| CVE-2026-45064 | medium | — | 5.5 | 8d ago | Symfony's HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing |
| CVE-2026-45065 | medium | — | 5.5 | 8d ago | Symfony has a UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection |
| CVE-2026-45066 | medium | — | 5.5 | 8d ago | Symfony has an HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and <area> Misclassification |
| CVE-2026-45068 | medium | — | 5.5 | 8d ago | Symfony has an Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address |
| CVE-2026-45069 | medium | — | 5.5 | 8d ago | Symfony's OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims |
| CVE-2026-45070 | medium | — | 5.5 | 8d ago | Symfony has Email Header Injection via Non-Token Characters in Mime Parameter Names |
| CVE-2026-45073 | medium | — | 5.5 | 8d ago | Symfony Vulnerable to SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix |
| CVE-2026-45074 | medium | — | 5.5 | 8d ago | Symfony's Cas2Handler Derives CAS service URL from Client Host Header → Cross-Service Ticket Replay |
| CVE-2026-45075 | medium | — | 5.5 | 8d ago | Symfony's HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid] |