Identity Spoofing via Unanchored DN Regex in X509Authenticator
May 20, 2026
#Security Advisories
#Symfony
HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite: javascript: URI Survives Sanitization (XSS)
May 20, 2026
#Security Advisories
#Symfony
Cas2Handler Derives CAS service URL from Client Host Header → Cross-Service Ticket Replay
May 20, 2026
#Security Advisories
#Symfony
Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address
May 20, 2026
#Security Advisories
#Symfony
HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing
May 20, 2026
#Security Advisories
#Symfony
CVE-2026-47732 Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points
May 20, 2026
#Security Advisories
#Twig
Sandbox property and method bypass via object-destructuring assignment
May 20, 2026
#Security Advisories
#Twig
XSS in profiler HtmlDumper via unescaped template and profile names
May 20, 2026
#Security Advisories
#Twig
`template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name
May 20, 2026
#Security Advisories
#Twig