Symfony

This hub aggregates every CVE we track for Symfony, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Symfony.

• CVE-2026-24739Symfony has incorrect argument escaping under MSYS2/Git Bash on Windows that can lead to destructive file operations6.3Jan 28, 2026
• CVE-2025-68129Auth0-PHP SDK has Improper Audience Validation6.8Dec 17, 2025
• CVE-2025-64500Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass7.3Nov 12, 2025
• CVE-2024-36611In Symfony v7.07, a security vulnerability was identified in the FormLoginAuthenticator component, where it failed to adequately handle cases where the username or password field of a login request...7.5Nov 29, 2024
• CVE-2024-51996Symphony has an Authentication Bypass via RememberMe7.5Nov 13, 2024
• CVE-2024-50340Ability to change environment from query in symfony/runtime7.3Nov 6, 2024
• CVE-2024-50341Security::login does not take into account custom user_checker in symfony/security-bundle3.1Nov 6, 2024
• CVE-2024-50342Internal address and port enumeration allowed by NoPrivateNetworkHttpClient in symfony/http-client3.1Nov 6, 2024
• CVE-2024-50343Incorrect response from Validator when input ends with `\n` in symfony/validator3.1Nov 6, 2024
• CVE-2024-50345Open redirect via browser-sanitized URLs in symfony/http-foundation3.1Nov 6, 2024
• CVE-2023-46735Symfony potential Cross-site Scripting in WebhookController6.1Nov 10, 2023
• CVE-2023-46734Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters6.1Nov 10, 2023
• CVE-2023-46733Symfony possible session fixation vulnerability6.5Nov 10, 2023
• CVE-2022-24894Symfony storing cookie headers in HttpCache5.9Feb 3, 2023
• CVE-2022-24895Symfony vulnerable to Session Fixation of CSRF tokens6.3Feb 3, 2023