Have you found a security issue in Symfony? Send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.
Manage your notification preferences to receive an email as soon as a Symfony security release is published.
YAML Parser Stack Exhaustion via Unbounded Recursion in Nested Blocks, Sequences, and Mappings
May 20, 2026
#Security Advisories
HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite: javascript: URI Survives Sanitization (XSS)
May 20, 2026
#Security Advisories
YAML Parser ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex
May 20, 2026
#Security Advisories
YAML Parser Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs")
May 20, 2026
#Security Advisories
CVE-2026-47732 Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points
May 20, 2026
#Security Advisories
Sandbox does not protect against resource exhaustion
May 20, 2026
#Security Advisories
`template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name
May 20, 2026
#Security Advisories
PHP code injection via `{% use %}` template name
May 20, 2026
#Security Advisories
Unbounded formatter memoisation in twig/intl-extra keyed on template-controlled arguments
May 20, 2026
#Security Advisories
The `spaceless` filter implicitly marks its output as safe
May 20, 2026
#Security Advisories