Sensiolabs Symfony vulnerabilities

61 known vulnerabilities affecting sensiolabs/symfony.

Total CVEs: 61
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 8, HIGH 22, MEDIUM 31

Vulnerabilities

Page 1 of 4
CVE-2026-24739 | MEDIUM | CVSS 6.3 | fixed in 5.4.51 | affected: ≥ 6.4.0, < 6.4.33 (+3 more) | published 2026-01-28
CWE-88. Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5, the Symfony Process component did not correctly treat some characters (notably `=`) as “special” when escaping arguments on Windows. When PHP is executed from an MSYS2-based environment (e.g. Gi…
Source: nvd
CVE-2025-64500 | HIGH | CVSS 7.3 | PoC available | affected: ≥ 2.0.0, < 5.4.50; ≥ 6.0.0, < 6.4.29 (+1 more) | published 2025-11-12
CWE-647. Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` in a way that leads to rep…
Source: nvd
CVE-2024-51736 | CRITICAL | CVSS 9.8 | fixed in 5.4.46 | affected: ≥ 6.0.0, < 6.4.14 (+1 more) | published 2024-11-06
CWE-77. Symfony Process is a module for the Symfony PHP framework which executes commands in sub-processes. On Windows, when an executable file named `cmd.exe` is located in the current working directory, it will be called by the `Process` class when preparing command arguments, leading to possible hijacking. This issue has been addressed in release versi…
Source: nvd
CVE-2024-50345 | MEDIUM | CVSS 6.1 | fixed in 5.4.46 | affected: ≥ 6.0.0, < 6.4.14 (+1 more) | published 2024-11-06
CWE-601. symfony/http-foundation is a module for the Symfony PHP framework which defines an object-oriented layer for the HTTP specification. The `Request` class does not parse URIs with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain. The `Request:…
Source: nvd
CVE-2023-46733 | MEDIUM | CVSS 6.5 | affected: ≥ 5.4.21, < 5.4.31; ≥ 6.2.7, < 6.3.8 | published 2023-11-10
CWE-384. Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 5.4.21 and 6.2.7 and prior to versions 5.4.31 and 6.3.8, `SessionStrategyListener` does not migrate the session after every successful login. It does so only in case the logged in user changes by means of checking the user identifie…
Source: nvd
CVE-2023-46734 | MEDIUM | CVSS 6.1 | affected: ≥ 2.0.0, < 4.4.51; ≥ 5.0.0, < 5.4.31 (+1 more) | published 2023-11-10
CWE-79. Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use `is_safe=html` but don't actually ensure their input is safe. As of versions 4.4.51, 5.4.31, and 6.3.8, Symfony now escap…
Source: nvd
CVE-2023-46735 | MEDIUM | CVSS 6.1 | affected: ≥ 6.0.0, < 6.3.8 | published 2023-11-10
CWE-79. Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in version 6.0.0 and prior to version 6.3.8, the error message in `WebhookController` returns unescaped user-submitted input. As of version 6.3.8, `WebhookController` now doesn't return any user-submitted input in its response.
Source: nvd
CVE-2022-24895 | HIGH | CVSS 8.8 | affected: ≥ 2.0.0, < 4.4.50; ≥ 5.0.0, < 5.4.20 (+3 more) | published 2023-02-03
CWE-384. Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users, Symfony by default regenerates the session ID upon login, but preserves the rest of the session attributes. Because this does not clear CSRF tokens upon login, this might enable same-site attackers to bypass the CSRF protection mech…
Source: nvd
CVE-2022-24894 | HIGH | CVSS 8.8 | affected: ≥ 2.0.0, < 4.4.50; ≥ 5.0.0, < 5.4.2 (+3 more) | published 2023-02-03
CWE-285. Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system acts as a reverse proxy: it caches entire responses (including headers) and returns them to the clients. In a recent change in the `AbstractSessionListener`, the response might contain a `Set-Cookie` header. If the Symfony H…
Source: nvd
CVE-2022-23601 | HIGH | CVSS 8.8 | fixed in 5.3.15 | affected: ≥ 5.4.0, < 5.4.4 (+1 more) | published 2022-02-01
CWE-352. Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the user. When using the FrameworkBundle, this protection can be enabled or disa…
Source: nvd
CVE-2021-41268 | HIGH | CVSS 8.8 | affected: ≥ 5.3.0, < 5.3.12 | published 2021-11-24
CWE-384. Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie in version 5.3.0, the cookie is not invalidated when the user changes their password. Attackers can therefore maintain their access to the account even if the passw…
Source: nvd
CVE-2021-41267 | MEDIUM | CVSS 6.5 | affected: ≥ 5.2.0, < 5.3.12 | published 2021-11-24
CWE-444. Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the "trusted_headers" allowed list are ignored and protect users from "Cache poisoning" attacks. In Symfony 5.2, maintainers added support for the `X-Forwarded-Prefix` heade…
Source: nvd
CVE-2021-41270 | MEDIUM | CVSS 6.5 | affected: ≥ 4.1.0, < 4.4.35; ≥ 5.0.0, < 5.3.12 | published 2021-11-24
CWE-1236. Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 before 4.4.35 and versions 5.0.0 before 5.3.12 are vulnerable to CSV injection, also known as formula injection. In Symfony 4.1, maintainers added the opt…
Source: nvd
CVE-2021-32693 | HIGH | CVSS 8.8 | affected: ≥ 5.3.0, < 5.3.2 | published 2021-06-17
CWE-287. Symfony is a PHP framework for web and console applications and a set of reusable PHP components. A vulnerability related to firewall authentication is in Symfony starting with version 5.3.0 and prior to 5.3.2. When an application defines multiple firewalls, the token authenticated by one of the firewalls was available for all other firewalls. This cou…
Source: nvd
CVE-2021-21424 | MEDIUM | CVSS 5.3 | affected: ≥ 2.8.0, < 3.4.48; ≥ 4.0.0, < 4.4.23 (+1 more) | published 2021-05-13
CWE-200. Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that 403s are returned whether the user…
Source: nvd
CVE-2020-15094 | HIGH | CVSS 8.8 | affected: ≥ 4.4.0, < 4.4.13; ≥ 5.1.0, < 5.1.5 | published 2020-09-02
CWE-212. In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind…
Source: nvd
CVE-2020-5275 | HIGH | CVSS 8.1 | affected: ≥ 4.4.0, < 4.4.7; ≥ 5.0.0, < 5.0.7 | published 2020-03-30
CWE-285. In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks an access control rule, it iterates over each rule's attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of the next attributes that should have been taken into account in a unanimous strategy. The accessDecisi…
Source: nvd
CVE-2020-5274 | MEDIUM | CVSS 5.4 | affected: ≥ 4.4.0, < 4.4.4; ≥ 5.0.0, < 5.0.4 | published 2020-03-30
CWE-209. In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered its stacktrace. In addition, the stacktrace was displayed even in a non-debug configuration. The ErrorHandler now escapes all properties of the exception, and the stacktrace is only displayed in debug configuration. Thi…
Source: nvd
CVE-2020-5255 | MEDIUM | CVSS 4.3 | affected: ≥ 4.4.0, < 4.4.7; ≥ 5.0.0, < 5.0.7 | published 2020-03-30
CWE-435. In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a `Content-Type` header, affected versions of Symfony can fall back to the format defined in the `Accept` header of the request, leading to a possible mismatch between the response's content and `Content-Type` header. When the response is cached, this can prevent the use of…
Source: nvd
CVE-2013-4752 | MEDIUM | CVSS 6.1 | affected: ≥ 2.0.0, < 2.0.24; ≥ 2.1.0, < 2.1.12 (+2 more) | published 2020-01-02
CWE-79. Symfony 2.0.X before 2.0.24, 2.1.X before 2.1.12, 2.2.X before 2.2.5, and 2.3.X before 2.3.3 have an issue in the HttpFoundation component. The Host header can be manipulated by an attacker when the framework is generating an absolute URL. A remote attacker could exploit this vulnerability to inject malicious content into the Web application page and c…
Source: nvd