Identity Spoofing via Unanchored DN Regex in X509Authenticator
May 20, 2026
#Security Advisories
#Symfony
HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing
May 20, 2026
#Security Advisories
#Symfony
OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims
May 20, 2026
#Security Advisories
#Symfony
CVE-2026-45071 XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true
May 20, 2026
#Security Advisories
#Symfony
Stored XSS in WebProfiler CodeExtension::fileExcerpt(): Unescaped Non-PHP File Rendering
May 20, 2026
#Security Advisories
#Symfony
SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix
May 20, 2026
#Security Advisories
#Symfony
Cas2Handler Derives CAS service URL from Client Host Header → Cross-Service Ticket Replay
May 20, 2026
#Security Advisories
#Symfony
HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid]
May 20, 2026
#Security Advisories
#Symfony
YAML Parser Stack Exhaustion via Unbounded Recursion in Nested Blocks, Sequences, and Mappings
May 20, 2026
#Security Advisories
#Symfony
HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite: javascript: URI Survives Sanitization (XSS)
May 20, 2026
#Security Advisories
#Symfony