SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV/APP_DEBUG via parse_str/SAPI Argv Mismatch
May 20, 2026
#Security Advisories
#Symfony
Mailjet Mailer and LOX24 Notifier Webhook Parsers Never Verify the Configured Secret: Unauthenticated Webhook Event Injection
May 20, 2026
#Security Advisories
#Symfony
Twilio Notifier Webhook Parser Never Verifies the X-Twilio-Signature HMAC: Unauthenticated Webhook Event Injection
May 20, 2026
#Security Advisories
#Symfony
YAML Parser Stack Exhaustion via Unbounded Recursion in Nested Blocks, Sequences, and Mappings
May 20, 2026
#Security Advisories
#Symfony
HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid]
May 20, 2026
#Security Advisories
#Symfony
Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address
May 20, 2026
#Security Advisories
#Symfony
Stored XSS in WebProfiler CodeExtension::fileExcerpt(): Unescaped Non-PHP File Rendering
May 20, 2026
#Security Advisories
#Symfony
SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix
May 20, 2026
#Security Advisories
#Symfony
Cas2Handler Derives CAS Service URL from Client Host Header → Cross-Service Ticket Replay
May 20, 2026
#Security Advisories
#Symfony
UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection
May 20, 2026
#Security Advisories
#Symfony