Symfony 8.1 curated new features

May 29, 2026 #Symfony ❤️ 13 🚀 1 🎉 5

CVE-2026-48747 Mailomat Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade

Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade

May 27, 2026 #Symfony

CVE-2026-48736 IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms: SSRF Bypass in NoPrivateNetworkHttpClient

IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient

May 27, 2026 #Symfony

CVE-2026-48760 HtmlSanitizer URL Parser Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass

HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense

May 27, 2026 #Symfony

CVE-2026-48761 HtmlSanitizer Misses URL Attributes on object, applet, iframe, img and meta refresh

HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes on object, applet, iframe, img and the URL Inside meta http-equiv="refresh" content

May 27, 2026 #Symfony

CVE-2026-48784 UrlGenerator Encoding Skips Every Other Chained ../ or ./: Generated URL Collapses Off-Route

UrlGenerator Dot-Segment Encoding Skips Every Other Chained ../ or ./: Generated URL Collapses Off-Route Under RFC 3986 Normalization

May 27, 2026 #Symfony ❤️ 1

CVE-2026-48489 Security Firewall Bypass via failure_forward Subrequest

Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET Routes

May 27, 2026 #Symfony

CVE-2026-46644 insecure equivalence in symfony/polyfill-intl-idn for ASCII-only xn-- labels

symfony/polyfill-intl-idn accepts xn-- labels whose Punycode payload decodes to ASCII-only: insecure equivalence

May 26, 2026 #Symfony 👍 1

Claude Mythos Audited Symfony and Found 19 Vulnerabilities

Claude Mythos Preview, Anthropic's unreleased model, audited Symfony and Twig code and reported 19 vulnerabilities. All of them turned out to be real.

May 21, 2026 #Symfony 👀 2 ❤️ 30 👍 11 🚀 13 🎉 3

CVE-2026-45070 Email Header Injection via Non-Token Characters in Mime Parameter Names

Email Header Injection via Non-Token Characters in Mime Parameter Names

May 20, 2026 #Symfony

« Symfony » blog posts

Symfony 8.1 curated new features

CVE-2026-48747 Mailomat Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade

CVE-2026-48736 IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms: SSRF Bypass in NoPrivateNetworkHttpClient

CVE-2026-48760 HtmlSanitizer URL Parser Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass

CVE-2026-48761 HtmlSanitizer Misses URL Attributes on object, applet, iframe, img and meta refresh

CVE-2026-48784 UrlGenerator Encoding Skips Every Other Chained ../ or ./: Generated URL Collapses Off-Route

CVE-2026-48489 Security Firewall Bypass via failure_forward Subrequest

CVE-2026-46644 insecure equivalence in symfony/polyfill-intl-idn for ASCII-only xn-- labels

Claude Mythos Audited Symfony and Found 19 Vulnerabilities

CVE-2026-45070 Email Header Injection via Non-Token Characters in Mime Parameter Names

Become a Symfony contributor