Have you found a security issue in Symfony? Send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.
Manage your notification preferences to receive an email as soon as a Symfony security release is published.
XSS in profiler HtmlDumper via unescaped template and profile names
May 20, 2026
#Security Advisories
HTML-output filters in twig/* extras incorrectly declared `is_safe => ['all']`
May 20, 2026
#Security Advisories
`{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411)
May 20, 2026
#Security Advisories
Sandbox property and method bypass via object-destructuring assignment
May 20, 2026
#Security Advisories
Arbitrary PHP code execution via `_self.(
May 20, 2026
#Security Advisories
Sandbox property allowlist bypass via the `column` filter (array_column on objects)
May 20, 2026
#Security Advisories
Possible sandbox bypass when using a source policy
May 20, 2026
#Security Advisories
CVE-2026-24739: Incorrect argument escaping under MSYS2/Git Bash on Windows can lead to destructive file operations
January 28, 2026
#Security Advisories
CVE-2025-64500: Incorrect parsing of PATH_INFO can lead to limited authorization bypass
November 12, 2025
#Security Advisories