If you have found a security issue in Symfony, please send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.
Manage your notification preferences to receive an email as soon as a Symfony security release is published.

CVE-2019-10913: Reject invalid HTTP method overrides

CVE-2019-10913 ensures that HTTP Methods are sanitized for use in unescaped contexts.

CVE-2019-10910: Check service IDs are valid

CVE-2019-10910 fixes an issue where crafted service IDs could be executed as code

CVE-2019-10912: Prevent destructors with side-effects from being unserialized

CVE-2019-10912 fixes an issue where files could be deleted or raw output echoed when some classes were unserialized.

CVE-2019-10911: Add a separator in the remember me cookie hash

CVE-2019-10911 fixes an issue where there was not a clear differentiation between different parts of the content of a cookie allowing for potential to authenticate as a different user in particular situations

Twig: Sandbox Information Disclosure

Fixing a vulnerability in Twig's sandbox mode.

CVE-2018-19789: Disclosure of uploaded files full path

CVE-2018-19789 fixes a possible disclosure of an uploaded temporary file's full path in the form component

CVE-2018-19790: Open Redirect Vulnerability when using Security\Http

CVE-2018-19790 fixes an open redirect vulnerability when using Security\Http

CVE-2018-14774: Possible host header injection when using HttpCache

CVE-2018-14774 fixes a possible host header injection when using HttpCache

CVE-2018-14773: Remove support for legacy and risky HTTP headers

CVE-2018-14773 fixes a possible URL injection in HttpFoundation

CVE-2018-11407: Unauthorized access on a misconfigured LDAP server when using an empty password

CVE-2018-11407 fixes an unauthorized access on a misconfigured LDAP server when using an empty password.