Twilio Notifier Webhook Parser Never Verifies the X-Twilio-Signature HMAC: Unauthenticated Webhook Event Injection
May 20, 2026
#Symfony
Mailjet Mailer and LOX24 Notifier Webhook Parsers Never Verify the Configured Secret: Unauthenticated Webhook Event Injection
May 20, 2026
#Symfony
Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC: Unauthenticated Webhook Event Injection
May 20, 2026
#Symfony
JsonPath Evaluates Attacker-Controlled Regular Expressions in match()/search() Without Limits: ReDoS
May 20, 2026
#Symfony
SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV/APP_DEBUG via parse_str/SAPI Argv Mismatch
May 20, 2026
#Symfony
Identity Spoofing via Unanchored DN Regex in X509Authenticator
May 20, 2026
#Symfony
HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing
May 20, 2026
#Symfony
UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection
May 20, 2026
#Symfony
HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and Misclassification
May 20, 2026
#Symfony
Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address
May 20, 2026
#Symfony