Symfony 5.4.52 has just been released.

Read the Symfony upgrade guide to learn more about upgrading Symfony and use the SymfonyInsight upgrade reports to detect the code you will need to change in your project.

Tip

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.

Changelog Since Symfony 5.4.51

  • data #64302 Release v5.4.52
  • security #cve-2026-46626 [Runtime] Fix CVE-2024-50340 patch bypass by gating argv on $_SERVER['QUERY_STRING'] (@nicolas-grekas)
  • security #cve-2026-45305 [Yaml] Harden the Parser::cleanup() regexes against catastrophic backtracking (@nicolas-grekas)
  • security #cve-2026-45304 [Yaml] Bound collection-alias resolution in the parser (@nicolas-grekas)
  • security #cve-2026-45133 [Yaml] Bound recursion depth in the parser (@nicolas-grekas)
  • security #cve-2026-45071 [DomCrawler] Fix XXE in addXmlContent() by not enabling validateOnParse (@alexandre-daubois)
  • security #cve-2026-45068 [Mailer] Add end-of-options separator before recipients in SendmailTransport; reject addresses starting with a dash (@alexandre-daubois)
  • security #cve-2026-45063 [Security] Anchor emailAddress regex to RDN boundary in X509Authenticator (@alexandre-daubois)
  • security #cve-2026-45065 [Routing] Fix regex alternation anchoring in UrlGenerator requirement validation (@alexandre-daubois)
  • security #cve-2026-45067 [Mime] Reject email addresses containing line breaks in Address (@alexandre-daubois)
  • security #cve-2026-45073 [Cache] Validate the prefix given to AbstractAdapter::clear() (@nicolas-grekas)
  • security #cve-2026-45077 [MonologBridge] Bind server:log to localhost by default (@nicolas-grekas)