symfony

Top products

The 15 most recently published vulnerabilities affecting symfony.

• CVE-2026-24425Twig 2.16.x & 3.9.0-3.25.x Sandbox Bypass via SourcePolicyInterface8.8May 20, 2026
• CVE-2026-24739Symfony has incorrect argument escaping under MSYS2/Git Bash on Windows that can lead to destructive file operations6.3Jan 28, 2026
• CVE-2025-64500Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass7.3Nov 12, 2025
• CVE-2025-47946symfony/ux-live-component and symfony/ux-twig-component vulnerable to unsanitized HTML attribute injection via ComponentAttributes6.1May 19, 2025
• CVE-2024-51996Symphony has an Authentication Bypass via RememberMe7.5Nov 13, 2024
• CVE-2024-50340Ability to change environment from query in symfony/runtime7.3Nov 6, 2024
• CVE-2024-50341Security::login does not take into account custom user_checker in symfony/security-bundle3.1Nov 6, 2024
• CVE-2024-50342Internal address and port enumeration allowed by NoPrivateNetworkHttpClient in symfony/http-client3.1Nov 6, 2024
• CVE-2024-50343Incorrect response from Validator when input ends with `\n` in symfony/validator3.1Nov 6, 2024
• CVE-2024-50345Open redirect via browser-sanitized URLs in symfony/http-foundation3.1Nov 6, 2024
• CVE-2024-45411Twig has a possible sandbox bypass8.5Sep 9, 2024
• CVE-2023-46735Symfony potential Cross-site Scripting in WebhookController6.1Nov 10, 2023
• CVE-2023-46734Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters6.1Nov 10, 2023
• CVE-2023-46733Symfony possible session fixation vulnerability6.5Nov 10, 2023
• CVE-2023-41336Prevent injection of invalid entity ids for "autocomplete" fields in symfony ux-autocomplete6.5Sep 11, 2023