If you have found a security issue in Symfony, please send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.

Manage your notification preferences to receive an email as soon as a Symfony security release is published.

CVE-2017-16790: Ensure that submitted data are uploaded files

CVE-2017-16790 checks that submitted data are uploaded files.

November 17, 2017 Fabien Potencier

CVE-2017-11365: Empty passwords validation issue

CVE-2017-11365 fixes a regression which allows empty passwords to be always valid for any user.

July 17, 2017 Fabien Potencier

CVE-2016-2403: Unauthorized access on a misconfigured Ldap server when using an empty password

CVE-2016-2403 fixes an unauthorized access on a misconfigured Ldap server when using an empty password

May 9, 2016 Fabien Potencier

CVE-2016-4423: Large username storage in session

CVE-2016-4423 avoids storing large usernames in UsernamePasswordFormAuthenticationListener.

May 9, 2016 Fabien Potencier

CVE-2016-1902: SecureRandom's fallback not secure when OpenSSL fails

CVE-2016-1902 fixes the SecureRandom class when OpenSSL fails.

January 18, 2016 Fabien Potencier

CVE-2015-8125: Potential Remote Timing Attack Vulnerability in Security Remember-Me Service

CVE-2015-8125 fixes a potential remote timing attack vulnerability in Security remember-me service.

November 23, 2015 Fabien Potencier

CVE-2015-8124: Session Fixation in the "Remember Me" Login Feature

CVE-2015-8124 fixes a session fixation in the "Remember Me" login feature.

November 23, 2015 Fabien Potencier

CVE-2015-4050: ESI unauthorized access

CVE-2015-4050 fixes unauthorized access when using ESI.

May 27, 2015 Fabien Potencier

CVE-2015-2308: Esi Code Injection

CVE-2015-2308 is about possible code injections via the ESI framework.

April 1, 2015 Fabien Potencier

CVE-2015-2309: Unsafe methods in the Request class

CVE-2015-2309 fixes some unsafe methods in the Request class.

April 1, 2015 Fabien Potencier