Have you found a security issue in Symfony? Send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.
HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and Misclassification
May 20, 2026
#Security Advisories
Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address
May 20, 2026
#Security Advisories
Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address
May 20, 2026
#Security Advisories
OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims
May 20, 2026
#Security Advisories
CVE-2026-45071 XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true
May 20, 2026
#Security Advisories
Stored XSS in WebProfiler CodeExtension::fileExcerpt(): Unescaped Non-PHP File Rendering
May 20, 2026
#Security Advisories
SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix
May 20, 2026
#Security Advisories
Cas2Handler Derives CAS service URL from Client Host Header → Cross-Service Ticket Replay
May 20, 2026
#Security Advisories
HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid]
May 20, 2026
#Security Advisories
Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener
May 20, 2026
#Security Advisories