Symfony Process vulnerabilities
3 known vulnerabilities affecting symfony/process.
Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 1, UNKNOWN 1
Vulnerabilities
CVE-2026-24739 | MEDIUM | ≥ 0, < 5.4.51; ≥ 6.4, < 6.4.33; +3 more | 2026-01-28
CVE-2026-24739 [MEDIUM] CWE-88 Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on Windows
### Summary
The Symfony Process component did not correctly treat some characters (notably `=`) as “special” when escaping arguments on Windows. When PHP is executed from an MSYS2-based environment (e.g. Git Bash) and Symfony Process spawns native
ghsa, osv
CVE-2024-3566 | UNKNOWN | ≥ 1.0.0.0, < 1.6.23.0 | 2025-11-14
CVE-2024-3566 process: command injection via argument list on Windows
# process: command injection via argument list on Windows
The *process* library on Windows is vulnerable to a command injection
vulnerability, via `cmd.exe`'s interpretation of arguments. Programs that
invoke batch files (`.bat`, `.cmd`) and pass arguments whose values are
affected by program inputs may be affected.
This issue was discovered in many programming languag
osv
CVE-2024-51736 | HIGH | ≥ 0, < 5.4.46; ≥ 6.0.0, < 6.4.14; +1 more | 2024-11-06
CVE-2024-51736 [HIGH] CWE-77 Symfony vulnerable to command execution hijack on Windows with Process class
### Description
On Windows, when an executable file named `cmd.exe` is located in the current working directory, it will be called by the `Process` class when preparing command arguments, leading to possible hijacking.
### Resolution
The `Process` class now uses the absolute path to `cmd.exe`.
The patch for this
ghsa, osv