Symfony/symfony

This hub aggregates every CVE we track for Symfony/symfony, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Symfony/symfony.

• CVE-2026-24739Symfony has incorrect argument escaping under MSYS2/Git Bash on Windows that can lead to destructive file operations6.3Jan 28, 2026
• CVE-2025-64500Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass7.3Nov 12, 2025
• CVE-2024-50340Ability to change environment from query in symfony/runtime7.3Nov 6, 2024
• CVE-2024-50341Security::login does not take into account custom user_checker in symfony/security-bundle3.1Nov 6, 2024
• CVE-2024-50342Internal address and port enumeration allowed by NoPrivateNetworkHttpClient in symfony/http-client3.1Nov 6, 2024
• CVE-2024-50343Incorrect response from Validator when input ends with `\n` in symfony/validator3.1Nov 6, 2024
• CVE-2023-46735Symfony potential Cross-site Scripting in WebhookController6.1Nov 10, 2023
• CVE-2023-46734Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters6.1Nov 10, 2023
• CVE-2023-46733Symfony possible session fixation vulnerability6.5Nov 10, 2023
• CVE-2022-24894Symfony storing cookie headers in HttpCache5.9Feb 3, 2023
• CVE-2022-24895Symfony vulnerable to Session Fixation of CSRF tokens6.3Feb 3, 2023
• CVE-2021-41270CSV Injection in Symfony6.5Nov 24, 2021
• CVE-2021-41267Webcache Poisoning in Symfony6.5Nov 24, 2021
• CVE-2021-41268Cookie persistence in Symfony6.5Nov 24, 2021
• CVE-2021-32693Authentication granted with multiple firewalls6.8Jun 17, 2021