Have you found a security issue in Symfony? Send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.
Manage your notification preferences to receive an email as soon as a Symfony security release is published.
Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`
May 27, 2026
#Security Advisories
Sandbox `__toString()` policy bypass via `Traversable` in `join`/`replace` filters and via the `in`/`not in` operators
May 27, 2026
#Security Advisories
Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade
May 27, 2026
#Security Advisories
HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense
May 27, 2026
#Security Advisories
IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient
May 27, 2026
#Security Advisories
HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes on object, applet, iframe, img and the URL Inside meta http-equiv="refresh" content
May 27, 2026
#Security Advisories
UrlGenerator Dot-Segment Encoding Skips Every Other Chained ../ or ./: Generated URL Collapses Off-Route Under RFC 3986 Normalization
May 27, 2026
#Security Advisories
Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET Routes
May 27, 2026
#Security Advisories
symfony/polyfill-intl-idn accepts xn-- labels whose Punycode payload decodes to ASCII-only: insecure equivalence
May 26, 2026
#Security Advisories
Email Header Injection via Non-Token Characters in Mime Parameter Names
May 20, 2026
#Security Advisories