Symfony 8.1.0-BETA3 has just been released.

This is a pre-release version of Symfony 8.1. If you want to test it in your own applications before its final release, run the following commands:

1
2
3
$ composer config minimum-stability beta
$ composer config extra.symfony.require "8.1.*"
$ composer update

These commands assume that all your Symfony dependencies in composer.json use * as their version constraint. Otherwise, you will need to update the version constraints of those Symfony dependencies to 8.1.*.

Read the Symfony upgrade guide to learn more about upgrading Symfony and use the SymfonyInsight upgrade reports to detect the code you will need to change in your project.

Tip

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.

Changelog Since Symfony 8.1.0-BETA2

  • data #64307 Release v8.1.0-BETA3
  • data #64303 Release v6.4.40
  • security #cve-2026-46626 [Runtime] Fix CVE-2024-50340 patch bypass by gating argv on $_SERVER['QUERY_STRING'] (@nicolas-grekas)
  • security #cve-2026-45754 [Notifier][Lox24] Reject webhooks with missing or invalid token (@nicolas-grekas)
  • security #cve-2026-47212 [Notifier][Twilio] Reject webhooks with missing or invalid HMAC signature (@nicolas-grekas)
  • security #cve-2026-45753 [HtmlSanitizer] Sanitize URLs in action, formaction, poster and cite attributes (@nicolas-grekas)
  • security #cve-2026-45754 [Mailer][Mailjet] Reject webhooks with missing or invalid Basic credentials (@alexandre-daubois)
  • security #cve-2026-45072 [TwigBridge] Fix XSS issue in CodeExtension::fileExcerpt() (@nicolas-grekas)
  • security #cve-2026-45064 [HtmlSanitizer] Reject BiDi override characters and percent-encode spaces in URLs (@nicolas-grekas)
  • security #cve-2026-45066 [HtmlSanitizer] Fix allowLinkHosts/allowMediaHosts bypass via URL parser differentials and <area> misclassification (@alexandre-daubois)
  • security #cve-2026-45069 [Security] Add missing claims in OidcTokenHandler (@alexandre-daubois)
  • bug #64301 [TwigBundle] Various fixes and hardenings (@nicolas-grekas)
  • bug #64300 [TwigBridge] Fix daisyUI form layout and AppVariable locale filtering (@nicolas-grekas)
  • bug #64296 [Serializer] Improve normalizer error reporting and deprecations (@nicolas-grekas)
  • bug #64297 [Tui] Various fixes and hardenings (@nicolas-grekas)
  • bug #64299 [TypeInfo] Harden ObjectShapeType (@nicolas-grekas)
  • bug #64294 [RateLimiter] Harden calendar-aligned fixed window mode (@nicolas-grekas)
  • bug #64291 [MonologBridge] Harden MailerHandler subject truncation (@nicolas-grekas)
  • bug #64290 [Security] Various fixes and hardenings (@nicolas-grekas)
  • bug #64287 [Translation] Various fixes and hardenings (@nicolas-grekas)
  • bug #64286 [WebProfilerBundle] Various fixes and hardenings (@nicolas-grekas)
  • bug #64283 [Lock] Various fixes and hardenings (@nicolas-grekas)
  • bug #64285 [WebLink] Add missing Link::AS_* constants for rel=preload / rel=modulepreload (@nicolas-grekas)
  • feature #64284 [PasswordHasher] Support stdin input and refine warning in security:hash-password (@nicolas-grekas)
  • bug #64273 [HttpKernel] Various fixes and hardenings (@nicolas-grekas)
  • bug #64276 [Runtime] Various fixes and hardenings (@nicolas-grekas)
  • bug #64280 [Workflow] Various fixes and hardenings (@nicolas-grekas)
  • bug #64275 [Routing] Fix missing HostTrait in ContentLoaderTrait (@nicolas-grekas)
  • bug #64274 [SecurityBundle] Various fixes and hardenings (@nicolas-grekas)
  • bug #64272 [Mailer] Preserve the sent message object as is when sending it (@nicolas-grekas)
  • bug #64243 [HttpClient] Various fixes and hardenings (@nicolas-grekas)
  • bug #64269 [HttpFoundation] Various fixes and hardenings (@nicolas-grekas)
  • bug #64268 [FrameworkBundle] Various fixes and hardenings (@nicolas-grekas)
  • bug #64263 [ExpressionLanguage] Various fixes and hardenings (@nicolas-grekas)
  • bug #64262 [EventDispatcher] Various fixes and hardenings (@nicolas-grekas)
  • bug #64256 [DomCrawler] Various fixes and hardenings (@nicolas-grekas)
  • bug #64254 [DependencyInjection] Various fixes and hardenings (@nicolas-grekas)
  • bug #64252 [AssetMapper] Various fixes and hardenings (@nicolas-grekas)
  • bug #64251 [ObjectMapper] Various fixes and hardenings (@nicolas-grekas)
  • bug #64250 [CssSelector] Various fixes and hardenings (@nicolas-grekas)
  • bug #64249 [Form] Various fixes and hardenings (@nicolas-grekas)
  • bug #64248 [Mailer] Various fixes and hardenings (@nicolas-grekas)
  • bug #64239 [Validator] Various fixes and hardenings (@nicolas-grekas)
  • bug #64237 [Messenger] Various fixes and hardenings (@nicolas-grekas)
  • bug #64242 [TwigBridge] Require Twig to 3.25 for EscaperRuntime service definition (@GromNaN)
  • bug #64258 [DomCrawler] Fix ChoiceFormField::addChoice() clobbering values on multi-selects (@nicolas-grekas)
  • bug #64261 [Messenger] Fix PhpSerializer::getMessageType() when getting payload with Serializable instances (@nicolas-grekas)
  • bug #64207 [MonologBridge] Fix interactive_only not preventing propagation (@philbates35)
  • bug #64241 [JsonStreamer] Various fixes and hardenings (@nicolas-grekas)
  • bug #64255 [DoctrineBridge] Various fixes and hardenings (@nicolas-grekas)
  • bug #64246 [Console] Various fixes and hardenings (@nicolas-grekas)
  • bug #64244 [Semaphore] Various fixes and hardenings (@nicolas-grekas)
  • bug #64214 [HttpKernel] Preserve named-attribute override on Request/Session value resolvers (@nicolas-grekas)
  • bug #64215 [Runtime] Fix TypeError when resolving untyped arguments (@nicolas-grekas)
  • security #cve-2026-45305 [Yaml] Harden the Parser::cleanup() regexes against catastrophic backtracking (@nicolas-grekas)
  • security #cve-2026-45304 [Yaml] Bound collection-alias resolution in the parser (@nicolas-grekas)
  • security #cve-2026-45133 [Yaml] Bound recursion depth in the parser (@nicolas-grekas)
  • security #cve-2026-45071 [DomCrawler] Fix XXE in addXmlContent() by not enabling validateOnParse (@alexandre-daubois)
  • security #cve-2026-45068 [Mailer] Add end-of-options separator before recipients in SendmailTransport; reject addresses starting with a dash (@alexandre-daubois)
  • security #cve-2026-45063 [Security] Anchor emailAddress regex to RDN boundary in X509Authenticator (@alexandre-daubois)
  • security #cve-2026-45065 [Routing] Fix regex alternation anchoring in UrlGenerator requirement validation (@alexandre-daubois)
  • security #cve-2026-45067 [Mime] Reject email addresses containing line breaks in Address (@alexandre-daubois)
  • security #cve-2026-45073 [Cache] Validate the prefix given to AbstractAdapter::clear() (@nicolas-grekas)
  • security #cve-2026-45077 [MonologBridge] Bind server:log to localhost by default (@nicolas-grekas)
  • security #cve-2026-45755 [Mailer][Mailtrap] Reject webhooks with missing or invalid HMAC signature (@alexandre-daubois)
  • security #cve-2026-45756 [JsonPath] Cap regex backtracking in match()/search() to prevent ReDoS (@alexandre-daubois)
  • security #cve-2026-45074 [Security] Require configuring trusted hosts when using CAS authentication (@nicolas-grekas)
  • security #cve-2026-45075 [Security][HttpKernel] Fix HEAD requests bypassing methods filter in IsGranted, IsCsrfTokenValid and IsSignatureValid attributes (@nicolas-grekas)
  • bug #64213 [Security] Fix impersonation being deauthenticated on every request (@nicolas-grekas)
  • data #64202 Release v8.0.11
  • data #64201 Release v7.4.11
  • data #64200 Release v6.4.39
Published in #Releases