Symfony 6.4.40 has just been released.
Read the Symfony upgrade guide to learn more about upgrading Symfony and use the SymfonyInsight upgrade reports to detect the code you will need to change in your project.
Tip
Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.
Changelog Since Symfony 6.4.39
- data #64303 Release v6.4.40
- security #cve-2026-46626 [Runtime] Fix CVE-2024-50340 patch bypass by gating argv on $_SERVER['QUERY_STRING'] (@nicolas-grekas)
- security #cve-2026-47212 [Notifier][Twilio] Reject webhooks with missing or invalid HMAC signature (@nicolas-grekas)
- security #cve-2026-45753 [HtmlSanitizer] Sanitize URLs in action, formaction, poster and cite attributes (@nicolas-grekas)
- security #cve-2026-45754 [Mailer][Mailjet] Reject webhooks with missing or invalid Basic credentials (@alexandre-daubois)
- security #cve-2026-45072 [TwigBridge] Fix XSS issue in CodeExtension::fileExcerpt() (@nicolas-grekas)
- security #cve-2026-45064 [HtmlSanitizer] Reject BiDi override characters and percent-encode spaces in URLs (@nicolas-grekas)
- security #cve-2026-45066 [HtmlSanitizer] Fix allowLinkHosts/allowMediaHosts bypass via URL parser differentials and <area> misclassification (@alexandre-daubois)
- security #cve-2026-45069 [Security] Add missing claims in OidcTokenHandler (@alexandre-daubois)
- bug #64258 [DomCrawler] Fix ChoiceFormField::addChoice() clobbering values on multi-selects (@nicolas-grekas)
- bug #64214 [HttpKernel] Preserve named-attribute override on Request/Session value resolvers (@nicolas-grekas)
- security #cve-2026-45305 [Yaml] Harden the Parser::cleanup() regexes against catastrophic backtracking (@nicolas-grekas)
- security #cve-2026-45304 [Yaml] Bound collection-alias resolution in the parser (@nicolas-grekas)
- security #cve-2026-45133 [Yaml] Bound recursion depth in the parser (@nicolas-grekas)
- security #cve-2026-45071 [DomCrawler] Fix XXE in addXmlContent() by not enabling validateOnParse (@alexandre-daubois)
- security #cve-2026-45068 [Mailer] Add end-of-options separator before recipients in SendmailTransport; reject addresses starting with a dash (@alexandre-daubois)
- security #cve-2026-45063 [Security] Anchor emailAddress regex to RDN boundary in X509Authenticator (@alexandre-daubois)
- security #cve-2026-45065 [Routing] Fix regex alternation anchoring in UrlGenerator requirement validation (@alexandre-daubois)
- security #cve-2026-45067 [Mime] Reject email addresses containing line breaks in Address (@alexandre-daubois)
- security #cve-2026-45073 [Cache] Validate the prefix given to AbstractAdapter::clear() (@nicolas-grekas)
- security #cve-2026-45077 [MonologBridge] Bind server:log to localhost by default (@nicolas-grekas)
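Two of the entries above (the X509Authenticator emailAddress regex and the UrlGenerator requirement validation) are about regex anchoring. The following is an added example, not Symfony code, showing the general class of bug with a hypothetical route requirement `en|fr`: wrapping a raw alternation in `^...$` binds each anchor to only one branch, and `$` additionally tolerates a trailing newline. The function names and the requirement string are illustrative assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's Routing or Security code. The requirement
// 'en|fr' and the function names are illustrative assumptions.

function matchesRequirementNaive(string $requirement, string $value): bool
{
    // Anchors wrap the raw requirement, so 'en|fr' becomes ^en|fr$, which
    // PCRE reads as (^en)|(fr$): a prefix of "en" or a suffix of "fr" passes.
    return preg_match('#^' . $requirement . '$#', $value) === 1;
}

function matchesRequirementAnchored(string $requirement, string $value): bool
{
    // A non-capturing group binds both anchors to the whole alternation.
    // \A and \z are used instead of ^ and $ because $ (without the D
    // modifier) also matches just before a final "\n".
    return preg_match('#\A(?:' . $requirement . ')\z#', $value) === 1;
}

// Constructed inputs: two valid values, two prefix/suffix abuses and one
// value with a trailing newline.
$cases = ['en', 'fr', 'english', 'enfr', "fr\n"];
foreach ($cases as $value) {
    printf(
        "%-8s naive=%-5s anchored=%s\n",
        json_encode($value),
        var_export(matchesRequirementNaive('en|fr', $value), true),
        var_export(matchesRequirementAnchored('en|fr', $value), true)
    );
}
```

Run with `php` 8.1 or later. The naive check accepts all five inputs, including `english`, `enfr` and `"fr\n"`; the grouped, `\A...\z`-anchored check accepts only `en` and `fr`. When you review a regex that is built from a user-supplied or configuration-supplied fragment, look for exactly this: anchors applied to a string that may contain a top-level `|`.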
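The SendmailTransport and Mime Address entries describe two checks on recipient addresses: no CR/LF, and no leading dash, plus an end-of-options separator before recipients on the sendmail command line. The following is an added example, not Symfony's Mailer or Mime code, showing those checks applied to plain string addresses and a command line assembled so that an address can never be parsed as an option. The sendmail path and function names are illustrative assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's Mailer or Mime code. The sendmail path and
// the function names are illustrative assumptions.

function validateRecipient(string $address): string
{
    // A CR or LF inside an address lets the caller inject extra header
    // lines (or end the header block early) once the address is written
    // into a To:/Cc: header.
    if (preg_match('/[\r\n]/', $address) === 1) {
        throw new InvalidArgumentException('Address contains a line break.');
    }
    // A leading dash is a legal local-part character, but an argv parser
    // would read the whole address as an option.
    if (str_starts_with($address, '-')) {
        throw new InvalidArgumentException('Address starts with a dash.');
    }

    return $address;
}

/**
 * Build the argv for a sendmail-style binary. Recipients are validated and
 * placed after '--', so option parsing stops before it reaches them.
 *
 * @param list<string> $recipients
 * @return list<string>
 */
function buildSendmailArgv(array $recipients, string $sendmail = '/usr/sbin/sendmail'): array
{
    $argv = [$sendmail, '--'];
    foreach ($recipients as $recipient) {
        $argv[] = validateRecipient($recipient);
    }

    return $argv;
}

function argvToShell(array $argv): string
{
    // Each element is quoted separately; '--' still protects recipients
    // that are valid but start with something the binary treats specially.
    return implode(' ', array_map('escapeshellarg', $argv));
}

// Constructed inputs: two ordinary recipients, then two that must be rejected.
echo argvToShell(buildSendmailArgv(['alice@example.com', 'bob@example.org'])), PHP_EOL;

foreach (["eve@example.com\r\nBcc: everyone@example.com", '-anything@example.com'] as $bad) {
    try {
        validateRecipient($bad);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Run with `php` 8.1 or later. The first line printed is the quoted command with `--` ahead of both recipients; the two constructed bad addresses are rejected by the line-break and leading-dash checks respectively. Note that `escapeshellarg` alone does not solve the dash case: a correctly quoted `'-anything@example.com'` is still delivered to the binary as an argument beginning with `-`, which is why both the validation and the separator are needed.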