
« Security Advisories » blog posts

Have you found a security issue in Symfony? Send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.


symfony/polyfill-intl-idn accepts xn-- labels whose Punycode payload decodes to ASCII-only: insecure equivalence
May 26, 2026 #Security Advisories
Email Header Injection via Non-Token Characters in Mime Parameter Names
May 20, 2026 #Security Advisories
Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC: Unauthenticated Webhook Event Injection
May 20, 2026 #Security Advisories
JsonPath Evaluates Attacker-Controlled Regular Expressions in match()/search() Without Limits: ReDoS
May 20, 2026 #Security Advisories
Mailjet Mailer and LOX24 Notifier Webhook Parsers Never Verify the Configured Secret: Unauthenticated Webhook Event Injection
May 20, 2026 #Security Advisories
SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV/APP_DEBUG via parse_str/SAPI Argv Mismatch
May 20, 2026 #Security Advisories
Twilio Notifier Webhook Parser Never Verifies the X-Twilio-Signature HMAC: Unauthenticated Webhook Event Injection
May 20, 2026 #Security Advisories
HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing
May 20, 2026 #Security Advisories
Identity Spoofing via Unanchored DN Regex in X509Authenticator
May 20, 2026 #Security Advisories
UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection
May 20, 2026 #Security Advisories