Have you found a security issue in Symfony? Send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.
Manage your notification preferences to receive an email as soon as a Symfony security release is published.
CVE-2019-18887 fixes an issue where one could guess the signature of a URI using a remote timing attack.
November 13, 2019
#Security Advisories
CVE-2019-18889 fixes an issue where the destructor of TagAwareAdapter executes callables stored in properties, leading to possible remote code execution when an external payload is unserialized.
November 13, 2019
#Security Advisories
CVE-2019-10910 fixes an issue where crafted service IDs could be executed as code.
April 17, 2019
#Security Advisories
CVE-2019-10911 fixes an issue where the different parts of a cookie's content were not clearly differentiated, potentially allowing authentication as a different user in particular situations.
April 17, 2019
#Security Advisories
CVE-2019-10909 fixes an issue where validation messages were not correctly escaped when using the form theme of the PHP templating engine.
April 17, 2019
#Security Advisories
CVE-2019-10912 fixes an issue where files could be deleted or raw output echoed when some classes were unserialized.
April 17, 2019
#Security Advisories
CVE-2019-10913 ensures that HTTP Methods are sanitized for use in unescaped contexts.
April 17, 2019
#Security Advisories
Fixing a vulnerability in Twig's sandbox mode.
March 12, 2019
#Security Advisories
CVE-2018-19789 fixes a possible disclosure of an uploaded temporary file's full path in the form component.
December 6, 2018
#Security Advisories
CVE-2018-19790 fixes an open redirect vulnerability when using Security\Http.
December 6, 2018
#Security Advisories