CVE-2026-24739 — Argument Injection in Symfony

CWE-88 — Argument Injection6 documents6 sources

Severity

6.3MEDIUMNVD

EPSS

0.0%

top 99.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Symfony Sensiolabs Symfony Symfony Process

Timeline

PublishedJan 28

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5, the Symfony Process component did not correctly treat some characters (notably `=`) as “special” when escaping arguments on Windows. When PHP is executed from an MSYS2-based environment (e.g. Git Bash) and Symfony Process spawns native Windows executables, MSYS2’s argument/path conversion can mis-handle unquoted arguments containing these c…

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:HExploitability: 1.0 | Impact: 5.2

Affected Packages4 packages

▶Packagistsymfony/process6.4 — 6.4.33+4

▶CVEListV5symfony/symfony< 5.4.51+4

▶Packagistsymfony/symfony6.4 — 6.4.33+4

▶NVDsensiolabs/symfony6.4.0 — 6.4.33+4

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on Windows↗2026-01-28

▶

CVEList

Symfony has incorrect argument escaping under MSYS2/Git Bash on Windows that can lead to destructive file operations↗2026-01-28

▶

GHSA

Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on Windows↗2026-01-28

▶

📋Vendor Advisories

Debian

CVE-2026-24739: symfony - Symfony is a PHP framework for web and console applications and a set of reusabl...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-24739 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶