This week, Symfony released 36 security advisories and published security releases 5.4.52, 6.4.40, 7.4.12, 8.0.12, 8.1.0 BETA3 and Twig 3.26.0. We also published an article about how we used Claude Mythos to analyze the Symfony and Twig codebases and uncover many of these security issues. Lastly, we announced that the Symfony UX 2.x branch is now in security-fixes-only maintenance mode and shared more details about the SymfonyOnline June 2026 conference.

Symfony development highlights

This week, 96 pull requests were merged (77 in code and 19 in docs) and 31 issues were closed (17 in code and 14 in docs). Excluding merges, 17 authors made additions and deletions. See details for code and docs.

6.4 changelog:

  • e4aef97: [DomCrawler] fix ChoiceFormField::addChoice() clobbering values on multi-selects
  • 802601c: [Security] add missing claims in OidcTokenHandler
  • 6fccb4c: [HtmlSanitizer] fix allowLinkHosts/allowMediaHosts bypass via URL parser differentials and misclassification
  • 2b1b3cc: [HtmlSanitizer] reject BiDi override characters and percent-encode spaces in URLs
  • d790642: [TwigBridge] fix XSS issue in CodeExtension::fileExcerpt()
  • 7abd0ae: [Mailer] reject Mailjet webhooks with missing or invalid Basic credentials
  • 4aa4e68: [HtmlSanitizer] sanitize URLs in action, formaction, poster and cite attributes
  • a3b60af: [Notifier] reject Twilio webhooks with missing or invalid HMAC signature
  • 77a770d: [Runtime] fix CVE-2024-50340 patch bypass by gating argv on $_SERVER['QUERY_STRING']
  • 968dd09: [HttpKernel, WebProfilerBundle] check logs priority name for both WARNING and warning
  • 53ebd2c: [AssetMapper] rewrite relative paths in export ... from statements
  • c252904: [Translation] don't check the error message to know if Lokalise keys are missing

7.4 changelog:

  • 8a1be31: [Messenger] fix PhpSerializer::getMessageType() when getting payload with Serializable instances
  • 6efcde1: [Notifier] reject Lox24 webhooks with missing or invalid token
  • 90bb9d2: [FrameworkBundle] sign transports for unrouted messages too
  • 7fbd471: [HttpClient] various fixes and hardenings
  • cfb3c14: [DependencyInjection] fix service() as invokable factory in array-based PHP config

8.1 changelog:

  • 2353306: [Semaphore] various fixes and hardenings
  • 4d9a0bc: [Console] various fixes and hardenings
  • ff0a5d0: [Notifier] various fixes and hardenings
  • 640ba19: [DoctrineBridge] various fixes and hardenings
  • c173487: [JsonStreamer] various fixes and hardenings
  • 46416e5: [Finder] various fixes and hardenings
  • 3fafaa1: [Filesystem] various fixes and hardenings
  • 823c99e: [TwigBridge] require Twig to 3.25 for EscaperRuntime service definition
  • 912d4fa: [Messenger] various fixes and hardenings
  • d8ba82b: [Validator] various fixes and hardenings
  • c4277c7: [Mailer] various fixes and hardenings
  • 3254cbb: [Form] various fixes and hardenings
  • 3302556: [CssSelector] various fixes and hardenings
  • c34cfc9: [ObjectMapper] various fixes and hardenings
  • 31d57d5: [AssetMapper] various fixes and hardenings
  • d794fd3: [Cache] various fixes and hardenings
  • 1a1b1c6: [DependencyInjection] various fixes and hardenings
  • 884a4f9: [DomCrawler] various fixes and hardenings
  • 3ad6801: [EventDispatcher] various fixes and hardenings
  • e22a2e2: [ExpressionLanguage] various fixes and hardenings
  • c36edb8: [ErrorHandler] various fixes and hardenings
  • 2fd1cc2: [Uid] various fixes and hardenings
  • 72207cf: [FrameworkBundle] various fixes and hardenings
  • 09b10cb: [HttpFoundation] various fixes and hardenings
  • bc7233e: [HttpClient] various fixes and hardenings
  • 702fcca: [Mailer] preserve the sent message object as is when sending it
  • 492103e: [SecurityBundle] various fixes and hardenings
  • 2a1c842: [Routing] fix missing HostTrait in ContentLoaderTrait
  • fdaf891: [Yaml] various fixes and hardenings
  • 711f8d7: [VarExporter] various fixes and hardenings
  • 3ef8024: [Workflow] various fixes and hardenings
  • 5d45a60: [Runtime] various fixes and hardenings
  • 9d33cd2: [HttpKernel] various fixes and hardenings
  • b813b39: [PasswordHasher] support stdin input and refine warning in security:hash-password
  • ca2360a: [WebLink] add missing Link::AS_* constants for rel=preload / rel=modulepreload
  • 4017fe2: [Lock] various fixes and hardenings
  • 2ae4009: [WebProfilerBundle] various fixes and hardenings
  • 5cf59f7: [Translation] various fixes and hardenings
  • 1680f46: [Security] various fixes and hardenings
  • f5a3175: [MonologBridge] harden MailerHandler subject truncation
  • ce01d3f: [PropertyAccess] document PropertyPath::append() dispatch order and harden tests
  • e84ce6e: [PropertyInfo] add tests for property-hook type extraction
  • f585324: [Webhook] clarify doParse() contract
  • f36a005: [Scheduler] document and test the debug:scheduler --sort option
  • 4d80b14: [RateLimiter] harden calendar-aligned fixed window mode
  • a6a11cf: [TypeInfo] harden ObjectShapeType
  • 38b64ef: [Tui] various fixes and hardenings
  • 0de65bf: [Serializer] improve normalizer error reporting and deprecations
  • 48bf663: [TwigBridge] fix daisyUI form layout and AppVariable locale filtering
  • d2bc3e1: [TwigBundle] various fixes and hardenings
  • 7b1134c: [Tui] fix invisible border with null color in BorderPattern's inverse strategies
  • d004e68: [Tui] fix unattached widget element styles
  • e28b371: [FrameworkBundle, Validator] add framework.validation.property_metadata_existence_check config

Symfony Jobs

These are some of the most recent Symfony job offers:

  • DevOps for a Symfony project at Cloudpepper
    Full-time - $150,000 – $180,000 / year
    Full remote
  • Symfony Developer at Design Force Marketing
    Full-time - $60,000 – $100,000 / year
    Grand Haven Michigan, United States
  • Backend Symfony Developer at ShipMonk
    Contract / Freelance - $5,000 – $8,000 / month
    Full remote
  • Backend Symfony Developer at Vacatia
    Full-time - $150,000 – $180,000 / year
    Remote + part-time onsite (Portland, Oregon, United States)
  • Backend Symfony Developer at POLAVIS
    Full-time - €30 – €45 / hour
    Full remote

You can publish a Symfony job offer for free on symfony.com.

SymfonyCasts Updates

SymfonyCasts is the official way to learn Symfony. Select a track for a guided path through 100+ video tutorial courses about Symfony, PHP and JavaScript.
