Symfony/http-foundation
This hub aggregates every CVE we track for Symfony/http-foundation, a product in the OSS libraries space. Use it to gauge the current risk picture and drill into individual advisories.
- CVEs tracked: 9
- Critical: 1
- High: 2
- In CISA KEV: 0
Severity distribution
- MEDIUM: 4
- LOW: 2
- HIGH: 2
- CRITICAL: 1
Monthly trend
[Chart: monthly trend, 2024-07 to 2026-06]
Latest CVEs
The 9 most recently published vulnerabilities affecting Symfony/http-foundation.
- CVE-2025-64500: Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass (score: 7.3)
- CVE-2024-50345: Open redirect via browser-sanitized URLs in symfony/http-foundation (score: 3.1)
- CVE-2020-5255: Prevent cache poisoning via a Response Content-Type header (score: 2.6)
- CVE-2013-4752: Symfony 2.0.X before 2.0.24, 2.1.X before 2.1.12, 2.2.X before 2.2.5, and 2.3.X before 2.3.3 have an issue in the HttpFoundation component. The Host header can be manipulated by an attacker when th... (score: 6.1)
- CVE-2019-18888: An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which M... (score: 7.5)
- CVE-2019-10913: In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted in... (score: 9.8)
- CVE-2018-14773: An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arise... (score: 6.5)
- CVE-2018-11386: An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler... (score: 5.9)
- CVE-2012-6431: Symfony 2.0.x before 2.0.20 does not process URL encoded data consistently within the Routing and Security components, which allows remote attackers to bypass intended URI restrictions via a doubly... (score: 6.4)
Product normalization is registry-driven with AI assist and human review.