Symfony 8.1.0-RC1 has just been released.

This is a pre-release version of Symfony 8.1. If you want to test it in your own applications before its final release, run the following commands:

1
2
3
$ composer config minimum-stability rc
$ composer config extra.symfony.require "8.1.*"
$ composer update

These commands assume that all your Symfony dependencies in composer.json use * as their version constraint. Otherwise, you will need to update the version constraints of those Symfony dependencies to 8.1.*.

Read the Symfony upgrade guide to learn more about upgrading Symfony and use the SymfonyInsight upgrade reports to detect the code you will need to change in your project.

Tip

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.

Changelog Since Symfony 8.1.0-BETA3

  • data #64377 Release v8.1.0-RC1
  • security #cve-2026-48747 [Mailer] Pin Mailomat webhook signature algorithm to SHA-256 (@nicolas-grekas)
  • security #cve-2026-48761 [HtmlSanitizer] Sanitize URL attributes on <object>, <applet>, <iframe>, <img>, and the URL inside <meta http-equiv="refresh"> content (@nicolas-grekas)
  • security #cve-2026-48760 [HtmlSanitizer] Reject percent-encoded BiDi marks and Unicode whitespace in URLs (@nicolas-grekas)
  • security #cve-2026-48736 [HttpFoundation] Block IPv6 transition forms in IpUtils::PRIVATE_SUBNETS (@nicolas-grekas)
  • security #cve-2026-48736 [HttpClient] Block IPv6 transition forms in NoPrivateNetworkHttpClient (@nicolas-grekas)
  • security #cve-2026-48489 [Security] Don't honor user-supplied _failure_path on failure_forward (@nicolas-grekas)
  • security #cve-2026-48784 [Routing] Fix dot-segment encoding for chained "../" and "./" in generated URLs (@nicolas-grekas)
  • bug #64356 [Tui] Throw when ext-zip is not installed and one tries to load a zipped figlet (@nicolas-grekas)
  • bug #64355 [Console] Format message in ConsoleSectionOutput::overwrite() (@nicolas-grekas)
  • bug #64349 [HttpClient] ntlm regression on authPersistNonNTLM=false connections with reset() (@Dooij)
  • bug #64348 [FrameworkBundle] Allow to pass doctrine_open_transaction_logger’s entity manager name positionally (@MatTheCat)
  • feature #64334 [Form] Add handle_missing_data option to opt into MissingDataHandler for absent forms (@hlecorche)
  • bug #64345 [Mime][String] Reject objects in typed-string properties during __unserialize (@nicolas-grekas)
  • bug #64344 [Mailer][Notifier] Harden Mailchimp signature comparison and Smsbox IP allowlist (@nicolas-grekas)
  • bug #64330 [Cache] Fix strlen(null) deprecation on RelayCluster path in RedisTrait::doClear() (@signor-pedro)
  • bug #64335 [Scheduler] Recover pending RecurringMessages after consumer stops midway (@ousamabenyounes)
  • bug #64338 [SecurityBundle] Fix Security::login() across firewalls (@ousamabenyounes)
  • bug #64347 [Process] Stop leaking CGI/FastCGI request-context vars to subprocesses (@nicolas-grekas)
  • bug #64343 [Mime][RateLimiter][Routing][Security] Harden __unserialize against __toString trampolines (@nicolas-grekas)
  • bug #64342 [HtmlSanitizer] Honor universal attribute sanitizers, apply maxInputLength to text contexts, document forceAttribute and allowAttribute caveats (@nicolas-grekas)
  • bug #64341 [FrameworkBundle][Mailer] Harden default IP allowlist for Postmark and Brevo webhook parsers (@nicolas-grekas)
  • bug #64337 [Security] Initialize lazy users before serializing them (@MatTheCat)
  • bug #64346 [Runtime] Trust argv on CLI-like SAPIs to fix subprocess args (@nicolas-grekas)
  • bug #64336 [Cache] Accept '_' and ':' in prefix passed to AbstractAdapter::clear() (@nicolas-grekas)
  • bug #64316 [Yaml] Allow trailing newlines after the end-of-document marker (@nicolas-grekas)
  • bug #64289 [Translation] Don’t check the error message to know if Lokalise keys are missing (@MatTheCat)
  • bug #64208 [AssetMapper] Rewrite relative paths in export ... from statements (@ousamabenyounes)
  • bug #64311 [DependencyInjection] Fix service() as invokable factory in array-based PHP config (@nicolas-grekas)
  • feature #64312 [FrameworkBundle][Validator] Add framework.validation.property_metadata_existence_check config (@nicolas-grekas)
  • bug #64310 [HttpKernel][WebProfilerBundle] Check logs priority name for both WARNING and warning (@MatTheCat)
  • bug #64260 [HttpClient] Various fixes and hardenings (@Lctrs)
  • bug #64260 [HttpClient] Various fixes and hardenings (@Lctrs)
  • bug #64234 [Tui] Fix unattached widget element styles (@masskrdjn)
  • bug #64309 [FrameworkBundle] Sign transports for unrouted messages too (@nicolas-grekas)
  • bug #64223 [Tui] Fix invisible border with null color in BorderPattern's inverse strategies (@sblondeau)
  • data #64306 Release v8.0.12
  • data #64305 Release v7.4.12
  • data #64302 Release v5.4.52
Published in #Releases