GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
27 advisories
Symfony: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../` or `./` → Generated URL Collapses Off-Route Under RFC 3986 Normalization
Moderate | CVE-2026-48784 was published for symfony/routing (Composer) | Jun 15, 2026
Symfony: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense
Moderate | CVE-2026-48760 was published for symfony/html-sanitizer (Composer) | Jun 15, 2026
Symfony: Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade
Moderate | CVE-2026-48747 was published for symfony/mailomat-mailer (Composer) | Jun 15, 2026
Symfony: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient
Moderate | CVE-2026-48736 was published for symfony/http-client (Composer) | Jun 15, 2026
Symfony: Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET Routes
High | CVE-2026-48489 was published for symfony/security-http (Composer) | Jun 15, 2026
Symfony: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes
Moderate | CVE-2026-48761 was published for symfony/html-sanitizer (Composer) | Jun 15, 2026
SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV/APP_DEBUG via parse_str/SAPI Argv Mismatch
Moderate | CVE-2026-47767 was published for symfony/runtime (Composer) | Jun 9, 2026
Twig: XSS in profiler HtmlDumper via unescaped template and profile names
Low | CVE-2026-47730 was published for twig/twig (Composer) | Jun 5, 2026
Symfony: Twilio SMS Notifier allows unauthenticated webhook injection due to missing X-Twilio-Signature verification
Moderate | CVE-2026-47212 was published for symfony/symfony (Composer) | May 29, 2026
symfony/polyfill-intl-idn: xn-- labels with ASCII-only Punycode payloads are treated as equivalent to their decoded form
Low | CVE-2026-46644 was published for symfony/polyfill (Composer) | May 28, 2026
Symfony's Mailjet Mailer Webhook Parser Never Verifies the Configured Secret — Unauthenticated Webhook Event Injection
Moderate | CVE-2026-45754 was published for symfony/lox24-notifier (Composer) | May 28, 2026
Symfony's HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — `javascript`: URI Survives Sanitization (XSS)
Low | CVE-2026-45753 was published for symfony/html-sanitizer (Composer) | May 28, 2026
Symfony hardened the parser when handling untrusted input
Low | CVE-2026-45133 was published for symfony/symfony (Composer) | May 27, 2026
Symfony has Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener
High | CVE-2026-45077 was published for symfony/monolog-bridge (Composer) | May 27, 2026
Symfony's Cas2Handler Derives CAS service URL from Client Host Header → Cross-Service Ticket Replay
Moderate | CVE-2026-45074 was published for symfony/security-http (Composer) | May 27, 2026
Symfony Vulnerable to SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix
Moderate | CVE-2026-45073 was published for symfony/cache (Composer) | May 27, 2026
Symfony's HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing
Moderate | CVE-2026-45064 was published for symfony/html-sanitizer (Composer) | May 27, 2026
Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on Windows
Moderate | CVE-2026-24739 was published for symfony/process (Composer) | Jan 28, 2026
Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass
High | CVE-2025-64500 was published for symfony/http-foundation (Composer) | Nov 12, 2025
Twig has unguarded calls to `__isset()` and to array-accesses when the sandbox is enabled
Low | CVE-2024-51755 was published for twig/twig (Composer) | Nov 6, 2024
Symfony vulnerable to command execution hijack on Windows with Process class
High | CVE-2024-51736 was published for symfony/process (Composer) | Nov 6, 2024
Symfony vulnerable to open redirect via browser-sanitized URLs
Low | CVE-2024-50345 was published for symfony/http-foundation (Composer) | Nov 6, 2024
Symfony allows internal address and port enumeration by NoPrivateNetworkHttpClient
Low | CVE-2024-50342 was published for symfony/http-client (Composer) | Nov 6, 2024
Symfony potential Cross-site Scripting in WebhookController
Moderate | CVE-2023-46735 was published for symfony/symfony (Composer) | Nov 12, 2023
Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters
Moderate | CVE-2023-46734 was published for symfony/symfony (Composer) | Nov 12, 2023
ProTip! Advisories are also available from the GraphQL API.