID: CVE-2026-46626)

CWE-ID: CWE-436 - Interpretation Conflict

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to modify the application environment and debug settings.

The vulnerability exists due to interpretation conflict in SymfonyRuntime::getInput() when processing a crafted query string in a web request with register_argc_argv enabled. A remote attacker can send a specially crafted GET request to modify the application environment and debug settings.

Exploitation requires a web SAPI deployment with register_argc_argv enabled, and the application must be booted through symfony/runtime.
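As an added guard for the register_argc_argv issue in items 1 and 12 (example code, not symfony/runtime's own): PHP's web SAPIs fill $_SERVER['argv'] from the query string when that directive is on, so anything that reads argv for --env or --debug style options should first confirm it is running under the CLI. The function names, the option scan and the sample $_SERVER arrays are assumptions.

```php
<?php
declare(strict_types=1);

// Return command-line arguments only when PHP is really running a CLI process.
// In a web SAPI with register_argc_argv=On, $_SERVER['argv'] holds the words
// of the request's query string, which the remote client controls.
function trustedArgv(string $sapi, array $server): array
{
    if (!in_array($sapi, ['cli', 'phpdbg'], true)) {
        return [];
    }
    return $server['argv'] ?? [];
}

// Minimal option scan of the kind a runtime might perform (assumed shape).
function envFromArgv(array $argv, string $default = 'prod'): string
{
    foreach ($argv as $arg) {
        if (str_starts_with($arg, '--env=')) {
            return substr($arg, strlen('--env='));
        }
    }
    return $default;
}

// Constructed environments. With register_argc_argv=On, PHP's web SAPIs build
// argv from the "+"-separated words of QUERY_STRING.
$web = ['QUERY_STRING' => 'page+--env=dev', 'argv' => ['page', '--env=dev']];
$cli = ['argv' => ['bin/console', '--env=dev']];

// The web request keeps the default environment; only the CLI one is honoured.
echo 'fpm-fcgi: ', envFromArgv(trustedArgv('fpm-fcgi', $web)), "\n";
echo 'cli:      ', envFromArgv(trustedArgv('cli', $cli)), "\n";

// For web deployments also set "register_argc_argv = Off" in the php.ini used
// by the web SAPI, so argv is never populated from the request at all.
```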


13) Incorrect authorization (CVE-ID: CVE-2026-48489)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to incorrect authorization checks when failure_forward is enabled. A remote attacker can manipulate the _failure_path parameter and gain access to sensitive information on the system.


14) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-48736)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input in NoPrivateNetworkHttpClient. A remote attacker can send a specially crafted HTTP request and trick the application into initiating requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker to gain access to sensitive data located in the local network or to send malicious requests to other servers from the vulnerable system.


15) Open redirect (CVE-ID: CVE-2026-48784)

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to redirect victims to an arbitrary URL.

The vulnerability exists due to improper encoding of chained dot-segments. A remote attacker can create a link that appears to lead to a trusted website but, when clicked, redirects the victim to an arbitrary domain.

Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.


Remediation

Install the update from the vendor's website.