HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and Misclassification
May 20, 2026
#Security Advisories
#Symfony
YAML Parser Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs")
May 20, 2026
#Security Advisories
#Symfony
SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix
May 20, 2026
#Security Advisories
#Symfony
CVE-2026-45071 XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true
May 20, 2026
#Security Advisories
#Symfony
Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address
May 20, 2026
#Security Advisories
#Symfony
Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address
May 20, 2026
#Security Advisories
#Symfony
CVE-2026-47732 Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points
May 20, 2026
#Security Advisories
#Twig
`template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name
May 20, 2026
#Security Advisories
#Twig
Unbounded formatter memoisation in twig/intl-extra keyed on template-controlled arguments
May 20, 2026
#Security Advisories
#Twig