Skip to content

Symfony Blog

All about Symfony releases, new Symfony features, and other important announcements

Email Header Injection via Non-Token Characters in Mime Parameter Names
Johannes introduces Symfony Mate, an MCP server that exposes a curated, deterministic view of your running Symfony application (container, services, profiler, logs) to any MCP-aware client
May 20, 2026 #Conferences
Twilio Notifier Webhook Parser Never Verifies the X-Twilio-Signature HMAC: Unauthenticated Webhook Event Injection
Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC: Unauthenticated Webhook Event Injection
Mailjet Mailer and LOX24 Notifier Webhook Parsers Never Verify the Configured Secret: Unauthenticated Webhook Event Injection
JsonPath Evaluates Attacker-Controlled Regular Expressions in match()/search() Without Limits: ReDoS
SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV/APP_DEBUG via parse_str/SAPI Argv Mismatch
UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection
HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid]
OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims